We have uncovered a SpyEye configuration that targets users of two leading European airline travel Web sites: Air Berlin, the second largest airline in Germany (after Lufthansa) and AirPlus, the global provider of business travel services for companies. SpyEye exploits the user’s machine, not the websites, to carry out this fraud.
The attack subjects are far from randomly selected, but are, we believe, carefully chosen for their criminal revenue potential. One site accepts debit card payments, while the other caters to business users.
Air Berlin, now Europe’s sixth-largest airline, not only accepts debit and credit cards, but for Austrian, Dutch and German citizens, allows travellers to pay by bank direct debit seven days before travelling.
This means that criminals targeting an Air Berlin traveller from these countries stand a good chance of obtaining the personal details of the user – including their date of birth, which is mandatory on the airline’s site – as well as their bank account details.
Air Plus, meanwhile, offers a variety of travel services for companies of all sizes via their website, all paid for by business payment cards, which are invariably linked to business bank accounts.
Since corporate accounts tend to carry much higher balances (or credit limits) than consumer accounts, they have much greater cybercriminal revenue potential from a data harvesting perspective.
In the case of the Air Berlin attack, SpyEye is attempting to harvest confidential user information including username and password, and other data that is entered in the targeted web page. Since Air Berlin accepts bank debit card payments, the fraud potential is even more elevated.
The injection code of SpyEye captures the information on username and password details:
<Data><![CDATA[<iframe name=ifr1 id=ifr1 src=”https://www.airberlin.com/site/images/spacer.gif” width=0 height=0 border=none>
<form id=form7 name=form7 target=ifr1 method=post action=”https://www.airberlin.com/site/images/spacer.gif“>
<input type=”hidden” name=”cc” id=”cc” />
<input type=”hidden” name=”pas” id=”pas” />
The AirPlus attack methodology, meanwhile, targets users of the Lufthansa Miles & More Visa credit card which offers bonus travel for purchases made using the card.
Similar to the Air Berlin attack, the SpyEye code targets the main login URL of the AirPlus portal:
In this instance, SpyEye injects code into the users’ Web browser that claims to be an anti-fraud enhancement to the online:
In reality, of course, this is a cleverly-disguised attempt to phish user credentials from the unsuspecting customer of the AirPlus Web portal.
These credentials are quite comprehensive and include the card name and number, expiration date, CVV (signature strip) number and – as with the Air Berlin attack – the user’s date of birth.
The harvesting of the user’s date of birth opens up the possibility of identity theft and – we have observed – committing fraud by impersonating the user and using social engineering attack methods (is this referring to a recent blog?)
It is important to understand that cybercrime is now highly organised, with specialisation of duties between different members of the criminal hierarchy.
This means that the darkware coding gangs behind these variants of SpyEye are now carefully choosing their targets for maximum revenue yield with minimal effort.
In addition, by enhancing the fraudulent data yield from each victim, the possibilities for resale of data go way beyond that of the carder forums seen in the last few years.
We believe that the cybercriminal gang(s) behind these attacks are almost certainly using a semi-automated methodology of code development, allowing them to develop customised versions of the malware for specific purposes.
Clearly the travel trade offers cybercriminals access to user and company account credentials with larger-than-normal account balances and credit card limits.
The additional fraud sweetener of also gaining access to Air Berlin bank account details in Austria, Germany and the Netherlands is an indication of targeting ingenuity.
Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with SpyEye as it uses targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside computers.
A better alternative for protecting web based services is to implement secure web access. For example, browser-based security tools that secure communication between the computer and cloud service provider website can prevent common attack methods like HTML injection and keylogging from grabbing data. These same technologies can be used to protect other browser-based applications like VPNs, CRM, retail, financial and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter completely undetected.
We expect to see more specialised versions of SpyEye shortly.