Posted by Virus Bulletin on Jun 17, 2011
SpyEye configuration intercepts personal data submitted to legitimate websites.
Security researchers have uncovered a version of the 'SpyEye' trojan that steals credit card and bank account details from visitors of two air travel websites.
SpyEye, like 'Zeus' (which some researchers believe it is related to), is an advanced exploit kit whose 'customers' use can configure it to their needs and use it, for instance, to create a small botnet with a specific purpose. It shares many similarities with legitimate software, such as version numbers and support forums, and shows how professionally today's online criminals operate.
This particular SpyEye configuration, found by researchers at Trusteer, injects code on the client-side when infected users visit two particular websites: Air Berlin and Air Plus. The former is Germany's second and Europe's sixth largest airline, the latter offers various services for airline travellers. In both cases, visitors to the website are likely to submit credit card or bank account details and other personal information, which the trojan intercepts.
Those who have followed developments in online crime will not be surprised by this as there is a common trend among criminals to target users of specific services with tailored malware. While user awareness continues to be important, it is no longer sufficient just to be able to spot the difference between legitimate and phishing websites.