ThreatMetrix, the fastest-growing provider of integrated cybercrime prevention solutions, announced today the release of its latest ThreatMetrix Labs report, “Zeus P2P Advancements and MitB Attack Vectors.” In April 2012, ThreatMetrix Labs came across a new variant of the peer-to-peer (P2P) version of the notorious Zeus Trojan. The latest report examines the sample and specific attack targets of this new variant.
ThreatMetrix Labs develops in-depth reports on the latest capabilities of malware that targets financial institutions, merchants and online businesses. The information gained from the report enables enterprises, financial institutions, credit unions, payment providers, government agencies, and security professionals to stay abreast of current and emerging online security threats.
One of the main changes to this new Zeus variant is the way it encrypts its configuration file – which make all automatic detection routines fail to recognize the Trojan.
“Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines,” said Andreas Baumhof, chief technology officer, ThreatMetrix. “The latest Zeus variant catches victims off-guard by waiting to attack until after a website’s login page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”
For the July 2012 ThreatMetrix Labs report, four specific cases of Zeus attacks were analyzed across a variety of industries, including social media, financial services, retail, and payment processors. Most of these cases involve minor – but sophisticated – changes to the website designed to steal confidential information. These changes are often unsusceptible, even to professionals.
Social Media Networks: Facebook and Gmail
Recently, social media platforms have shown increasing sophistication in monetizing their sites. Cybercriminals are seizing this opportunity to steal personal and financial information from registered users. They will initially see a “normal” login page, but once the username and password are entered, fraudulent pages appear asking for user credit card information.
Common scams include:
- Linking one’s debit card to their Facebook account, to transfer Facebook credits with ease
- Earn 20 percent cash back by linking one’s debit card with Facebook
- Join the brand new processing system created jointly with Verified by Visa, MasterCard SecureCode and Google Checkout.
- Linking one’s debit card with a Google account, in order to shop safely and securely at more than 3,000 stores online.
Financial Services: Major Credit Card Companies and Financial Institutions
The Zeus Trojan targets all major credit card company websites upon customer login. After a victim logs in, an intermediate page will appear, tricking the victim into disclosing personal and credit card information to the alleged fraudsters. A similar scenario exists after the login page and targets major financial institutions globally, especially those in the United Kingdom, U.S., Canada, Middle East, Italy, Germany, and Australia.
Retail: Major Department Stores
Online retailers are also a target for this new variant of the Zeus Trojan, with fraudsters attempting to steal customer information at the time of checkout. In an example analyzed by ThreatMetrix Labs, Zeus targets a major department store. In this instance, a pop-up window asks for the user’s loyalty card information at checkout, stating, “The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly.” Most consumers are unaware that the pop-up window is the result of cybercrime, and will proceed to re-enter the loyalty card information.
Electronic Payments: Online Payment Processors
The final industry analyzed by the latest ThreatMetrix Labs report is online payment processors. Much like the previous retail example, a pop-up window is shown asking to verify credit card information, this time during user login. The Zeus Trojan detects the user’s name and the pop-up window looks completely legitimate, stating “Hello, (name). In order to carry out higher security standards with our customers, we carry out selective personal information verification.” The user then enters credit card information and the fraudsters go so far as to verify on the next page that the information is correct. Once the information is entered, it is sent to a command and control (C&C) center, where cybercriminals compile all stolen data.
“What puts social media websites, financial institutions, online retailers, and payment processers at such high risk with this particular variant of the Zeus Trojan is that all of the fraudulent pages and windows described in the report appear legitimate to most users,” said Baumhof. “Pages include the branding and messaging typical to each of the industries the cybercriminals are targeting. They are even personalized with the victim’s name. To protect users and customers, all of these industries must realize how sophisticated today’s cybercriminals are and take proper steps to prevent these attacks.”
For more information, in-depth ThreatMetrix Labs reports are available upon request by organizations looking to gain a lead on the capabilities, enhancements and improvements being implemented into malicious software. To request an official report, please register at http://info.threatmetrix.com/ThreatMetrix-Labs-Subscribe.html. For a public copy of the report, visit http://threatmetrix.com/resource-center/threatmetrix-labs-reports/.