Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

ThreatMetrix Labs Reports New Zeus Malware Strain Intensifies Risks for Social Media, Financial Services, Retail, and Payment Processor Industries

By ThreatMetrix

Last April ThreatMetrix™ Labs discovered Zeus had just thrown another malware Thunderbolt at enterprises. It came in the form of a new variant of the peer-to-peer (P2P) version of the Zeus Trojan. Based on this discovery, ThreatMetrix Labs, which develops in-depth reports on the latest capabilities of malware targeting financial institutions, merchants and other online businesses, just released an in-depth analysis report, “Zeus P2P Advancements and MitB Attack Vectors.”

This latest report, like others from ThreatMetrix Labs, is designed to help enterprises, financial institutions, credit unions, payment providers, government agencies, and security professionals stay current with emerging online security threats.

The report points out that one of the main changes in the new Zeus variant is the way it encrypts its configuration file, which prevents automatic detection routines from recognizing it.

Observes Andreas Baumhof, ThreatMetrix chief technology officer, “Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines. The latest Zeus variant catches victims off-guard by waiting to attack until after a Website’s login page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”

For this latest ThreatMetrix Labs report, four specific cases of Zeus attacks were analyzed across a variety of industries, including social media, financial services, retail, and payment processing. Most of the cases involved minor, but sophisticated Website changes designed to steal confidential information. And, the changes often went unnoticed even by professionals.

Social Media Networks: Facebook and Gmail

Social media platforms keep finding new, more sophisticated ways to monetize their sites. In the process, they’ve been providing cybercriminals new ways to monetize themselves by stealing personal and financial information. Registered users will initially see a “normal” login page. But once the username and password are entered, fraudulent pages appear asking for user credit card information. Common scams include:

• Linking a user’s debit card to a cybercriminal’s Facebook account to transfer Facebook credits.

• Earning 20 percent cash back by linking a debit card with Facebook.

• Joining a brand-new payment-processing system created jointly with Verified by Visa, MasterCard SecureCode and Google Checkout.

• Linking a debit card with a Google account to shop safely and securely at more than 3,000 stores online.

Financial Services: Major Credit Card Companies and Financial Institutions

The Zeus Trojan targets all major credit card company Websites upon customer login. After a victim logs in, an intermediate page appears tricking the victim into disclosing personal and credit card information to the cybercriminal. A similar scenario exists after the login page and targets major financial institutions in the United Kingdom, U.S., Canada, the Middle East, Italy, Germany, and Australia.

Also featured in the ThreatMetrix Labs report is an attack targeting Italian banks. A malicious JavaScript is used to adjust the displayed account balances so victims are unaware money has been stolen. The script can also disable functionality in the banking application, preventing the user from accessing pages that would show the account has been compromised.

Retail: Major Department Stores

Using the new variant of the Zeus Trojan, cybercriminals steal customer information at checkout. In an example analyzed by ThreatMetrix Labs, Zeus targets a major department store through a pop-up window at checkout which informs the user, “The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly.” Most consumers are unaware that the pop-up window was put there by a cybercriminal, and will proceed to re-enter loyalty card information.

Electronic Payments: Online Payment Processors

The final industry analyzed in the latest ThreatMetrix Labs report is online payment processors. Much like the previous retail example, a pop-up window is shown asking the user to verify credit card information, this time during login. The Zeus Trojan detects the user’s name, and the pop-up window, which appears completely legitimate, says, “Hello, (name). In order to carry out higher security standards with our customers, we carry out selective personal information verification.” The user then enters credit card information into the cybercriminal’s form, going so far as to confirm on the next page that the information is correct. Once the information is entered, it is sent to a command and control (C&C) server, where cybercriminals compile the stolen data.
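Every case above follows the same pattern: the genuine login or checkout page is left intact, and the Trojan injects extra form fields asking for card data. One defensive control a site can run in the browser after login is a page-integrity check that compares the inputs actually present in the DOM against the fields the page is supposed to contain. The snippet below is an added illustration, not code from the ThreatMetrix report; the allow-list, the card-field pattern and the sample HTML are all constructed assumptions.

```javascript
// Added example: detect injected card-data fields on a post-login page.
// EXPECTED_FIELDS is an assumed allow-list of the inputs the real page renders.
const EXPECTED_FIELDS = new Set(["username", "password", "remember", "csrf_token"]);

// Names, autocomplete tokens or placeholders that indicate a request for card data.
const CARD_FIELD_RE = /(card|cc[-_]?num|cvv|cvc|expir|security[-_]?code)/i;

// Tolerant regex extraction of <input ...> tags and their attributes from HTML.
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[3] ?? a[4] ?? a[5] ?? "";
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Inputs that are not on the allow-list and look like they collect card data.
function findInjectedCardFields(html, expected = EXPECTED_FIELDS) {
  return extractInputs(html).filter((attrs) => {
    const name = attrs.name || attrs.id || "";
    if (expected.has(name)) return false;
    const hints = [name, attrs.autocomplete || "", attrs.placeholder || ""].join(" ");
    return CARD_FIELD_RE.test(hints);
  });
}

// Constructed sample: a genuine login form followed by an injected "verification" block.
const SAMPLE_PAGE = `
<form id="login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
</form>
<div id="verify">Hello, (name). We carry out selective personal information verification.
  <input type="text" name="cardnumber" autocomplete="cc-number">
  <input type="text" name="exp" placeholder="Expiry MM/YY">
  <input type="text" name="cvv">
</div>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findInjectedCardFields(SAMPLE_PAGE).map((f) => f.name)); // [ 'cardnumber', 'exp', 'cvv' ]
}
```

A hit should be reported to the server (for example as a telemetry beacon) rather than only blocked client-side, since the same injected script that added the fields can also tamper with in-page checks.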

“What puts social media websites, financial institutions, online retailers, and payment processors at such high risk with this particular variant of the Zeus Trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof. “Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalized with the victim’s name. To protect users and customers, all of these industries must realize how sophisticated today’s cybercriminals are and take proper steps to prevent these attacks.”

For more information, in-depth ThreatMetrix Labs reports are available upon request by organizations looking to gain a lead on the capabilities, enhancements and improvements being implemented into malicious software. To request an official report, please register at For a public copy of the report, visit
