Verizon SpyEye attack reveals PCI shortcomings
Trusteer has recently discovered a configuration of the SpyEye Trojan targeting Verizon's online payment page and attempting to steal payment card information. The attack took place between May 7th and 13th.
Amit Klein, Trusteer's CTO, explained that “SpyEye uses a technique called ‘HTML injection’ to modify the pages presented in the victim’s browser; in this particular case the injected HTML is used to capture the following credit card related data. The attack is invisible to Verizon customers since the malware waits for the user to log on and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page, they have no reason to suspect this request for payment information is suspicious.”
The information stolen includes:
First name, last name
Street address, City, state, zip
Phone number, phone type
Country of citizenship
Social Security Number
Date of Birth
Mother’s Maiden Name
Card number, expiration date and CVV
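One way a site could notice this kind of injected form, shown as an added example that is not from Trusteer or Verizon: compare the fields actually rendered on the billing page against the fields the site's own template defines, and flag extras that ask for the data listed above. The field names, labels and allowlist are constructed assumptions.

```javascript
// Added example: names, labels and the allowlist are constructed for illustration.
// Categories mirror the data the article says the injected page requested.
const SENSITIVE_PATTERNS = [
  { category: "social security number", re: /\b(ssn|social security)\b/ },
  { category: "date of birth", re: /\b(dob|date of birth|birth ?date)\b/ },
  { category: "mother's maiden name", re: /\bmaiden\b/ },
  { category: "country of citizenship", re: /\bcitizen(ship)?\b/ },
  { category: "card security code", re: /\b(cvv|cvc|security code)\b/ },
];

// Lower-case and split camelCase/separators so "mothersMaidenName",
// "mothers_maiden_name" and "Mother's Maiden Name" compare alike.
function normalize(text) {
  return String(text || "")
    .replace(/([a-z])([A-Z])/g, "$1 $2")
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, " ")
    .trim();
}

// fields: [{ name, label }] as rendered; in a page these would be gathered from
// document.querySelectorAll("input, select, textarea"). expectedNames: template fields.
function auditBillingForm(fields, expectedNames) {
  const expected = new Set(expectedNames.map(normalize));
  const findings = [];
  for (const field of fields) {
    const name = normalize(field.name);
    if (expected.has(name)) continue; // field belongs to the real template
    const haystack = `${name} ${normalize(field.label)}`;
    const hit = SENSITIVE_PATTERNS.find((p) => p.re.test(haystack));
    findings.push({
      name: field.name,
      reason: hit ? `unexpected field asking for ${hit.category}` : "unexpected field",
      severity: hit ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed sample: three rendered fields are not part of the template.
const EXPECTED = ["card_number", "exp_date", "cvv", "billing_zip"];
const RENDERED = [
  { name: "card_number", label: "Card number" },
  { name: "cvv", label: "CVV" },
  { name: "userSSN", label: "Social Security Number" },
  { name: "f7", label: "Mother's Maiden Name" },
  { name: "promo", label: "Promo code" },
];
console.log(auditBillingForm(RENDERED, EXPECTED));
```

A check running inside an infected browser can itself be tampered with, so its findings are one signal to feed into backend fraud systems rather than a control on their own.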
While this attack is not technically new, it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data. This practice allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot trace them back to a specific computer.
Klein continued, “Whether it’s on consumer machines, call center computers, or point of sale systems, attackers are targeting endpoints to steal readily available payment card data. This trend is exposing a major shortcoming in the Payment Card Industry Data Security Standard (PCI-DSS), which only requires endpoints to be running anti-virus software. As we have seen, anti-virus software is unable to effectively defend against zero-day attacks.”
“There’s no easy answer, since most endpoints used to enter payment and credit card data are outside the control of the merchants who process the transactions. One model to consider is the path taken by the growing legion of banks that are supplementing backend risk and fraud management systems with end-user education and browser-based security tools,” he said.
“With the growing incidence of payment and credit card theft targeting the online properties of service providers, merchants, and e-commerce vendors, the payment card industry should take a closer look at endpoints as the emerging ‘weak link’ in protecting card data against theft and fraud,”