April 27, 2011 By Amit Klein 4 min read

IBM recently discovered and investigated a very interesting new Zeus configuration sample that uses credible-looking banner advertisements on major websites to offer high-return investment opportunities. This attack is targeting some of the world’s leading and most-trusted websites, including AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN and many more. Investment fraud is a new twist in the Zeus bag of tricks.

Using Big Brands to Fit In

These attacks have only one purpose: to lure users into investing their money through a fraudulent, yet legitimate-looking website. IBM traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites, which redirect to the fraud site. We were surprised to see how well-integrated the banner designs were with the attacked websites.

Here are some examples of banners that appeared on Google and Bing pages:

In a very sophisticated attack against Forbes.com, the cyber criminals inject a compelling overview of the fictitious URS Investment Fund. They offer wealthy individuals the opportunity to achieve extremely high rates of return through a “prestigious” investment program. The content developed for this advanced attack establishes a new standard of credibility for the fraudsters. Here is the text embedded by the Zeus injection code on the attacked pages at Forbes.com:

In a similar attack against the Yahoo Finance pages, fraudsters actually claim that URS has established a partnership with Yahoo. In this investment fraud campaign, criminals lowered the investment minimum to $1,000. Here is the text added by the Zeus injection mechanism on the site’s “Banking & Budgeting” page.

Like the injected code, the website is professionally designed, user-friendly and has a simple registration process. It asks users to enter login and password details; however, it does not allow them to recover their account credentials.

Upon registration, users are prompted to upload funds through a bank wire transfer or using Western Union. Next, they are asked to choose an investment program. Three options are presented in significant detail for minimum investments of $1,000, $5,000 and $10,000. These include investment schedules, interest rates and lump-sum profits. Below is a screen capture of a page that promises 7 percent, 11.3 percent, 16 percent and even 32 percent rates of return.

Meanwhile, the “Our Partners” tab on the site lists companies that have been found in the Zeus configuration file, including AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN and others. We also found a Forbes logo on the home page of the site. The links leading to the websites of the listed companies (“You can read more details on their websites”) lead back to pages attacked by this configuration of Zeus. Users who are infected by Zeus and follow these links are presented with the same false information about those companies’ partnership with URS.

We also checked WHOIS for information on the fraudulent site’s domain name, and found that records only start on March 11, 2011. However, according to the website, the URS company has existed since 1995 and is based in the U.S. We did not find any specific companies behind this website.

The site, https://ursinvestment.com, has a valid SSL certificate, which was issued on March 20, 2011. A Google cache of the website from March 26, 2010 points to the default Apache website, which is empty. The website is hosted on an IP address (178.18.243.227) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website.
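The checks in the two paragraphs above (WHOIS registration date versus the company's claimed history, certificate issue date, cached page history, and hosting location versus claimed location) are the kind of consistency review a fraud analyst repeats for every suspect site. The script below is an added example, not code from the original post or from IBM; it encodes those checks as a small scoring routine over constructed observations. The WHOIS text, the domain name and the cached-page description are constructed (the dates mirror the ones reported above; the domain and registrar names are hypothetical placeholders), and the finding codes are this example's own vocabulary.

```python
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed WHOIS excerpt for this example. The domain and registrar names are
# hypothetical; the creation date mirrors the one reported in the post.
SAMPLE_WHOIS = """Domain Name: example-investment-site.test
Registrar: Example Registrar (hypothetical)
Creation Date: 2011-03-11
"""

WHOIS_CREATION_RE = re.compile(r"^\s*Creation Date:\s*(\d{4}-\d{2}-\d{2})", re.MULTILINE)


def parse_whois_creation(whois_text: str) -> date:
    """Pull the registration date out of a WHOIS record (ISO date form only)."""
    m = WHOIS_CREATION_RE.search(whois_text)
    if m is None:
        raise ValueError("no 'Creation Date' line in WHOIS text")
    return date.fromisoformat(m.group(1))


@dataclass
class SiteObservations:
    domain: str
    claimed_founded_year: int      # what the site says about its own history
    claimed_country: str           # where the site says the company is based
    whois_created: date            # earliest WHOIS record for the domain
    cert_not_before: date          # TLS certificate issue date
    hosting_country: str           # country the hosting IP geolocates to
    cache_snapshots: dict = field(default_factory=dict)  # snapshot date -> what it showed


# Phrases that indicate a cached page was a server placeholder rather than a business site.
PLACEHOLDER_MARKERS = ("default apache", "default page", "empty", "under construction")


def assess(obs: SiteObservations, today: date, young_days: int = 90) -> list:
    """Return finding codes wherever the site's story and its infrastructure disagree."""
    findings = []
    # A company cannot have existed for years on a domain registered recently.
    if obs.whois_created.year > obs.claimed_founded_year:
        findings.append("FOUNDED_BEFORE_REGISTRATION")
    # Very young domains are typical of throwaway fraud infrastructure.
    if (today - obs.whois_created).days < young_days:
        findings.append("YOUNG_DOMAIN")
    # A certificate older than the domain registration is inconsistent and worth a look.
    if obs.cert_not_before < obs.whois_created:
        findings.append("CERT_PREDATES_DOMAIN")
    # Any cached snapshot showing a placeholder page contradicts a long-established business.
    if any(any(marker in desc.lower() for marker in PLACEHOLDER_MARKERS)
           for desc in obs.cache_snapshots.values()):
        findings.append("PLACEHOLDER_SITE_IN_CACHE")
    # Hosting country different from the claimed base is weak on its own, but adds up.
    if obs.hosting_country.upper() != obs.claimed_country.upper():
        findings.append("HOSTING_COUNTRY_MISMATCH")
    return findings


def assess_sample() -> list:
    """Run the checks on observations modelled on the post (constructed values)."""
    obs = SiteObservations(
        domain="example-investment-site.test",
        claimed_founded_year=1995,
        claimed_country="US",
        whois_created=parse_whois_creation(SAMPLE_WHOIS),
        cert_not_before=date(2011, 3, 20),
        hosting_country="DE",
        cache_snapshots={date(2010, 3, 26): "default Apache page, no content"},
    )
    return assess(obs, today=date(2011, 4, 27))


if __name__ == "__main__":
    for code in assess_sample():
        print(code)
```

Run as-is, the sample yields four findings: the claimed founding year predates the registration, the domain is under 90 days old, the cached snapshot was a placeholder page, and the hosting country differs from the claimed one. None of these is proof of fraud by itself; the value is in reviewing them together, which is exactly what the WHOIS, certificate and cache checks above do by hand.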

‘Selling’ Investment Fraud

This new targeted attack is noteworthy for the depth, breadth and level of sophistication of the content that the criminals have developed to make the scam appear legitimate and believable. Unlike many Zeus attacks, investment fraud is less about the attack code and more about selling the scheme. With attack code already developed to the point where it can convincingly mimic real websites and trusted brands, it seems that criminal groups are bulking up investments in marketing communications to make their scams harder to differentiate from legitimate business offers presented to Web users.

Without the ability for average Web users to “spot” fraudulent offers, e-commerce may be threatened. As a result, technology that secures Web sessions and transactions must fill the void.
