Last year, Carberp emerged on the online banking fraud scene as a competitor to the dominant financial malware platforms Zeus and SpyEye.
Trusteer recently discovered a configuration of Carberp that targets Free, a French broadband ISP. The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack.
Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page, Carberp launches an HTML injection attack after the user has logged in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details.
The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service.
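A defensive check for the injection described above, written as an added example and not taken from Trusteer or Free: it compares the form fields in the page the server sent with the fields in the page the browser rendered, and flags added fields that ask for payment data. The field names, the sample pages and the idea of capturing the rendered markup in the browser are assumptions made for illustration.

```javascript
// Added example. Sample markup and field names below are constructed.

// Collect the name/id of every <input>, <select> and <textarea> in an HTML string.
function formFieldNames(html) {
  const names = new Set();
  const tagRe = /<(?:input|select|textarea)\b[^>]*>/gi;
  const attrRe = /(?<=\s)(?:name|id)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const tag of html.match(tagRe) || []) {
    for (const m of tag.matchAll(attrRe)) {
      names.add((m[1] ?? m[2] ?? m[3]).toLowerCase());
    }
  }
  return names;
}

// Keywords for the data the injected page requests: card number, expiration
// date, security code, bank name and address, zip code, city.
const PAYMENT_HINTS = /card|cvv|cvc|exp|bank|zip|city/;

// servedHtml: markup the server sent. renderedHtml: markup captured in the
// browser after load (assumed to be reported back for comparison).
function findInjectedFields(servedHtml, renderedHtml) {
  const served = formFieldNames(servedHtml);
  const extra = [...formFieldNames(renderedHtml)].filter((n) => !served.has(n));
  const paymentLike = extra.filter((n) => PAYMENT_HINTS.test(n));
  return { extra, paymentLike, suspicious: paymentLike.length > 0 };
}

// Constructed account page as served: no payment fields at all.
const SERVED =
  '<form action="/account"><input type="text" name="search">' +
  '<input type="submit" id="go"></form>';

// Constructed rendered page: the served markup plus an injected "update your
// payment details" form like the one the article describes.
const RENDERED =
  SERVED +
  '<form><input name="card_number"><input name="exp_date">' +
  '<input name="cvv2"><input name="bank_name"><input name="bank_address">' +
  '<input name="zip"><input name="city"></form>';

const report = findInjectedFields(SERVED, RENDERED);
console.log(report.suspicious, report.paymentLike);
```

Malware running in the browser can also interfere with a script that runs in the page, so a clean result is weak evidence while a hit is a strong signal.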
“This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments,” said Tanya Shafir, researcher at Trusteer. “By launching MitB attacks that target customers of third-party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP. Furthermore, most of us are extremely reliant on broadband services for work, entertainment, and shopping. When faced with the prospect of having our Internet connection turned off for not paying the monthly bill, it is easy to see how even the most security-conscious users could fall prey to this type of scam.”
Fraudsters continue to demonstrate both creativity and resourcefulness in their choice of targets. As financial institutions tighten the security around their online banking applications, Trusteer expects criminals will increasingly target customers who pay for third-party services online.
Stealing credit and debit card information allows them to commit low-risk, high-reward card-not-present fraud.
“The one variable that does not change whether a MitB attack targets an online banking application or an ISP account management application is the scene of the crime. In both situations, the fraud is made possible by hijacking the web session at the endpoint. Whether the target website belongs to a wireless phone company, newspaper publisher, grocery store, etc., doesn’t matter. Protecting the browser is key to defeating the next attack being dreamed up by fraudsters,” said Shafir.