Researchers at Trusteer uncovered a version of the notorious Zeus Trojan being used to steal financial data in a series of scams targeting Facebook, Hotmail, Gmail and Yahoo.
A malware campaign targeting Facebook, Google
Mail, Hotmail and Yahoo user debit card data has been linked to the infamous
Zeus is one of the most prevalent pieces of financial malware on the Web.
During the past several years, Zeus variants have been linked to major criminal
operations around the globe, including one that prompted the FBI to issue a
warning in January. In that case, a variant known as Gameover
stealing password and user name information for financial
security firm Trusteer
, the attack uses a peer-to-peer version of Zeus and
varies slightly from site to site. In the Facebook version of the attack, the
malware uses Web injection to present victims with a fake 20 percent cash-back
offer if they link their Visa or MasterCard debit card to their Facebook
account. The victim is then prompted to enter their debit card number,
expiration date, security code and PIN and told that that once they register
their information, they can earn cash back by purchasing Facebook points.
In the case of the Gmail, Hotmail and Yahoo versions of the scam, the attack
offers what appears to be a new way to authenticate to the 3D Secure service
offered through the Verified by Visa and MasterCard SecureCode programs.
The 3D Secure service allows customers to create a password to protect and validate
online transactions. As part of the scam, victims are told that by linking
their debit cards to their Web mail accounts, any future 3D Secure
authentication can be performed through Google Checkout and Yahoo Checkout.
The fraudsters allege that by participating in the program the victims debit
card account will be protected from fraud in the future, blogged Amit Klein,
CTO of Trusteer. The victim is prompted to enter their debit card number,
expiration date, security code and PIN.
The attack against Hotmail users also ropes in 3D Secure, but with a slight
twist. In this iteration, the victim is told that by registering for a free new
security service, the victim can set up a 3D Secure-like password to protect
their debit card from fraud. According to Trusteer, the offer states the
service will prevent purchases from being made with the card online unless the
Hotmail account information and additional password are provided.
None of the attacks compromises the 3D Secure service or authentication mechanism;
instead, the attackers rely on the trust customers have in Visa and MasterCard.
The scams exploit the trust relationship between users and these well-known
service providers, as well as the Visa and MasterCard brands, to steal users
debit card data, Klein noted.
This attack is a clever example of how fraudsters are using trusted
brandssocial network/email service providers and debit card providersto get
victims to put down their guard and surrender their debit card information,
Klein explained. These Web injects are well-crafted, both from a visual and
content perspective, making it difficult to identify them as a fraud. Its also
ironic how in the Google Mail, Hotmail and Yahoo scams, the fraudsters are
using the fear of the very cyber-crime they are committing to prey on their