Oh God Not Him Again. New More Sophisticated Zeus Is After SaaS Apps and Salesforce Accounts.

Posted on March 3rd, 2014 by Dan Rampe

 


The original Zeus used lightning bolts. The banking Trojan Zeus uses malicious keystroke logging and steals banking credentials. This newest Zeus version uses web crawling to target software-as-a-service (SaaS) apps and access proprietary data or code.

Swati Khandelwal on thehackernews.com reports that a SaaS security vendor detected a malware campaign against a Salesforce.com customer. It started as an attack on an employee’s home computer. Using its web-crawling ability, Zeus grabbed sensitive data from the customer’s CRM instance.

The attack was detected when the security company saw about 2GB of data downloaded to the victim’s computer in less than 10 minutes. While Zeus normally hijacks a user session to perform wire transactions, this latest version crawls the site and creates a real-time copy of a user’s Salesforce.com instance that has all the information from his/her company account.
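The detection described above (about 2GB pulled in under 10 minutes) amounts to a per-user sliding-window volume check over SaaS access logs. The following is an added example, not code from the article or the vendor; the log fields, user names and addresses are constructed, and the threshold simply mirrors the figures reported.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # window size taken from the reported incident
THRESHOLD_BYTES = 2 * 1024**3      # ~2 GB, the volume reported in the article

def find_bulk_downloads(events, window=WINDOW, threshold=THRESHOLD_BYTES):
    """events: (timestamp, user, src_ip, response_bytes) tuples.
    Returns one alert per user, raised the first time the bytes served to
    that user inside any trailing window reach the threshold."""
    recent = defaultdict(deque)    # user -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)      # user -> running byte total for that window
    alerts = {}
    for ts, user, src_ip, nbytes in sorted(events):
        q = recent[user]
        q.append((ts, nbytes))
        totals[user] += nbytes
        while ts - q[0][0] > window:           # expire requests older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] >= threshold and user not in alerts:
            alerts[user] = {"user": user, "src_ip": src_ip, "start": q[0][0],
                            "end": ts, "bytes": totals[user], "requests": len(q)}
    return list(alerts.values())

def constructed_events():
    """Constructed sample traffic (not real logs); IPs are documentation ranges."""
    t0 = datetime(2014, 2, 20, 21, 0, 0)
    events = []
    # Ordinary interactive use: 30 page views of ~200 KB over an hour.
    for i in range(30):
        events.append((t0 + timedelta(minutes=2 * i), "bob", "203.0.113.10", 200_000))
    # Crawler-like session: 480 requests of 5 MB, one per second (8 minutes).
    for i in range(480):
        events.append((t0 + timedelta(seconds=i), "alice", "198.51.100.7", 5_000_000))
    # Large but slow export: 3 GB over 5 hours never exceeds ~110 MB per window.
    for i in range(300):
        events.append((t0 + timedelta(minutes=i), "carol", "203.0.113.22", 10_000_000))
    return events

if __name__ == "__main__":
    for alert in find_bulk_downloads(constructed_events()):
        print(alert)
```

A rate-based rule like this flags the crawl regardless of where the session originates, which matters here because the compromised machine sat outside the enterprise perimeter.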

Security professional Ami Luttwak said of the attack, “This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls. This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name.”

Khandelwal notes that the FBI has previously warned companies about the GameOver banking Trojan, a Zeus variant aimed at spreading financial malware through phishing emails. Once installed, it carries out DDoS (Distributed Denial of Service) attacks, using a botnet to flood the targeted financial institution’s server with traffic.

Earlier this year, security researcher Gary Warner described a new variant of GameOver Zeus malware that used encryption to bypass perimeter security.

It allowed attackers to bypass traditional security measures used by Salesforce.com and other SaaS apps and have Zeus grab loads of business data and customer information.

How computers are infected in the first place and who is behind the attacks are still not known.
