A malware campaign targeting Facebook, Google Mail, Hotmail and Yahoo user debit card data has been linked to the infamous Zeus Trojan.
Zeus is one of the most prevalent pieces of financial malware on the Web. During the past several years, Zeus variants have been linked to major criminal operations around the globe, including one that prompted the FBI to issue a warning in January. In that case, a variant known as Gameover was observed stealing password and user name information for financial institutions.
According tosecurity firm Trusteer, the attack uses a peer-to-peer version of Zeus and varies slightly from site to site. In the Facebook version of the attack, the malware uses Web injection to present victims with a fake 20 percent cash-back offer if they link their Visa or MasterCard debit card to their Facebook account. The victim is then prompted to enter their debit card number, expiration date, security code and PIN and told that that once they register their information, they can earn cash back by purchasing Facebook points.
In the case of the Gmail, Hotmail and Yahoo versions of the scam, the attack offers what appears to be a new way to authenticate to the 3D Secure service offered through the Verified by Visa and MasterCard SecureCode programs. The 3D Secure service allows customers to create a password to protect and validate online transactions. As part of the scam, victims are told that by linking their debit cards to their Web mail accounts, any future 3D Secure authentication can be performed through Google Checkout and Yahoo Checkout.
The fraudsters allege that by participating in the program the victims debit card account will be protected from fraud in the future, blogged Amit Klein, CTO of Trusteer. The victim is prompted to enter their debit card number, expiration date, security code and PIN.
The attack against Hotmail users also ropes in 3D Secure, but with a slight twist. In this iteration, the victim is told that by registering for a free new security service, the victim can set up a 3D Secure-like password to protect their debit card from fraud. According to Trusteer, the offer states the service will prevent purchases from being made with the card online unless the Hotmail account information and additional password are provided.
None of the attacks compromises the 3D Secure service or authentication mechanism; instead, the attackers rely on the trust customers have in Visa and MasterCard.
The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users debit card data, Klein noted.
This attack is a clever example of how fraudsters are using trusted brandssocial network/email service providers and debit card providersto get victims to put down their guard and surrender their debit card information, Klein explained. These Web injects are well-crafted, both from a visual and content perspective, making it difficult to identify them as a fraud. Its also ironic how in the Google Mail, Hotmail and Yahoo scams, the fraudsters are using the fear of the very cyber-crime they are committing to prey on their victims.