Zeus malware now targets online payment providers
The Zeus malware continues to evolve, diversifying away from its target bank sites and their customers, and over to sites with user credentials that allow assets that have a financial value.
The move mirrors the evolution of card fraud in the 1980s and 1990s, when fraudsters initially targeted banks for cash advance fraud, then, as the banks developed their internal anti-fraud resources, moved over to quasi-cash platforms such as foreign currency purchases and then over to retail and e-tail sales outlets.
The parallels between card fraud evolution and the evolution of Zeus is reflected in the attack vectors against a few websites Trusteer researchers have identified as being targeted.
Money Bookers is an online payment provider allowing you to make online payments without submitting your personal information each time. We have found 26 different Zeus configurations targeting Money Bookers.
This usually indicates that fraudsters have a solid business around this target. For comparison, this number doesn’t fall short of some of the highly targeted banks and brands in the world. For those of you who don’t know what a Zeus configuration file is – it’s basically a set of instructions that Zeus gets on which websites to target and what to do with them (steal login credentials, tamper with HTML webpages, etc). Different configurations represent different work efforts of targeting online websites.
Another interesting target is Web Money. This is another online payment solution that claims to have more than 12 million active users. Web Money is targeted by 13 different Zeus configurations, with the last one released January 16th, indicating that this is hot target for fraudsters. As with all the other online payment providers, Zeus steals login information and other sensitive information of Web Money users.
Another popular target is Nochex, a UK based online payment company specializing in smaller online businesses. Nochex is targeted by 12 different Zeus configurations with the last one released in January 16th.
While these three examples represent online payment providers which have been targeted for months, there are new comers as well. One example is netSpend. This website has been recently started to be targeted by Zeus. netSpend is a prepaid card provider. You add money to your account and use you netSpend account to pay online.
The last example for today is e-gold which provides a money-like currency and wire transfer services. This website has been indicted in the past for violating money laundering regulations. This website is targeted by 16 different Zeus configuration. Could it be that fraudsters are targeting other fraudsters?
The genuine login page for e-gold asks the user for the account number, passphrase and uses CAPTCHA technology to help prevent automated attacks.
On a Zeus-infected machine (with an e-gold targeting configuration), the malware injects an additional element into the login page that requests the alternate password – plus the email associated with the account, which can then presumably be tapped for back-door access to the account.
The following screenshot shows the login page after it has been tampered with by Zeus (the injected fields are identified using a red rectangle):
Trusteer believes this trend of targeting online payment providers will continue as more retailers allow these alternate payment methods with their Web sites.
What can be done to counter the problem of Zeus-enabled credential fraud against a diversified range of online payment providers?
Customers of all sites where purchases are involved need to protect their PC or access terminal, using secure browsing services and solutions that specialize in protecting online payments and online banking.
Users should also avoid using public access computers, as well as computers you do not own and therefore have direct control over.
Retailers and payment providers, meanwhile, need to assess the risk associated with their customers’ endpoint devices. They should, we believe, reject transactions from accounts used over insecure endpoints.