Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Oh God Not Him Again. New More Sophisticated Zeus Is After SaaS Apps and Salesforce Accounts.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.
Follow ThreatMetrix ThreatMetrix's Most Recent Posts:

The original Zeus used lightning bolts. The bank Trojan Zeus uses malicious keystroke logging and steals banking credentials. This newest Zeus version uses web-crawling action to target software-as-a-service (SaaS) apps to access proprietary data or code.

Swati Khandelwal on the reports that one SaaS security firm vendor detected a malware campaign against a customer. It started as an attack on an employee’s home computer. Using its web crawling ability, Zeus grabbed sensitive data from the customer’s CRM instance.

The attack was detected when the security company saw about 2GB of data downloaded to the victim’s computer in less than 10 minutes. While Zeus normally hijacks a user session to perform wire transactions, this latest version crawls the site and creates a real-time copy of a user’s instance that has all the information from his/her company account.

Security professional Ami Luttwak said of the attack “This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls. This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name.”

Khandelwal notes that previously the FBI has warned companies about the GameOver banking Trojan, a Zeus variant aimed at spreading financial malware through phishing emails. Once installed, it carries out DDoS (Distributed Denial of Service) attacks using a botnet and flooding the targeted financial institution’s server with traffic.

Earlier this year, security researcher Gary Warner described a new variant of GameOver Zeus malware that used Encryption to bypass perimeter security.

It allowed attackers to bypass traditional security measures used by and other SaaS apps and have Zeus grab loads of business data and customer information.

How computers are infected in the first place and who is behind the attacks is still not known.

By ThreatMetrix Posted