Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Zeus Malware Seeks Facebook Users' Debit Card Data

Latest Botnet-backed fraud compaign also has variations targeting Google Mail, Hotmail, and Yahoo users.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.

"We've recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet's leading online services and websites," said Amit Klein, CTO of Trusteer, in a blog post. The attacks come disguised as offers for great rebates or hot new security functionality. But in reality, "the scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data," he said.

Each of the social engineering attacks differs slightly in its execution. In the case of Facebook, for example, the scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. "The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points," said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

[ No honor among these thieves. Read Anonymous Allies Hit With Zeus Malware. ]

In the Gmail, Hotmail, and Yahoo variations, the scam "offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs," said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person's debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won't be able to use Hotmail to make any purchases.

What the attacks share in common, besides being scams, is their use of a specific variant of Zeus, which is frequently the malware of choice for criminals seeking to separate people from their personal financial information. What's notable about the attack toolkits behind Zeus and similar malware--typically provided on a subscription basis--is that they allow people with scant computer knowledge to launch highly automated attacks that continue to evolve in order to fool security defenses. Although Zeus ships with a number of built-in features, subscribers also can purchase upgrades to customize their attack capabilities.

A Zeus-infected computer, or "zombie PC," also can function as a node in a botnet that might comprise thousands of similarly infected machines. Each PC can receive further instructions and new code from the command-and-control (C&C) server that runs the botnet. These updates might contain code that records and exfiltrates all keystrokes on the machine, finds and copies all financial data, turns the PC into a spam relay, or in the case of the above scam attacks, attempts to trick users into sharing sensitive financial details.

Although authorities have busted multiple crime rings that have used Zeus to steal millions of dollars, and technology giant Microsoft has gone to court to take down Zeus servers, many Zeus-using criminals apparently remain alive, well, and well-remunerated.

Notably, the ZeuS Tracker Tuesday recorded 355 Zeus C&C servers as being online. It said that the average antivirus software detection rate for the malware currently being generated by Zeus toolkits was just 38.5%.

From clouds to mobile to software development, threats may be everywhere, but they're not equally dangerous. The new, all-digital IT Strategic Security Survey issue of InformationWeek will help you prioritize. Also in this issue: IT must decide how to deal with consumer cloud storage being used in businesses. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:50:09 AM
re: Zeus Malware Seeks Facebook Users' Debit Card Data
So, this seems to be a major issue... big botnet, a lot of sophisticated social engineering, targetting of Facebook, Yahoo, Google and Gmail users (that should cover pretty much anyone reading this) as well as making users think that they're doing something secured by their debit card networks as MasterCard and Visa... yet less than 4 out of 10 of the malware infections are detectable?

Don't get me wrong... 4 out of 10 isn't bad... if you're batting cleanup for the Lowell Spinners. But if you're running a security software product firm, that's a horrific number, right?

Anyone? Bueller?

Andrew Hornback
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15570
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
CVE-2020-15569
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
CVE-2020-7690
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
CVE-2020-7691
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
CVE-2020-15562
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.