Confirming our previous observations here at Trusteer, the Zeus malware continues to evolve, diversifying away from its target bank sites and their customers, and over to sites with user credentials that allow assets that have a financial value.
The move mirrors the evolution of card fraud in the 1980s and 1990s, when fraudsters initially targeted banks for cash advance fraud, then, as the banks developed their internal anti-fraud resources, moved over to quasi-cash platforms such as foreign currency purchases and then over to retail and e-tail sales outlets.
The parallels between card fraud evolution and the evolution of Zeus is reflected in the attack vectors against a few websites our researchers have identified as being targeted.
Money Bookers (www.moneybookers.com) is an online payment provider allowing you to make online payments without submitting your personal information each time. We have found 26 different Zeus configurations targeting Money Bookers. This usually indicates that fraudsters have a solid business around this target. For comparison, this number doesn’t fall short of some of the highly targeted banks and brands in the world. For those of you who don’t know what a Zeus configuration file is – it’s basically a set of instructions that Zeus gets on which websites to target and what to do with them (steal login credentials, tamper with HTML webpages, etc). Different configurations represent different work efforts of targeting online websites.
Another interesting target we have found is Web Money (www.wmtransfer.com). This is another online payment solution that claims to have more than 12 million active users. Web Money is targeted by 13 different Zeus configurations, with the last one released January 16th, indicating that this is hot target for fraudsters. As with all the other online payment providers, Zeus steals login information and other sensitive information of Web Money users.
Another popular target is Nochex (www.nochex.com). A UK based online payment company specializing in smaller online businesses. Nochex is targeted by 12 different Zeus configurations with the last one released in January 16th.
While these three examples represent online payment providers which have been targeted for months, there are new comers as well. One example is netSpend (www.netspend.com). This website has been recently started to be targeted by Zeus. netSpend is a prepaid card provider. You add money to your account and use you netSpend account to pay online.
The last example for today is e-gold (www.e-gold.com). The e-gold portal is a one that provides a money-like currency and wire transfer services. This website has been indicted in the past for violating money laundering regulations. According to Wikipedia (http://en.wikipedia.org/wiki/E-gold) “e-gold has been perceived by the United States government as the medium of choice for many online con-artists, with pyramid schemes and high-yield investment programs ("HYIPs") commonplace.”. This website is targeted by 16 different Zeus configuration. Could it be that fraudsters are targeting other fraudsters?
The genuine login page for e-gold (https://www.e-gold.com/acct/login.html) asks the user for the account number, passphrase and uses CAPTCHA technology to help prevent automated attacks.
On a Zeus-infected machine (with an e-gold targeting configuration), the malware injects an additional element into the login page that requests the alternate password - plus the email associated with the account, which can then presumably be tapped for back-door access to the account,.
The following screenshot shows the login page after it has been tampered with by Zeus (the injected fields are identified using a red rectangle):
We believe this trend of targeting online payment providers will continue as more retailers allow these alternate payment methods with their Web sites.
The latest UK figures on card fraud in the UK from KPMG (http://bit.ly/dIUzxE) show that card fraud soared by 16 per cent in 2010 when compared to the previous year, with one of the largest frauds worth a hefty £103 million.
The story is a similar one in the US, although research from Bank Info Security (http://bit.ly/cvdRUo) found that only 48 per cent of fraud is detected at the point of transaction.
So what can be done to counter the problem of Zeus-enabled credential fraud against a diversified range of online payment providers?
We believe that customers of all sites where purchases are involved need to protect their PC or access terminal, using secure browsing services and solutions that specialize in protecting online payments and online banking.
Users should also avoid using public access computers, as well as computers you do not own and therefore have direct control over.
Retailers and payment providers, meanwhile, need to assess the risk associated with their customers' endpoint devices. They should, we believe, reject transactions from accounts used over insecure endpoints.
For more information see http://www.trusteer.com/blog
Source: Eskenzi PR Ltd.
This press release is presented without editing for your information only.
Full Disclosure Statement: The ICT REVIEW received no compensation for any component of this article.