
Zeus Trojan hitting banking customers hard

By Marcia Savage, Features Editor, Information Security magazine
08 Sep 2009 | SearchFinancialSecurity.com


A Trojan that steals online banking credentials is proving to be a particularly insidious and successful piece of malware, according to security experts.

Zeus is the "biggest banking Trojan out there," Laura Mather, co-founder and vice president of marketing at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems, said during a recent company webcast. "It's the nastiest, most sophisticated Trojan I've ever seen. It's a money-stealing machine."

Also called Zbot, Zeus and its variants surfaced last year but began trying to infect machines at a steady clip this spring, said Ben Greenbaum, senior manager in the security response unit at Symantec Corp. The malware is easy to configure and widely available on the Internet, with prices ranging from a couple hundred dollars to free, he added.

"Zeus is unusual in the level of success it's achieved. It's more widespread than most," he said. "It combines the best-of-breed features of other crimeware packages into one easy-to-use software suite, so to speak."

About 1.6 million infected machines make up hundreds of Zeus botnets, which target 960 banks, Mather said. Criminals have wreaked a lot of havoc with the bank Trojan's advanced capabilities, she said, citing a case reported by the Washington Post, in which cybercriminals stole $415,000 from Bullitt County, Ky., where Zeus infected the county treasurer's computer.

Mather, managing director of operational policy for the Anti-Phishing Working Group and a former director of fraud prevention at eBay Inc., said the malware can be customized to gather credentials from banks in specific geographic areas and has various means of distribution, including email attachments and malicious Web links. Once it infects a machine, it typically sits dormant, springing to life when the user visits a webpage with a form to fill out.

The Zeus Trojan has a capability that allows criminals to add fields to the form, such as fields for additional authentication information for a bank website; those credentials are sent back to the criminal, she said. Fraudsters also can alter the display to fool users into thinking all their money is still in their account.

The way Zeus alters a form on a genuine bank website as it's displayed on the victim's computer -- instead of showing an entirely fake banking website -- is one of its most powerful features and sets it apart from other banking Trojans, said Richard Wang, manager of the U.S. research labs at Sophos Plc.

"What versions of Zeus might do is see that page as it's being displayed, and at the browser level instead of at the bank level, add an extra box that might ask for your Social Security number," he said. "It looks like the bank has changed its login procedure."

Wang said Zeus is not just a single Trojan, but a toolkit that allows criminals to build their own Trojans that have added functionality. "It allows someone who doesn't have the technical skills to just buy the technology they need to do the banking data theft," he said.

One new Zeus Trojan functionality allows criminals to quickly use stolen credentials, and in some cases, circumvent two-factor authentication. In studying several Zeus variants, researchers at RSA, the security division of Hopkinton, Mass.-based EMC, recently discovered that some criminals were using the Jabber instant messaging open protocol in order to receive stolen information as soon as it was collected from infected computers. The first Jabber IM module RSA researchers studied was configured to extract credentials from users of a single U.S.-based financial institution; another was used by a criminal to target user credentials at five institutions, researchers wrote in a blog post.

"Real-time notification can further online criminals' goals in some cases when certain variations of man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks are launched," RSA researchers wrote. "With such attacks, the online criminal may be acting in real-time as their intended victim logs in to his or her account."

The technique is nothing new, but seems to be gaining popularity, they added.

Symantec's Greenbaum noted that the Zeus Trojan targets more than banking credentials; criminals also are looking to steal social networking site logins and gaming site credentials. Also, Zeus isn't just a bank Trojan, Sophos' Wang said. The malware is used to create "full-featured botnets" that, like other botnets, can be used to send spam, launch denial-of-service attacks, and provide hosting services for malicious websites.

The best tactic banks can take against the malware is to educate their customers about computer security, Wang said: "It is very much about user education and making sure people are using good security practices and that they have security software installed and kept up to date."

In a recent interview, Michael Benardo, chief of the cyber fraud and financial crimes section at the Federal Deposit Insurance Corporation, advised banks to help educate their business customers about PC security in light of the increase in fraudulent wire and ACH transfers. Most of the fraudulent electronic funds transfers (EFTs) involved business customers whose online banking credentials were compromised by criminals using Trojans, keyloggers and other spoofing techniques, the FDIC said.

RSA researchers said online security isn't limited to user credentials, although one-time passwords are still an effective layer of protection.

"In order to fight these threats, organizations should adopt multi-layered online security techniques, such as those that shut down Trojan attacks or authenticate users based on their distinct computer profiles and locations," they wrote.

Tags: Data breaches and prevention strategies; Emerging security threats and attacks; Spam, phishing and social engineering attacks
