The Green Sheet Online Edition
July 23, 2012 • Issue 12:07:02
New Zeus malware puts payments at risk
ThreatMetrix Labs, an independent firm researching online security, confirmed in a June 2012 report that a new peer-to-peer variation of the infamous Zeus malware alters websites in a manner that enables it to steal confidential information without being detected - even by professionals. Trustwave SpiderLabs drew the same conclusion in a separate study of the malware.
Zeus malware is called a Trojan horse because the attack is disguised as something it is not. For instance, a familiar looking but fake social network or business web page may appear and ask the user to reenter a name and password. Zeus then steals payment, banking and other confidential information by recording keystrokes and by capturing payment forms sent over the Internet as the customer hits "Send."
ThreatMetrix analyzed Zeus attacks on social media, financial services, retail and payment processing sites and found in most cases minor "but sophisticated" website changes allowed thieves access to personal information while going unnoticed. The lab reported the new Zeus variant can mimic the customer login page of all major credit card company websites.
The new report also discussed a malicious script used in Italy that adjusts account balance statements so victims are unaware of anything out of order in their accounts. The script can also block access to bank records that would allow the user to see the account was compromised.
Multiple sectors targeted
Andreas Baumhof, ThreatMetrix's Chief Technology Officer, said, "We are seeing fraud spread out away from financial institutions to target small merchants, retailers, processors and utilities."
In one incident ThreatMetrix investigated, a pop-up window appeared at the retail POS with this message, "The card number you entered does not match our records. Please verify and make sure you re-enter the card information correctly."
In a similar scheme, launched in a payment processor's system, a pop-up greeted the user by correct name and said, "In order to carry out higher security standards with our customers, we carry out selective personal information verification." It then asked the customer to reenter credit card information.
Baumhof said today's new malware is going undetected by even "some of the most advanced malware and cybercrime detection tools." He noted it can bypass authentication measures and inject malicious content into a payment environment that, among other things, can change the recipient of a transaction in real time.
And the user most likely won't detect the virus because it employs sophisticated tricks, such as removing emails from the system that would otherwise notify a customer of a bank transfer.
Cyber crime tailored to environment
Ziv Mador, Trustwave SpiderLabs Director of Security Research, said his lab found in its Zeus malware study that once a user is tricked into giving up credit card or other personal information, Zeus can activate a "money mule account" in real time, transporting the transaction to a criminal bank account rather than its intended destination.
Mador said SpiderLabs is seeing "constantly improving exploit kits" that can target specific geographic groups in the world with malware adapted for the region and better looking interfaces that closely resemble the sites they are imitating. However, Mador said it is difficult to estimate the extent of this cyber theft because corporate victims often don't report malware intrusions; they are reluctant to alarm customers and potentially harm their businesses over a problem they have already discovered and remedied.
Despite this lack of full disclosure, SpiderLabs' research found the number one and two targeted industries for Zeus are food-and-beverage and retail stores. In more than 80 percent of the cases of malware infecting these environments, the criminal program targeted customer records and other forms of personal information, Mador noted.
Zeus Trojan detection and removal
In addition to regular scans and anti-virus software, Mador offered this advice for businesses hoping to fight off a Zeus attack: "Keep your system patched." He said one of the ways Zeus is able to access systems is by exploiting security holes in common software such as Microsoft Corp.'s Windows, Oracle Corp.'s Java and certain Adobe Systems Inc. software.
Mador pointed out that if one system is patched, the malware will continue to look for holes in other familiar software until it finds a security hole that wasn't patched. "It's enough to have one application not fully patched to compromise the entire machine," he said.
Baumhof considers the requirements embodied in the Payment Card Industry Data Security Standard a minimum standard for security that is unlikely to discover a Zeus Trojan. "You need to do a much more detailed anomaly detection," he said. "Companies need to deal with this threat in a more sophisticated way. It is not enough now just to ask for user name and password authentication."
Baumhof recommended using scanning tools that can detect, among other things, when someone logs in from an unfamiliar computer. He also suggested doing a velocity check that can detect when someone is attempting to access hundreds of different devices from a single computer.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.