Vulnerabilities / Threats
5/16/2012
12:32 PM
50%
50%

Zeus Malware Seeks Facebook Users' Debit Card Data

Latest Botnet-backed fraud compaign also has variations targeting Google Mail, Hotmail, and Yahoo users.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.

"We've recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet's leading online services and websites," said Amit Klein, CTO of Trusteer, in a blog post. The attacks come disguised as offers for great rebates or hot new security functionality. But in reality, "the scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data," he said.

Each of the social engineering attacks differs slightly in its execution. In the case of Facebook, for example, the scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. "The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points," said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

[ No honor among these thieves. Read Anonymous Allies Hit With Zeus Malware. ]

In the Gmail, Hotmail, and Yahoo variations, the scam "offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs," said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person's debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won't be able to use Hotmail to make any purchases.

What the attacks share in common, besides being scams, is their use of a specific variant of Zeus, which is frequently the malware of choice for criminals seeking to separate people from their personal financial information. What's notable about the attack toolkits behind Zeus and similar malware--typically provided on a subscription basis--is that they allow people with scant computer knowledge to launch highly automated attacks that continue to evolve in order to fool security defenses. Although Zeus ships with a number of built-in features, subscribers also can purchase upgrades to customize their attack capabilities.

A Zeus-infected computer, or "zombie PC," also can function as a node in a botnet that might comprise thousands of similarly infected machines. Each PC can receive further instructions and new code from the command-and-control (C&C) server that runs the botnet. These updates might contain code that records and exfiltrates all keystrokes on the machine, finds and copies all financial data, turns the PC into a spam relay, or in the case of the above scam attacks, attempts to trick users into sharing sensitive financial details.

Although authorities have busted multiple crime rings that have used Zeus to steal millions of dollars, and technology giant Microsoft has gone to court to take down Zeus servers, many Zeus-using criminals apparently remain alive, well, and well-remunerated.

Notably, the ZeuS Tracker Tuesday recorded 355 Zeus C&C servers as being online. It said that the average antivirus software detection rate for the malware currently being generated by Zeus toolkits was just 38.5%.

From clouds to mobile to software development, threats may be everywhere, but they're not equally dangerous. The new, all-digital IT Strategic Security Survey issue of InformationWeek will help you prioritize. Also in this issue: IT must decide how to deal with consumer cloud storage being used in businesses. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:50:09 AM
re: Zeus Malware Seeks Facebook Users' Debit Card Data
So, this seems to be a major issue... big botnet, a lot of sophisticated social engineering, targetting of Facebook, Yahoo, Google and Gmail users (that should cover pretty much anyone reading this) as well as making users think that they're doing something secured by their debit card networks as MasterCard and Visa... yet less than 4 out of 10 of the malware infections are detectable?

Don't get me wrong... 4 out of 10 isn't bad... if you're batting cleanup for the Lowell Spinners. But if you're running a security software product firm, that's a horrific number, right?

Anyone? Bueller?

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.