IBM recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet’s leading online services and websites. The attacks are targeting users of Facebook, Gmail, Hotmail and Yahoo, as well as Visa and MasterCard, offering rebates and new security measures. The scams exploit the trust relationship between users and those well-known service providers to steal users’ debit card data.


In the first attack against Facebook, the malware uses a webinject to present the victim with a fraudulent 20 percent cash back incentive to link their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake Web form prompts the victim to enter their debit card number, expiration date, security code and PIN.

Malware webinject presented to Facebook users

Gmail and Yahoo

In the attacks against Gmail and Yahoo users, Zeus offers an allegedly new way of authenticating via the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs. To complete an online transaction, many merchants require cardholders to authenticate the transaction using their personal 3D Secure password. Visa and MasterCard cardholders can apply for a 3D Secure password with the bank that issued their debit or credit card.

The scam that targets Gmail and Yahoo users claims that by linking their debit card to their web mail accounts, all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout, respectively. The fraudsters allege that by participating in the program the victim’s debit card account will be protected from fraud in the future. The victim is prompted to enter their debit card number, expiration date, security code and PIN. The attack is not compromising the 3D Secure service or authentication mechanism, but rather leveraging the Verified by Visa and MasterCard SecureCode brands to make the scam more credible.

Malware webinject presented to Gmail and Yahoo users, respectively


The attack against Hotmail users is similar to the Gmail and Yahoo scam. It claims that by registering for a free new security service, the victim can set up a 3D Secure-like password to protect their debit card from fraud. The offer states that the service will prevent purchases from being made on the Internet with the card unless the Hotmail account information and additional password are provided. The webinject requests the same debit card data (card number, expiration date, security code and PIN) as the previous two scams.

Malware webinject presented to Microsoft Hotmail users

This attack is a clever example of how fraudsters are using trusted brands, social networks, email hosts and debit card providers to get victims to lower their guards and surrender their debit card data. These webinjects are well crafted, both from a visual and content perspective, making it difficult to identify them as a fraud. It’s also ironic how in the Gmail, Hotmail and Yahoo scams, the fraudsters are using the fear of the very cyber crimes they are committing to prey on their victims.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read

How Security Teams Combat Disinformation and Misinformation

4 min read - “A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

4 min read

A View Into Web(View) Attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

9 min read

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

4 min read - While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

4 min read