Attacks/Breaches
12/9/2010
12:10 PM
50%
50%

Zeus Botnet Targeting Retailer Credit Cards

Macy's and Nordstrom cardholders are now at risk from financial malware's latest social engineering attack.

How Firesheep Can Hijack Web Sessions
(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions
Just in time for the holidays, the Zeus botnet toolkit has gotten an upgrade: it now has the ability to target large retailers' credit card users' accounts.

That warning was issued on Wednesday by Amit Klein, CTO of data security firm Trusteer. "Our research group recently discovered a Zeus botnet that is targeting credit card accounts of major U.S. retailers including Macy's and Nordstrom just as the holiday gift buying season is in full swing," he said in a blog post.

Klein said the new capabilities are built into Zeus 2.1.0.8 -- the latest version -- and appear designed to steal people's credit card details so criminals can conduct "card not present" (CNP) transactions. Merchants must typically foot the bill for any CNP fraud that occurs on their cards, thus many have invested substantial resources into detecting fraudulent transactions.

Accordingly, the Zeus malware now takes additional steps to circumvent anti-fraud measures. "The attack we discovered uses social engineering to gather additional information beyond the credit card number that will make it easier for the criminal to bypass fraud detection measures used to investigate suspicious transactions," said Klein.

In particular, Zeus can inject a seemingly legitimate "man-in-the-middle pop-up," he said, which requests the user's credit card number -- for Macy's or Nordstrom, as appropriate -- as well as card expiration date, CVV security code, social security number, mother's maiden name, and date of birth. After entering the information, users hit a button that says "verify." Of course, nothing is being verified; the information is being recorded by Zeus and funneled to the criminals behind this operation.

This latest attack highlights the challenge faced by merchants, as well as security firms, of trying to keep pace with rapidly evolving financial malware. Indeed, the emergence of inexpensive financial malware such as Zeus -- apparently available for as little as $3,000 on the black market, though customizing it with other capabilities can easily add another $10,000 -- means that criminals without computer expertise now have access to cheap botnets and automated attack toolkits.

Interestingly, the new capabilities come in the wake of October's reported announcement that the creator of Zeus, feeling the heat, was going to retire. Security experts say they're not holding their breath.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.