Confirming our previous observations, the Zeus malware continues to evolve, branching out from banking sites and their customers to online payment providers, which are sites with user credentials that allow assets that have a financial value.
The move mirrors the evolution of card fraud in the 1980s and 1990s, when fraudsters initially targeted banks for cash-advance fraud. Then, as banks developed their internal antifraud resources, criminals moved over to quasi-cash platforms, such as foreign currency purchases, and then to retail and e-tail sales outlets.
The parallels between card fraud evolution and the evolution of Zeus is reflected in the attack vectors against a few websites our researchers have identified as targets.
Targeted Online Payment Providers
Money Bookers is an online payment provider that allows you to make online payments without submitting your personal information each time. We have found 26 different Zeus configurations targeting Money Bookers. This usually indicates that fraudsters have a solid business around this target. For comparison, this number doesn’t fall short of some of the highly targeted banks and brands in the world. For those of you who don’t know what a Zeus configuration file is, it’s basically a set of instructions that Zeus gets on which websites to target and what to do with them (steal login credentials, tamper with HTML Web pages, etc). Different configurations represent different work efforts of targeting websites.
Another interesting target we have found is Web Money. This is another online payment solution that claims to have more than 25 million active users as of April 2014. Thirteen different Zeus configurations target Web Money, with the last released on January 16, indicating that this is a hot target for fraudsters. As with all the other online payment providers, Zeus steals login information and other sensitive information from Web Money users.
Yet another popular target is Nochex, a U.K.-based online payment company specializing in smaller online businesses. Twelve different Zeus configurations target Nochex, with the last one released on January 16.
While these three examples represent online payment providers that have been targeted for months, there are newcomers, as well. One example is netSpend, a prepaid card provider that has only recently started to be targeted by Zeus. Users add money to their netSpend account, which they then use to pay for things online.
The last example for today is e-gold. The e-gold portal is a one that provides a money-like currency and wire transfer services. This website has been indicted in the past for violating money laundering regulations. According to Wikipedia, “e-gold has been perceived by the United States government as the medium of choice for many online con-artists, with pyramid schemes and high-yield investment programs (“HYIPs”) commonplace.” This website is targeted by 16 different Zeus configuration. Could it be that fraudsters are targeting other fraudsters?
The genuine login page for e-gold asks the user for the account number, passphrase and uses CAPTCHA technology to help prevent automated attacks. On a Zeus-infected machine (with an e-gold targeting configuration), the malware injects an additional element into the login page that requests the alternate password – plus the email associated with the account, which can then presumably be tapped for back-door access to the account.
We believe this trend of targeting online payment providers will continue as more retailers allow alternative payment methods on their websites.
Increased Attacks
The latest U.K. figures on card fraud in the U.K. from KPMG show that card fraud soared by 16 percent in 2010 compared to the previous year, with one of the largest frauds worth a hefty 103 million pounds.
The story is a similar one in the United States, although research from Bank Info Security found that only 48 percent of fraud is detected at the point of transaction.
So what can be done to counter Zeus-enabled credential fraud against a diversified range of online payment providers?
We believe that customers of all sites where purchases are involved need to protect their PC or access terminal using secure browsing services and security solutions that specialize in protecting online payments and online banking. Users should also avoid using public-access computers as well as computers they do not own and therefore have no direct control over. Retailers and payment providers, meanwhile, need to assess the risk associated with their customers’ endpoint devices. They should, we believe, reject transactions from accounts used over insecure endpoints.
CTO, Trusteer, an IBM company