UK second on SpyEye banking Trojan hit list, study shows

The UK is second only to the US on the hit list of cyber criminals targeting financial institutions with the personal and banking information-stealing SpyEye Trojan, according to research.

Some 60% of the SpyEye bots target customers of financial institutions in the US, followed by the UK (53%), Canada (31%), Germany (29%), and Australia (20%), according to security firm Trusteer.

Other destinations targeted by more than 10% of SpyEye bots include Ireland, Italy, Spain, France, Portugal, Turkey, India and Russia.

Research findings from the Trusteer Situation Room and anomaly detection service Pinpoint indicate that the number of financial institutions and countries targeted by the SpyEye Trojan is growing.

In May, SpyEye added targets in the Middle East including Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru were attacked.

One of the hallmarks of SpyEye is that it is designed to evade transaction monitoring systems that rely on detecting abnormal behaviour, with full new versions released as often as every week.

SpyEye is also an extremely aggressive Trojan, with early versions of the malware including a feature to remove the competing Zeus banking Trojan from infected host machines.

"Some of the changes our risk analysis teams are seeing include some very significant improvements to the core SpyEye technology," says Mickey Boodaei, chief executive officer at Trusteer.

The SpyEye author's ability to rapidly react and improve the software should be a major concern to anyone who already is, and who may be, on SpyEye's target list, he says.

Financial institutions should monitor development in the SpyEye toolkit and pay close attention to SpyEye attack vectors that target their brand, as well as new SpyEye attacks that target other financial institutions, says Boodaei.

The intelligence from this process should be included in the financial institution's security controls such as anomaly detection and endpoint protection.

"The ability to react fast to SpyEye's changes in pattern is, we believe, key to an effective fraud prevention architecture against this dangerous toolkit," he says.

In June, Virgin Media became the first UK internet service provider to warn customers that their PCs were infected with a virus, sending letters to 1,500 customers to tell them they had been targeted by the SpyEye Trojan.

Virgin Media said it had been alerted to the malware infection by the Serious and Organised Crime Agency. The agency identified Virgin Media customers as targets while investigating criminal botnets.
