Zeus Adds Investment Fraud to Its Bag of Tricks

IBM recently discovered and investigated a very interesting new Zeus configuration sample that uses credible-looking banner advertisements on major websites to offer high-return investment opportunities. This attack is targeting some of the world’s leading and most-trusted websites, including AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN and many more. Investment fraud is a new twist in the Zeus bag of tricks.

Using Big Brands to Fit In

These attacks have only one purpose: to lure users into investing their money through a fraudulent, yet legitimate-looking website. IBM traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites, which redirect to the fraud site. We were surprised to see how well-integrated the banner designs were with the attacked websites.

Here are some examples of banners that appeared on Google and Bing pages:

Example of a banner that the Zeus mechanism embedded on a Google page

Example of a banner that the Zeus mechanism embedded on a Bing page

In a very sophisticated attack against Forbes.com, the cyber criminals inject a compelling overview of the fictitious URS Investment Fund. They offer wealthy individuals the opportunity to achieve extremely high rates of return through a “prestigious” investment program. The content developed for this advanced attack establishes a new standard of credibility for the fraudsters. Here is the text embedded by the Zeus injection code on the attacked pages at Forbes.com:


In a similar attack against the Yahoo Finance pages, fraudsters actually claim that URS has established a partnership with Yahoo. In this investment fraud campaign, criminals lowered the investment minimum to $1,000. Here is the text added by the Zeus injection mechanism on the site’s “Banking & Budgeting” page.


Like the injected code, the website is professionally designed, user-friendly and has a simple registration process. It asks users to enter login and password details; however, it does not allow them to recover their account credentials.

Upon registration, users are prompted to upload funds through a bank wire transfer or using Western Union. Next, they are asked to choose an investment program. Three options are presented in significant detail for minimum investments of $1,000, $5,000 and $10,000. These include investment schedules, interest rates and lump-sum profits. Below is a screen capture of a page that promises 7 percent, 11.3 percent, 16 percent and even 32 percent rates of return.


Meanwhile, the “Our Partners” tab on the site lists companies that have been found in the Zeus configuration file, including AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN and others. We also found a Forbes logo on the home page of the site. The links leading to the websites of the listed companies (“You can read more details on their websites”) lead back to pages attacked by this configuration of Zeus. Users who are infected by Zeus and follow these links are presented with the same false information about their partnership with URS.
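The injection described above happens inside the infected browser, so the page the customer sees differs from the page the publisher actually served. A practical defender-side check is to fetch the same page with a trusted, uninfected client and diff the links: anchors that exist only in the customer's rendered copy and point off-site are the inject. The script below is an added example written for this post; it is not IBM or Trusteer code and does not parse the Zeus configuration format. The publisher host `news.example`, the allowlisted ad host `cdn.partner.example`, the fraud host `invest-fraud.example` and both HTML samples are constructed for the demonstration.

```python
"""Defender-side detection of Zeus-style web injects (added example).

Assumption: the defender can obtain two copies of one page, one fetched
from the origin by a trusted server-side client ("clean") and one as
rendered in a customer's browser ("observed"). Zeus injects content on the
client, so anchors present only in the observed copy are the injected ones.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and the src of every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []    # list of (href, text)
        self.images = []   # list of src values
        self._href = None  # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(t for t in self._text if t)))
            self._href = None


def collect(html):
    """Parse an HTML document and return the collector holding its links."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def find_injected_links(clean_html, observed_html, page_host, allowed_hosts=()):
    """Return anchors that appear in the observed page but not in the clean
    page and whose target host is neither the page's own host (or one of its
    subdomains) nor on the allowlist. Relative hrefs count as same-host."""
    page_host = page_host.lower()
    clean_links = set(collect(clean_html).links)
    allowed = {page_host, *(h.lower() for h in allowed_hosts)}
    findings = []
    for href, text in collect(observed_html).links:
        if (href, text) in clean_links:
            continue                      # served by the origin, not injected
        host = _host(href) or page_host   # relative link -> same host
        if host in allowed or host.endswith("." + page_host):
            continue
        findings.append({"href": href, "text": text, "host": host})
    return findings


# Constructed sample pages: the clean copy and the same page as seen by an
# infected browser, with a banner and a partner blurb injected into it.
CLEAN_PAGE = (
    "<html><body>"
    "<a href='/markets'>Markets</a>"
    "<a href='https://cdn.partner.example/promo'>Sponsored</a>"
    "</body></html>"
)
OBSERVED_PAGE = (
    "<html><body>"
    "<a href='/markets'>Markets</a>"
    "<a href='https://cdn.partner.example/promo'>Sponsored</a>"
    "<div class='sponsored'>"
    "<a href='https://invest-fraud.example/register'>"
    "<img src='https://invest-fraud.example/banner.png'></a>"
    "<p>Earn up to 32 percent with the "
    "<a href='https://invest-fraud.example/about'><b>URS</b> Investment Fund</a></p>"
    "</div></body></html>"
)

if __name__ == "__main__":
    for hit in find_injected_links(CLEAN_PAGE, OBSERVED_PAGE,
                                   "news.example", ("cdn.partner.example",)):
        print("injected link:", hit)
```

Comparing `(href, text)` pairs rather than raw HTML keeps the check robust against the per-request variation (ad slots, session tokens) that makes a byte-level diff useless, and the allowlist is there so that a publisher's real third-party ad network does not drown the output in false positives.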

We also checked WHOIS for information on the fraudulent site’s domain name, and found that records only start on March 11, 2011. However, according to the website, the URS company has existed since 1995 and is based in the U.S. We did not find any specific companies behind this website.

The site https://ursinvestment.com has a valid SSL certificate, which was issued on March 20, 2011. A Google cache of the website from March 26, 2010 points to the default Apache website, which is empty. The website is hosted on an IP address (178.18.243.227) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website.

‘Selling’ Investment Fraud

This new targeted attack is noteworthy for the depth, breadth and level of sophistication of the content that the criminals have developed to make the scam appear legitimate and believable. Unlike many Zeus attacks, investment fraud is less about the attack code and more about selling the scheme. With attack code already developed to the point where it can convincingly mimic real websites and trusted brands, it seems that criminal groups are bulking up investments in marketing communications to make their scams harder to differentiate from legitimate business offers presented to Web users.

Without the ability for average Web users to “spot” fraudulent offers, e-commerce may be threatened. As a result, technology that secures Web sessions and transactions must fill the void.

Amit Klein

CTO, Trusteer, an IBM company

As Trusteer’s CTO, Amit Klein is responsible for researching and introducing game changing technologies into...