Vulnerabilities / Threats

7/14/2010
03:51 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Trusteer Warns That Trojan Targets Banks Using Verified By Visa Program

Zeus financial crimeware platform is targeting online banking customers of 15 leading U.S. financial institutions

NEW YORK, July 14, 2010 -Trusteer, the leading provider of secure browsing services, today announced that the Zeus (Zbot) financial malware is targeting online banking customers of 15 leading US financial institutions by exploiting two trusted credit card security programs. After users have initiated a secure online banking session, the Zeus Trojan injects into the browser a facsimile of the familiar Verified by Visa and MasterCard SecureCode enrollment screen. It then prompts users to enter their social security number, credit or debit card number, expiration date, and PIN or CSV code. For a sample of the fake enrollment screen, see: http://www.trusteer.com/sites/default/files/ZeusVisaMastercardFraud.jpg

The information gathered by Zeus is used by fraudsters to commit 'card not present' transactions with retailers that employ Verified by Visa and SecureCode protection. This stolen data allows criminals to impersonate their victims and register with these programs to ensure fraudulent transactions elude fraud detection systems.

Trusteer used its Flashlight remote fraud investigation and mitigation service to discover this new in-session phishing attack, and collect Zeus configurations and code samples from infected computers. This version of Zeus attempts to trick online banking customers into surrendering their personal and credit/debit card data by claiming new FDIC rules require that they enroll in the Verified by Visa / MasterCard SecureCode program to protect their accounts.

"While some users may become suspicious when prompted to enter their credit/debit card information as part of the online banking login process, this attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate," said Amit Klein, CTO of Trusteer and head of the company's research organization. "Fortunately, online banking customers protected by Trusteer Rapport are not vulnerable to this attack since it blocks HTML injection and prevents Zeus from presenting the fraudulent enrollment request."

The Internet's Leading Banking Trojan

Zeus, which is also known as Zbot, WSNPOEM, NTOS and PRG, is the most prevalent banking malware platform for online fraud, and has been licensed by numerous criminal organizations. It infects PCs, waits for the user to log onto a list of targeted banks and financial institutions, and then steals their credentials which are sent to a remote server in real time. It can also modify, in a user's browser, the genuine web pages from a bank's web servers to ask for personal information such as payment card number and PIN, one time passwords, etc.

Anti malware detection of Zeus has a poor track record. In a 2009 report based on information gathered from 3 million desktops in North America and the UK Trusteer found that the majority of Zeus infections occur on antivirus protected machines. Specifically, Trusteer found that among Zeus infected machines 55% had up-to-date Antivirus protection installed. The population of machines infected with Zeus is enormous -- one in every 100 computers according to Trusteer research.

About Trusteer

Trusteer, the world's leading provider of secure browsing services, helps prevent financial malware attacks through its Rapport and Flashlight services. Trusteer Rapport enables banks and online businesses to protect sensitive data such as account holder credentials from malware by locking down the browser and creating a tunnel for safe communication between the web site and customers' machines. It also prevents phishing by validating site authenticity. Trusteer Flashlight allows remote, effective, and instant investigation of malware-related fraud incidents. Trusteer's solutions are used by more than 60 leading financial organizations in North America and Europe and by more than 7 million of their customers. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. For more information visit www.trusteer.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.