Security researchers from Kaspersky have profiled a new SpyEye plugin known as flashcamcontrol.dll.
What does it do? Basically, it modifies an infected host's Flash permissions, allowing cybercriminals to control the webcam and the microphone of infected victims.
If an infected user visits the site of a specified bank and the browser processing the page requests a Flash document via a link from the first column, the webfakes.dll plugin (which runs in a browser context) detects that request and replaces it with an address from the second column – an address controlled by the intruders. As a result, the browser will load a malicious document from the intruder’s server (statistiktop.com) instead of a Flash document from the bank site.
It turned out that both Flash documents merely create a window with a picture from the webcam. One of them sends a video stream to the intruder’s server.
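From the defender's side, the substitution described above shows up as a Flash document requested from a banking page but served by a host the bank does not use. The following is an added example, not code from Kaspersky or from this post: it scans proxy log lines for that pattern. The log format, the `bank.example` allowlist, the client addresses and the URL paths are all constructed, and it assumes the proxy records the Referer of each request.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts each protected site legitimately serves Flash from.
EXPECTED_SWF_HOSTS = {
    "bank.example": {"bank.example", "static.bank.example"},
}

# Constructed proxy log: timestamp, client IP, requested URL, Referer.
SAMPLE_LOG = """\
2000-01-01T10:02:11Z 10.0.0.15 https://static.bank.example/login/banner.swf https://bank.example/login
2000-01-01T10:02:14Z 10.0.0.23 http://statistiktop.com/constructed.swf https://bank.example/login
2000-01-01T10:03:40Z 10.0.0.23 http://news.example/player.swf http://news.example/video
2000-01-01T10:04:02Z 10.0.0.31 https://bank.example/img/logo.png https://bank.example/login
2000-01-01T10:05:00Z 10.0.0.40 http://other.example/x.swf -
"""


def protected_site(host):
    """Return the protected site a referring host belongs to, or None."""
    host = host.lower().rstrip(".")
    for site in EXPECTED_SWF_HOSTS:
        if host == site or host.endswith("." + site):
            return site
    return None


def find_redirected_swf(log_text):
    """Flag .swf requests made from a protected page to an unexpected host."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, url, referer = parts
        request = urlsplit(url)
        if not request.path.lower().endswith(".swf"):
            continue  # only Flash documents are of interest here
        site = protected_site(urlsplit(referer).hostname or "")
        if site is None:
            continue  # request did not originate from a protected page
        host = (request.hostname or "").lower()
        if host not in EXPECTED_SWF_HOSTS[site]:
            alerts.append((ts, client, host))
    return alerts


if __name__ == "__main__":
    for alert in find_redirected_swf(SAMPLE_LOG):
        print("unexpected Flash source:", alert)
```
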
It appears that someone is experimenting, with long-term ambitions in mind. Face recognition for online banking as a concept has been around for years; however, financial institutions globally have failed to implement the solution on a large scale. Personally, I believe that facial recognition as a value-added protection mechanism is a futile attempt to prevent a successful crimeware attack on the infected host.
Taking into consideration the fact that on the majority of occasions users don't know that they're infected with crimeware, a visual representation of the fact that a particular end user is indeed in front of the computer wouldn't change this. And now cybercriminals have developed an efficient way to undermine the facial recognition process with ease.
This latest development once again proves that cybercriminals are steps ahead of the security industry, and will continue to innovate in an attempt to increase their fraudulently obtained revenues.