Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Zeus Malware Seeks Facebook Users' Debit Card Data

Latest Botnet-backed fraud compaign also has variations targeting Google Mail, Hotmail, and Yahoo users.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)
A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.

"We've recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet's leading online services and websites," said Amit Klein, CTO of Trusteer, in a blog post. The attacks come disguised as offers for great rebates or hot new security functionality. But in reality, "the scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data," he said.

Each of the social engineering attacks differs slightly in its execution. In the case of Facebook, for example, the scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. "The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points," said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

[ No honor among these thieves. Read Anonymous Allies Hit With Zeus Malware. ]

In the Gmail, Hotmail, and Yahoo variations, the scam "offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs," said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person's debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won't be able to use Hotmail to make any purchases.

What the attacks share in common, besides being scams, is their use of a specific variant of Zeus, which is frequently the malware of choice for criminals seeking to separate people from their personal financial information. What's notable about the attack toolkits behind Zeus and similar malware--typically provided on a subscription basis--is that they allow people with scant computer knowledge to launch highly automated attacks that continue to evolve in order to fool security defenses. Although Zeus ships with a number of built-in features, subscribers also can purchase upgrades to customize their attack capabilities.

A Zeus-infected computer, or "zombie PC," also can function as a node in a botnet that might comprise thousands of similarly infected machines. Each PC can receive further instructions and new code from the command-and-control (C&C) server that runs the botnet. These updates might contain code that records and exfiltrates all keystrokes on the machine, finds and copies all financial data, turns the PC into a spam relay, or in the case of the above scam attacks, attempts to trick users into sharing sensitive financial details.

Although authorities have busted multiple crime rings that have used Zeus to steal millions of dollars, and technology giant Microsoft has gone to court to take down Zeus servers, many Zeus-using criminals apparently remain alive, well, and well-remunerated.

Notably, the ZeuS Tracker Tuesday recorded 355 Zeus C&C servers as being online. It said that the average antivirus software detection rate for the malware currently being generated by Zeus toolkits was just 38.5%.

From clouds to mobile to software development, threats may be everywhere, but they're not equally dangerous. The new, all-digital IT Strategic Security Survey issue of InformationWeek will help you prioritize. Also in this issue: IT must decide how to deal with consumer cloud storage being used in businesses. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
5/18/2012 | 2:50:09 AM
re: Zeus Malware Seeks Facebook Users' Debit Card Data
So, this seems to be a major issue... big botnet, a lot of sophisticated social engineering, targetting of Facebook, Yahoo, Google and Gmail users (that should cover pretty much anyone reading this) as well as making users think that they're doing something secured by their debit card networks as MasterCard and Visa... yet less than 4 out of 10 of the malware infections are detectable?

Don't get me wrong... 4 out of 10 isn't bad... if you're batting cleanup for the Lowell Spinners. But if you're running a security software product firm, that's a horrific number, right?

Anyone? Bueller?

Andrew Hornback
InformationWeek Contributor
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22675
PUBLISHED: 2021-05-07
The affected product is vulnerable to integer overflow while parsing malformed over-the-air firmware update files, which may allow an attacker to remotely execute code on SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, C...
CVE-2021-22679
PUBLISHED: 2021-05-07
The affected product is vulnerable to an integer overflow while processing HTTP headers, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK v...
CVE-2020-14009
PUBLISHED: 2021-05-07
Proofpoint Enterprise Protection (PPS/PoD) before 8.17.0 contains a vulnerability that could allow an attacker to deliver an email message with a malicious attachment that bypasses scanning and file-blocking rules. The vulnerability exists because messages with certain crafted and malformed multipar...
CVE-2021-21984
PUBLISHED: 2021-05-07
VMware vRealize Business for Cloud 7.x prior to 7.6.0 contains a remote code execution vulnerability due to an unauthorised end point. A malicious actor with network access may exploit this issue causing unauthorised remote code execution on vRealize Business for Cloud Virtual Appliance.
CVE-2021-26122
PUBLISHED: 2021-05-07
LivingLogic XIST4C before 0.107.8 allows XSS via feedback.htm or feedback.wihtm.