Zeus malware strain infecting 1 in 50 PCs

ThreatMetrix Labs came across a new variant of the P2P version of the Zeus Trojan. One of the main changes in this variant is the way it encrypts its configuration file, which makes all automatic detection routines fail to recognize the Trojan.

“Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines,” said Andreas Baumhof, CTO at ThreatMetrix. “The latest Zeus variant catches victims off-guard by waiting to attack until after a website’s login page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”

ThreatMetrix Labs analyzed four specific cases of Zeus attacks across a variety of industries, including social media, financial services, retail, and payment processors. Most of these cases involve minor but sophisticated changes to the website designed to steal confidential information. These changes are often imperceptible, even to professionals.

Facebook and Gmail

Recently, social media platforms have shown increasing sophistication in monetizing their sites. Cybercriminals are seizing this opportunity to steal personal and financial information from registered users. Victims initially see a “normal” login page, but once the username and password are entered, fraudulent pages appear asking for the user's credit card information.

Common scams include:

  • Linking one’s debit card to their Facebook account, to transfer Facebook credits with ease
  • Earning 20 percent cash back by linking one’s debit card with Facebook
  • Joining a brand new processing system created jointly with Verified by Visa, MasterCard SecureCode and Google Checkout
  • Linking one’s debit card with a Google account, in order to shop safely and securely at more than 3,000 online stores

Financial services

The Zeus Trojan targets all major credit card company websites upon customer login. After a victim logs in, an intermediate page will appear, tricking the victim into disclosing personal and credit card information to the alleged fraudsters.

A similar post-login scenario targets major financial institutions globally, especially those in the United Kingdom, U.S., Canada, Middle East, Italy, Germany, and Australia.

Another attack on financial institutions that is featured in the report targets Italian banks. In this case, a malicious JavaScript is used to adjust account balances so victims are unaware money has been stolen from their accounts. The script can also disable functionality in the banking application, preventing users’ access to pages that would show their account has been compromised.

Major department stores

Online retailers are also a target for this new variant of the Zeus Trojan, with fraudsters attempting to steal customer information at the time of checkout. In an example analyzed by ThreatMetrix Labs, Zeus targets a major department store. In this instance, a pop-up window asks for the user’s loyalty card information at checkout, stating, “The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly.” Most consumers are unaware that the pop-up window is the result of cybercrime, and will proceed to re-enter the loyalty card information.

Electronic payments

The final industry analyzed by the latest ThreatMetrix Labs report is online payment processors. Much like the previous retail example, a pop-up window is shown asking the user to verify credit card information, this time during login. The Zeus Trojan detects the user’s name, and the pop-up window looks completely legitimate, stating “Hello, (name). In order to carry out higher security standards with our customers, we carry out selective personal information verification.” The user then enters credit card information, and the fraudsters go so far as to confirm on the next page that the information is correct. Once the information is entered, it is sent to a command and control (C&C) center, where cybercriminals compile all stolen data.

“What puts social media websites, financial institutions, online retailers, and payment processers at such high risk with this particular variant of the Zeus Trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof.

“Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalized with the victim’s name. To protect users and customers, all of these industries must realize how sophisticated today’s cybercriminals are and take proper steps to prevent these attacks,” he added.
