Crooks focus operations on Rio 2016 Olympics

Aug 17, 2016 01:55 GMT

Banking trojan Sphinx, also known as Zeus Sphinx, has received an update that allows it to target Brazilian banks and Boleto payments, a move driven without a doubt by the Olympic Games currently taking place in Rio.

The Sphinx banking trojan is one of the lesser-known Zeus variants that appeared in 2011, when an unhappy customer leaked the Zeus banking trojan source code online.

Happy first birthday, Sphinx!

Sphinx appeared in August 2015 and initially targeted mainly banks in the UK, as IBM X-Force reported last October.

The trojan is the work of a Russian-speaking malware developer, who was initially selling his "baby" for $500 per binary.

Just like all the Zeus offspring, Sphinx relies on web injects that overlay fake web pages inside browsers and then exfiltrate collected data via a hidden virtual network computing (VNC) connection.

Sphinx now has a Brazilian edition

With its latest update, Sphinx now includes web inject configurations that can target the web portals of three of Brazil's top banks, along with Boleto payment services (a money ordering service).

Sphinx also supports multi-step injections combined with social engineering, allowing crooks to manipulate users and collect authentication codes from card readers.

IBM reports that crooks also use web injects to trick users into downloading mobile apps on their smartphones that will steal transaction authentication codes sent from the bank via SMS.

Rio Olympics have brought the cyber underworld's attention to Brazil

The timing of this update that adds support for Brazilian banks is not a coincidence. Panda Banker, another Zeus banking trojan modification, has also received an update allowing it to target Brazilian banks.

"Cybercriminals are known to increase their efforts during sporting events, taking advantage of the rise in online activity and interest around the competition to lure users into opening malware spam and phishing pages," IBM's Limor Kessem explains.

Zeus variations are very popular today on the financial malware market. All variants put together take up 15 percent of the global attack volume involving banking trojans at this time.

Banking trojan global attacks