Zeus trojan disguises itself as the tax man

18 October 2010

A recent attack by the Zeus trojan virus used an email and a legitimate Internal Revenue Service (IRS) website to trick users into providing sensitive tax information to cybercriminals.

The fraudulent email warned consumers that their tax payments had been rejected by the IRS and directed them to a website that was part of a large Zeus botnet. The site infected the computer and then redirected the user to the IRS’s legitimate electronic federal tax payment system (EFTPS) site. The user would type sensitive information into the EFTPS fields, while the keylogging malware on the computer recorded all of the information that was typed.

The IRS issued an Oct. 15 warning about the tax fraud scheme.

“Consumers should be aware of a scam in which recipients receive an e-mail that claims to come from the Electronic Federal Tax Payment System. The e-mail states that tax payments made by the e-mail recipient through EFTPS have been rejected. The e-mail then directs recipients to a bogus website containing malicious software (malware) that infects the intended victim’s computer. To avoid the bogus website and malware, do not click on any links, open any attachments or reply to the sender for any e-mail you may receive that claims to come from EFTPS.”

The IRS stressed that it does not communicate payment information via email.

Solera Networks said its researchers discovered the Zeus trojan while investigating a zero-day attack at one of its customers’ sites.

“We discovered this in the course of an unrelated investigation of an enterprise company that we had been working with in response to an incidence they recently had. The common factor between the two of them was one of the vectors of attack – a vulnerability in Java engines that are deployed on most desktops today. Everything except the most current version of the Java engine is vulnerable to attacks against the sound subsystem within the Java virtual machine”, explained Joe Levy, chief technical officer at Solera Networks. In addition to the Java engine, the attacks can also exploit PDF software.

Levy told Infosecurity that the initial wave of the scam involved Zeus botnet websites in Russia, many of which have since been shut down. The second wave, which started Oct. 15, involves websites with .com addresses registered through a different registrar.

“Through an arbitrary code injection attack, [the website] delivers the Zeus botnet executable down to the target machine. Once [the malware] is installed, that is the keylogger and the Zeus botnet client. That begins to log all of the local keystrokes on the machine, and it also makes the contact to the Zeus command and control servers”, he said.

“All of this happens in the blink of an eye. So you follow the link. You are redirected off to one of the exploit sites; the exploit sites deliver some method of exploitation… After the infection occurs, it redirects the user to an actual dot gov site. So the ultimate destination of the victims, if they click on that link, is going to be a legitimate site… At this point, they have already been infected and the keystroke logger collects all of the sensitive and valuable information that they are providing to the site”, Levy explained.
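As an added illustration that is not part of the article or of Solera Networks’ tooling, the following Python script flags the infect-then-redirect sequence Levy describes in constructed proxy-log lines: a Java or PDF object fetched from an untrusted host, a 3xx answer from that same host, and the client’s very next request landing on a .gov site. The log format, the host names and the 30-second window are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy-log lines (not from the article). Assumed field order:
# time client status method url content-type
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 200 GET http://tax-notice.invalid/eftps/index.html text/html",
    "10:00:02 10.0.0.5 200 GET http://tax-notice.invalid/eftps/loader.jar application/java-archive",
    "10:00:04 10.0.0.5 302 GET http://tax-notice.invalid/eftps/go text/html",
    "10:00:04 10.0.0.5 200 GET https://payments.example.gov/login text/html",
    # Benign: a .gov visit with no preceding exploit object or redirect.
    "10:05:00 10.0.0.9 200 GET https://payments.example.gov/login text/html",
    # Benign: a PDF from an untrusted host that is never followed by a redirect to .gov.
    "10:06:00 10.0.0.9 200 GET http://docs.invalid/form.pdf application/pdf",
]

# Content types the article names as the exploit carriers (Java engine, PDF software).
EXPLOIT_MIME = {"application/java-archive", "application/x-java-applet", "application/pdf"}


def parse(line):
    ts, client, status, _method, url, ctype = line.split()
    return {"ts": datetime.strptime(ts, "%H:%M:%S"), "client": client,
            "status": int(status), "host": urlparse(url).hostname or "", "ctype": ctype}


def find_exploit_redirect_chains(lines, window=timedelta(seconds=30)):
    """Return (client, exploit_host, gov_host) for each chain in which a client fetched
    a Java/PDF object from a non-.gov host, that host then answered with a 3xx, and the
    client's next request hit a .gov host within `window` of the exploit fetch."""
    by_client = {}
    for ev in map(parse, lines):
        by_client.setdefault(ev["client"], []).append(ev)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        exploit_host = exploit_ts = None
        for prev, cur in zip([None] + evs, evs):
            untrusted = not cur["host"].endswith(".gov")
            if untrusted and cur["ctype"] in EXPLOIT_MIME:
                exploit_host, exploit_ts = cur["host"], cur["ts"]   # possible infection
            elif (exploit_host and not untrusted and prev is not None
                  and prev["host"] == exploit_host and 300 <= prev["status"] < 400
                  and cur["ts"] - exploit_ts <= window):
                hits.append((client, exploit_host, cur["host"]))  # infect -> redirect -> .gov
                exploit_host = exploit_ts = None
    return hits


if __name__ == "__main__":
    print(find_exploit_redirect_chains(SAMPLE_LOG))
```

Only the first client trips the rule; the second client’s .gov visit and its later PDF download never form the exploit-redirect-landing sequence.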

Blocking this type of attack is difficult because there is usually a window during which cybercriminals are able to exploit a vulnerability before a vendor can update its software, explained Pete Schlampp, Solera Networks’ vice president of marketing and product development. “As [cyber criminals] continue to evolve, there is always going to be this window of exposure, and it is this window of exposure that they rely on to sneak in behind the set of defense that might be in place,” he said.
