Vulnerabilities / Threats
5/16/2012
12:32 PM
50%
50%

Zeus Malware Seeks Facebook Users' Debit Card Data

Latest Botnet-backed fraud compaign also has variations targeting Google Mail, Hotmail, and Yahoo users.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.

"We've recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet's leading online services and websites," said Amit Klein, CTO of Trusteer, in a blog post. The attacks come disguised as offers for great rebates or hot new security functionality. But in reality, "the scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data," he said.

Each of the social engineering attacks differs slightly in its execution. In the case of Facebook, for example, the scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. "The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points," said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

[ No honor among these thieves. Read Anonymous Allies Hit With Zeus Malware. ]

In the Gmail, Hotmail, and Yahoo variations, the scam "offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs," said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person's debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won't be able to use Hotmail to make any purchases.

What the attacks share in common, besides being scams, is their use of a specific variant of Zeus, which is frequently the malware of choice for criminals seeking to separate people from their personal financial information. What's notable about the attack toolkits behind Zeus and similar malware--typically provided on a subscription basis--is that they allow people with scant computer knowledge to launch highly automated attacks that continue to evolve in order to fool security defenses. Although Zeus ships with a number of built-in features, subscribers also can purchase upgrades to customize their attack capabilities.

A Zeus-infected computer, or "zombie PC," also can function as a node in a botnet that might comprise thousands of similarly infected machines. Each PC can receive further instructions and new code from the command-and-control (C&C) server that runs the botnet. These updates might contain code that records and exfiltrates all keystrokes on the machine, finds and copies all financial data, turns the PC into a spam relay, or in the case of the above scam attacks, attempts to trick users into sharing sensitive financial details.

Although authorities have busted multiple crime rings that have used Zeus to steal millions of dollars, and technology giant Microsoft has gone to court to take down Zeus servers, many Zeus-using criminals apparently remain alive, well, and well-remunerated.

Notably, the ZeuS Tracker Tuesday recorded 355 Zeus C&C servers as being online. It said that the average antivirus software detection rate for the malware currently being generated by Zeus toolkits was just 38.5%.

From clouds to mobile to software development, threats may be everywhere, but they're not equally dangerous. The new, all-digital IT Strategic Security Survey issue of InformationWeek will help you prioritize. Also in this issue: IT must decide how to deal with consumer cloud storage being used in businesses. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:50:09 AM
re: Zeus Malware Seeks Facebook Users' Debit Card Data
So, this seems to be a major issue... big botnet, a lot of sophisticated social engineering, targetting of Facebook, Yahoo, Google and Gmail users (that should cover pretty much anyone reading this) as well as making users think that they're doing something secured by their debit card networks as MasterCard and Visa... yet less than 4 out of 10 of the malware infections are detectable?

Don't get me wrong... 4 out of 10 isn't bad... if you're batting cleanup for the Lowell Spinners. But if you're running a security software product firm, that's a horrific number, right?

Anyone? Bueller?

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2329
Published: 2015-08-31
Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allow remote authenticated users to inject arbitrary web script or HTML via the (1) agent string for a check_mk agent, a (2) crafted request to a monitored host, which is not properly handled by ...

CVE-2014-2330
Published: 2015-08-31
Multiple cross-site request forgery (CSRF) vulnerabilities in the Multisite GUI in Check_MK before 1.2.5i2 allow remote attackers to hijack the authentication of users for requests that (1) upload arbitrary snapshots, (2) delete arbitrary files, or possibly have other unspecified impact via unknown ...

CVE-2014-2331
Published: 2015-08-31
Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.

CVE-2014-2332
Published: 2015-08-31
Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allows remote authenticated users to delete arbitrary files via a request to an unspecified link, related to "Insecure Direct Object References." NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.

CVE-2014-2570
Published: 2015-08-31
Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP Font Lib before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.