Last April, ThreatMetrix™ Labs discovered that Zeus had thrown another malware thunderbolt at enterprises: a new variant of the peer-to-peer (P2P) version of the Zeus Trojan. Based on this discovery, ThreatMetrix Labs, which develops in-depth reports on the latest capabilities of malware targeting financial institutions, merchants and other online businesses, has released an in-depth analysis report, “Zeus P2P Advancements and MitB Attack Vectors.”
This latest report, like others from ThreatMetrix Labs, is designed to help enterprises, financial institutions, credit unions, payment providers, government agencies, and security professionals stay current with emerging online security threats.
The report points out that one of the main changes in the new Zeus variant is the way it encrypts its configuration file, so that existing automated detection routines no longer recognize it.
Observes Andreas Baumhof, ThreatMetrix chief technology officer, “Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines. The latest Zeus variant catches victims off-guard by waiting to attack until after a Website’s login page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”
For this latest ThreatMetrix Labs report, four specific cases of Zeus attacks were analyzed across a variety of industries: social media, financial services, retail, and payment processing. Most of the cases involved small but sophisticated changes to the Website as rendered in the victim’s browser, designed to steal confidential information, and the changes often went unnoticed even by professionals.
Social Media Networks: Facebook and Gmail
Social media platforms keep finding new, more sophisticated ways to monetize their sites, and in the process they have given cybercriminals new pretexts for stealing personal and financial information. Registered users initially see the site’s normal login page, but once the username and password are entered, the Trojan injects fraudulent pages asking for the user’s credit card information. Common pretexts include:
• Linking a user’s debit card to a cybercriminal’s Facebook account to transfer Facebook credits.
• Earning 20 percent cash back by linking a debit card with Facebook.
• Joining a brand-new processing system created jointly with Verified by Visa, MasterCard SecureCode and Google Checkout.
• Linking a debit card with a Google account to shop safely and securely at more than 3,000 online stores.
Financial Services: Major Credit Card Companies and Financial Institutions
The Zeus Trojan targets all major credit card company Websites upon customer login. After a victim logs in, an intermediate page appears tricking the victim into disclosing personal and credit card information to the cybercriminal. A similar scenario exists after the login page and targets major financial institutions in the United Kingdom, U.S., Canada, the Middle East, Italy, Germany, and Australia.
Retail: Major Department Stores
Using the new variant of the Zeus Trojan, cybercriminals steal customer information at checkout. In an example analyzed by ThreatMetrix Labs, Zeus targets a major department store through a pop-up window at checkout which informs the user, “The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly.” Most consumers do not realize that the pop-up window was injected by the Trojan rather than served by the store, and proceed to re-enter their loyalty card information.
Electronic Payments: Online Payment Processors
The final industry analyzed in the latest ThreatMetrix Labs report is online payment processors. Much like the previous retail example, a pop-up window is shown asking the user to verify credit card information, this time during login. The Zeus Trojan reads the user’s name from the page, and the pop-up window, which appears completely legitimate, says, “Hello, (name). In order to carry out higher security standards with our customers, we carry out selective personal information verification.” The user then enters credit card information into the injected form and is even asked on the next page to confirm that the information is correct. Once entered, the information is sent to a command and control (C&C) server, where the cybercriminals collect the stolen data.
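As an added illustration (this is not code from the report or from ThreatMetrix), the following shows one client-side signal a site operator can collect against the post-login injections described in the social media, financial services, retail and payment processor cases above: compare the visible input fields actually present in the page with the fields the page is supposed to carry, and flag any extra fields whose names suggest card data is being requested. The page paths, expected field names, greeting text and sample HTML are hypothetical and constructed for the example.

```javascript
// Added example (not ThreatMetrix's or the report's code): flag form fields
// that a man-in-the-browser inject has added to a page. The page paths,
// expected field names, and sample HTML below are hypothetical and constructed.

// Inventory of the visible input fields each page is supposed to carry.
const EXPECTED_FIELDS = {
  '/login': new Set(['username', 'password']),
  '/account': new Set(['search']),
  '/checkout': new Set(['card_number', 'expiry', 'cvv', 'billing_zip']),
};

// Field names that suggest payment-card data is being requested.
// "\bcc" rather than "cc" so that names such as "account" are not flagged.
const CARD_FIELD_PATTERN = /card|\bcc|cvv|cvc|expir/i;

// Minimal scanner for <input> tags in a page's HTML. In a real deployment
// the browser-side script would walk document.querySelectorAll('input') instead.
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const attr = (n) => {
      const a = tag.match(new RegExp('\\b' + n + '\\s*=\\s*["\']([^"\']*)["\']', 'i'));
      return a ? a[1] : '';
    };
    inputs.push({ name: attr('name'), type: (attr('type') || 'text').toLowerCase() });
  }
  return inputs;
}

// Return the visible fields on `path` that are not in the inventory, marking
// those whose names look like they collect card data.
function findInjectedFields(path, html) {
  const expected = EXPECTED_FIELDS[path] || new Set();
  return extractInputs(html)
    .filter((f) => !['hidden', 'submit', 'button'].includes(f.type))
    .filter((f) => !expected.has(f.name))
    .map((f) => ({ name: f.name, looksLikeCardData: CARD_FIELD_PATTERN.test(f.name) }));
}

// Constructed sample: the account page as the server sent it.
const CLEAN_ACCOUNT_PAGE = `
<h1>Welcome back</h1>
<form action="/search"><input name="search" type="text"><input type="submit" value="Go"></form>`;

// Constructed sample: the same page after an inject of the kind described
// above, greeting the victim by name and asking for card "verification".
const INJECTED_ACCOUNT_PAGE = CLEAN_ACCOUNT_PAGE + `
<div class="verify"><p>Hello, Alice. In order to carry out higher security
standards we carry out selective personal information verification.</p>
<form action="/account"><input type="hidden" name="csrf" value="x">
<input name="cc_number" type="text"><input name="cc_expiry" type="text">
<input name="cvv" type="password"><input name="mother_maiden_name" type="text">
<input type="submit" value="Verify"></form></div>`;

// Summary the browser-side script would post to a hypothetical beacon
// endpoint. An inject that also strips this script defeats it, so the site
// operator should treat a missing report as "no signal", not as a clean page.
function report(path, html) {
  const injected = findInjectedFields(path, html);
  return {
    path,
    injectedCount: injected.length,
    cardLike: injected.filter((f) => f.looksLikeCardData).map((f) => f.name),
  };
}

console.log(report('/account', CLEAN_ACCOUNT_PAGE));
console.log(report('/account', INJECTED_ACCOUNT_PAGE));
```

On the constructed injected page the check reports four unexpected visible fields, three of them card-like (`cc_number`, `cc_expiry`, `cvv`); the hidden CSRF token and submit button are ignored. Because Zeus rewrites the HTTP response before the browser renders it, the injected fields are present in the DOM and visible to a script like this, but the same inject can remove the script, so this is telemetry that complements server-side fraud controls rather than a guarantee.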
“What puts social media websites, financial institutions, online retailers, and payment processors at such high risk with this particular variant of the Zeus Trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof. “Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalized with the victim’s name. To protect users and customers, all of these industries must realize how sophisticated today’s cybercriminals are and take proper steps to prevent these attacks.”
For more information, in-depth ThreatMetrix Labs reports are available upon request by organizations looking to gain a lead on the capabilities, enhancements and improvements being implemented into malicious software. To request an official report, please register at http://info.threatmetrix.com/ThreatMetrix-Labs-Subscribe.html. For a public copy of the report, visit http://threatmetrix.com/resource-center/threatmetrix-labs-reports/.