Facebook, Gmail, Hotmail, Yahoo Users Hit by Zeus Debit Card Scam

Researchers at Trusteer uncovered a version of the notorious Zeus Trojan being used to steal financial data in a series of scams targeting Facebook, Hotmail, Gmail and Yahoo.

A malware campaign targeting Facebook, Google Mail, Hotmail and Yahoo user debit card data has been linked to the infamous Zeus Trojan.

Zeus is one of the most prevalent pieces of financial malware on the Web. During the past several years, Zeus variants have been linked to major criminal operations around the globe, including one that prompted the FBI to issue a warning in January. In that case, a variant known as Gameover was observed stealing password and user name information for financial institutions.

According tosecurity firm Trusteer, the attack uses a peer-to-peer version of Zeus and varies slightly from site to site. In the Facebook version of the attack, the malware uses Web injection to present victims with a fake 20 percent cash-back offer if they link their Visa or MasterCard debit card to their Facebook account. The victim is then prompted to enter their debit card number, expiration date, security code and PIN and told that that once they register their information, they can earn cash back by purchasing Facebook points.

In the case of the Gmail, Hotmail and Yahoo versions of the scam, the attack offers what appears to be a new way to authenticate to the 3D Secure service offered through the €œVerified by Visa€ and €œMasterCard SecureCode€ programs. The 3D Secure service allows customers to create a password to protect and validate online transactions. As part of the scam, victims are told that by linking their debit cards to their Web mail accounts, any future 3D Secure authentication can be performed through Google Checkout and Yahoo Checkout.

€œThe fraudsters allege that by participating in the program the victim€™s debit card account will be protected from fraud in the future,€ blogged Amit Klein, CTO of Trusteer. €œThe victim is prompted to enter their debit card number, expiration date, security code and PIN.€

The attack against Hotmail users also ropes in 3D Secure, but with a slight twist. In this iteration, the victim is told that by registering for a free new security service, the victim can set up a 3D Secure-like password to protect their debit card from fraud. According to Trusteer, the offer states the service will prevent purchases from being made with the card online unless the Hotmail account information and additional password are provided.

None of the attacks compromises the 3D Secure service or authentication mechanism; instead, the attackers rely on the trust customers have in Visa and MasterCard.

€œThe scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users€™ debit card data,€ Klein noted.

€œThis attack is a clever example of how fraudsters are using trusted brands€“social network/email service providers and debit card providers€“to get victims to put down their guard and surrender their debit card information,€ Klein explained. €œThese Web injects are well-crafted, both from a visual and content perspective, making it difficult to identify them as a fraud. It€™s also ironic how in the Google Mail, Hotmail and Yahoo scams, the fraudsters are using the fear of the very cyber-crime they are committing to prey on their victims.€