January 2, 2011 By Amit Klein 3 min read

Confirming our previous observations, the Zeus malware continues to evolve, branching out from banking sites and their customers to online payment providers: sites where a user's credentials grant access to assets of financial value.

The move mirrors the evolution of card fraud in the 1980s and 1990s, when fraudsters initially targeted banks for cash-advance fraud. Then, as banks developed their internal antifraud resources, criminals moved over to quasi-cash platforms, such as foreign currency purchases, and then to retail and e-tail sales outlets.

The parallels between the evolution of card fraud and the evolution of Zeus are reflected in the attack vectors against a few websites our researchers have identified as targets.

Targeted Online Payment Providers

Money Bookers is an online payment provider that allows you to make online payments without submitting your personal information each time. We have found 26 different Zeus configurations targeting Money Bookers. This usually indicates that fraudsters have a solid business around this target. For comparison, this number doesn’t fall short of some of the highly targeted banks and brands in the world. For those of you who don’t know what a Zeus configuration file is, it’s basically a set of instructions that Zeus gets on which websites to target and what to do with them (steal login credentials, tamper with HTML Web pages, etc). Different configurations represent different work efforts of targeting websites.

Another interesting target we have found is Web Money. This is another online payment solution that claims to have more than 25 million active users as of April 2014. Thirteen different Zeus configurations target Web Money, with the last released on January 16, indicating that this is a hot target for fraudsters. As with all the other online payment providers, Zeus steals login information and other sensitive information from Web Money users.

Yet another popular target is Nochex, a U.K.-based online payment company specializing in smaller online businesses. Twelve different Zeus configurations target Nochex, with the last one released on January 16.

While these three examples represent online payment providers that have been targeted for months, there are newcomers, as well. One example is netSpend, a prepaid card provider that has only recently started to be targeted by Zeus. Users add money to their netSpend account, which they then use to pay for things online.

The last example for today is e-gold. The e-gold portal is one that provides a money-like currency and wire transfer services. This website has been indicted in the past for violating money laundering regulations. According to Wikipedia, “e-gold has been perceived by the United States government as the medium of choice for many online con-artists, with pyramid schemes and high-yield investment programs (“HYIPs”) commonplace.” This website is targeted by 16 different Zeus configurations. Could it be that fraudsters are targeting other fraudsters?

The genuine login page for e-gold asks the user for the account number, passphrase and uses CAPTCHA technology to help prevent automated attacks. On a Zeus-infected machine (with an e-gold targeting configuration), the malware injects an additional element into the login page that requests the alternate password – plus the email associated with the account, which can then presumably be tapped for back-door access to the account.
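The injection described above is detectable from the defender's side, because the page a victim actually sees contains form fields the genuine site never served. The following Python script is an added example, not code from the original post or from any product mentioned here: it parses two constructed HTML snippets (a genuine login form with account number, passphrase and CAPTCHA fields, and the same form with two injected fields, modelled on the description above) and compares the form's fields against a manifest of expected field names. The field names, form markup and manifest are assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample: the genuine login form as the site serves it.
GENUINE_FORM = """
<form id="login" action="/login" method="post">
  <input type="text" name="account_number">
  <input type="password" name="passphrase">
  <img src="/captcha.png"><input type="text" name="captcha">
  <input type="submit" value="Login">
</form>
"""

# Constructed sample: the same form as rendered on an infected client, with an
# extra "alternate password" and "email" field inserted by a web inject.
INJECTED_FORM = """
<form id="login" action="/login" method="post">
  <input type="text" name="account_number">
  <input type="password" name="passphrase">
  <input type="password" name="alt_password">
  <input type="text" name="email">
  <img src="/captcha.png"><input type="text" name="captcha">
  <input type="submit" value="Login">
</form>
"""

# Assumed manifest: the only named fields the genuine form should contain.
EXPECTED_FIELDS = {"account_number", "passphrase", "captcha"}


class FormFieldCollector(HTMLParser):
    """Collects (name, type) for every named input/select/textarea inside <form> elements."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif self._in_form and tag in ("input", "select", "textarea"):
            name = a.get("name")
            if name:  # unnamed controls (e.g. the submit button) carry no data
                self.fields.append((name, a.get("type", tag)))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def collect_fields(html):
    """Return the list of (name, type) pairs for the form fields in the page."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def unexpected_fields(html, expected=EXPECTED_FIELDS):
    """Names of form fields present in the page that are not in the manifest."""
    return [name for name, _ in collect_fields(html) if name not in expected]


def password_field_count(html):
    """Number of password-type inputs; a login form asking for two is a red flag."""
    return sum(1 for _, ftype in collect_fields(html) if ftype == "password")


def form_integrity_report(html, expected=EXPECTED_FIELDS):
    """Summarise the check so a monitoring job can alert on a tampered page."""
    extra = unexpected_fields(html, expected)
    return {
        "unexpected_fields": extra,
        "password_fields": password_field_count(html),
        "tampered": bool(extra),
    }


if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_FORM), ("infected", INJECTED_FORM)):
        print(label, form_integrity_report(page))
```

A check like this runs well as a comparison between the page the server sent and the page the client actually rendered; it catches fields that malware on the endpoint added, which a server-side log of requests alone does not show until the stolen data is used.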

We believe this trend of targeting online payment providers will continue as more retailers allow alternative payment methods on their websites.

Increased Attacks

The latest figures on U.K. card fraud from KPMG show that card fraud soared by 16 percent in 2010 compared to the previous year, with one of the largest frauds worth a hefty 103 million pounds.

The story is a similar one in the United States, although research from Bank Info Security found that only 48 percent of fraud is detected at the point of transaction.

So what can be done to counter Zeus-enabled credential fraud against a diversified range of online payment providers?

We believe that customers of all sites where purchases are involved need to protect their PC or access terminal using secure browsing services and security solutions that specialize in protecting online payments and online banking. Users should also avoid using public-access computers as well as computers they do not own and therefore have no direct control over. Retailers and payment providers, meanwhile, need to assess the risk associated with their customers’ endpoint devices. They should, we believe, reject transactions from accounts used over insecure endpoints.
