
New Strain of Zeus Malware Puts Social Media, Financial Services, Retail, and Payment Processor Industries at High Risk for Cybercrime

Posted June 26, 2012

ThreatMetrix Labs Report Analyzes Recently Identified Variant of the Notorious Zeus Trojan

San Jose, CA – June 26, 2012 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, announced today the release of its latest ThreatMetrix™ Labs report, “Zeus P2P Advancements and MitB Attack Vectors.” In April 2012, ThreatMetrix Labs came across a new variant of the peer-to-peer (P2P) version of the notorious Zeus Trojan. The latest report examines the sample and specific attack targets of this new variant.

ThreatMetrix Labs develops in-depth reports on the latest capabilities of malware that targets financial institutions, merchants and online businesses. The information gained from the report enables enterprises, financial institutions, credit unions, payment providers, government agencies, and security professionals to stay abreast of current and emerging online security threats.

One of the main changes in this new Zeus variant is the way it encrypts its configuration file, which makes all automatic detection routines fail to recognize the Trojan.

“Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines,” said Andreas Baumhof, chief technology officer, ThreatMetrix. “The latest Zeus variant catches victims off-guard by waiting to attack until after a website’s login page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”

For the July 2012 ThreatMetrix Labs report, four specific cases of Zeus attacks were analyzed across a variety of industries, including social media, financial services, retail, and payment processors. Most of these cases involve minor – but sophisticated – changes to the website designed to steal confidential information. These changes are often imperceptible, even to professionals.

Social Media Networks: Facebook and Gmail

Recently, social media platforms have shown increasing sophistication in monetizing their sites. Cybercriminals are seizing this opportunity to steal personal and financial information from registered users. They will initially see a “normal” login page, but once the username and password are entered, fraudulent pages appear asking for user credit card information. Common credit card scams include:

• Linking one’s debit card to a Facebook account, to transfer Facebook credits with ease

• Earning 20 percent cash back by linking one’s debit card with Facebook

• Joining a brand new processing system created jointly with Verified by Visa, MasterCard SecureCode and Google Checkout

• Linking one’s debit card with a Google account, in order to shop safely and securely at more than 3,000 online stores

Financial Services: Major Credit Card Companies and Financial Institutions

The Zeus Trojan targets all major credit card company websites upon customer login. After a victim logs in, an intermediate page appears that tricks the victim into disclosing personal and credit card information to the fraudsters. A similar post-login scenario targets major financial institutions globally, especially those in the United Kingdom, U.S., Canada, the Middle East, Italy, Germany, and Australia.

Another attack on financial institutions that is featured in the report targets Italian banks. In this case, a malicious JavaScript is used to adjust account balances so victims are unaware money has been stolen from their accounts. The script can also disable functionality in the banking application, preventing users’ access to pages that would show their account has been compromised.

Retail: Major Department Stores

Online retailers are also a target for this new variant of the Zeus Trojan, with fraudsters attempting to steal customer information at the time of checkout. In an example analyzed by ThreatMetrix Labs, Zeus targets a major department store. In this instance, a pop-up window asks for the user’s loyalty card information at checkout, stating, “The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly.” Most consumers are unaware that the pop-up window is the result of cybercrime, and will proceed to re-enter the loyalty card information.

Electronic Payments: Online Payment Processors

The final industry analyzed by the latest ThreatMetrix Labs report is online payment processors. Much like the previous retail example, a pop-up window is shown asking to verify credit card information, this time during user login. The Zeus Trojan detects the user’s name and the pop-up window looks completely legitimate, stating “Hello, (name). In order to carry out higher security standards with our customers, we carry out selective personal information verification.” The user then enters credit card information and the fraudsters go so far as to verify on the next page that the information is correct. Once the information is entered, it is sent to a command and control (C&C) center, where cybercriminals compile all stolen data.

“What puts social media websites, financial institutions, online retailers, and payment processors at such high risk with this particular variant of the Zeus Trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof. “Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalized with the victim’s name. To protect users and customers, all of these industries must realize how sophisticated today’s cybercriminals are and take proper steps to prevent these attacks.”

For more information, in-depth ThreatMetrix Labs reports are available upon request by organizations looking to gain a lead on the capabilities, enhancements and improvements being implemented into malicious software. To request an official report, please register at For a public copy of the report, visit .

About ThreatMetrix

ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. Key benefits include an improved customer experience, reduced friction, revenue gain and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, e-commerce, payments and lending, media, government and insurance.

For more information, visit or call 1-408-200-5755. Join the cybersecurity conversation by visiting the ThreatMetrix blog, Twitter, LinkedIn and Facebook pages.

© 2016 ThreatMetrix. All rights reserved. ThreatMetrix and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.


Media Contacts:

Dan Rampe
Tel: 408-200-5716

Meghan Reilly
Walker Sands Communications
Tel: 312-445-9926

