Attacks/Breaches
6/5/2013
03:16 PM
Connect Directly
RSS
E-Mail
50%
50%

Zeus Bank Malware Surges On Facebook

Old threat makes a comeback, targeting Facebook users' bank credentials and more.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Zeus malware, long popular with the cybercrime underground, has seen a resurgence in the first half of 2013, becoming a weapon of choice for attacks distributed via spam emails as well as social networks such as Facebook.

That finding comes from security firm Trend Micro, which has reported seeing a spike in attempted Zeus Trojan application infections beginning in February 2013 and peaking in May. Zeus malware targets personal and financial data stored on Windows PCs and is controlled via a "Zbot" botnet.

"Old threats like Zbot can always make a comeback because cybercriminals profit from these," said Jay Yaneza, senior technical manager at Trend Micro, in a blog post. "Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent."

[ Want some good Facebook security news? Read Google, Facebook Told U.K.: We Won't Be Snoops. ]

Zeus also can press infected PCs into service as nodes in a botnet composed of similar "zombie" PCs. Such botnets might comprise hundreds or thousands of systems and be tapped by attackers -- or rented out -- to serve as spam email relays or malware attack launch pads, or to generate distributed denial-of-service (DDoS) attacks.

Not all Zeus infections stem from spam emails. Criminal gangs also regularly post links to malicious websites that launch drive-by attacks that result in Zeus installations. Recent attack campaigns have involved links on supposed NFL fan pages on Facebook, as well as e-commerce sites selling fake Nike shoes, according to Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE).

"If you really want to hack someone, the easiest place to start is a fake Facebook profile -- it's so simple, it's stupid," Feinberg told The New York Times.

According to Trend Micro, the recent spike in Zeus activity has largely involved two variants of the malware: Citadel, which first appeared in 2011 and is apparently the brainchild of Russian and Ukrainian programmers who worked with source code published by Zeus' developer; and Gameover, which is designed to steal bank and credit card details and has been distributed via massive spam campaigns.

Zeus first shot to cybercrime fame in 2006, gaining notoriety as king of automated attack toolkits. Subsequent versions of the malware have continued to add features and functionality. The Zitmo variant, for example, was adapted in 2011 to target Android mobile devices and steal the one-time passwords -- known as mobile transaction authentication numbers (mTANs) -- used by many banks.

As of 2010, a basic version of Zeus was fetching $3,000, although add-ons could boost the purchase price to above $10,000. As those prices suggest, Zeus attacks can be lucrative. For example, the Eurograbber campaign, discovered last year, used Zeus malware to steal an estimated $47 million from more than 30,000 corporate and private banking customers across Europe.

Many different, unconnected Zeus botnets are typically running at any given time. The Zeus Tracker project, for example, which counts Zeus command-and-control (C&C) servers, currently reports that it's tracking 800 such servers. But related malware variants used by the attackers are detected by antivirus software only about 38% of the time. That low detection rate is typically due to the malware being polymorphic, meaning that the attack code is regularly repackaged so that it remains functionally equivalent but doesn't match known-file signatures.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant