Trusteer, a company that specializes in the prevention of online financial fraud, has noted a new development in the use of Zeus/SpyEye. The traditional focus of Zeus is well-known: a man-in-the-browser attack designed to steal bank account details and money while the user is logged into his or her bank account.
“There is another, less discussed, form of man-in-the-browser attack – the post transaction attack,” says Amit Klein, Trusteer’s CTO. “Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.”
Trusteer first noticed this development last year, when it discovered a Zeus configuration designed to intercept emails with specific keywords. The purpose was to hide those emails it considered to be money transfer or payment confirmation emails. Now Trusteer has found a new development: the online manipulation of account details to prevent the user from seeing anything unusual. This potentially allows stolen bank card details to be used off-line repeatedly before the victim sees anything wrong.
There are four primary steps to this type of fraud. First, the target PC has to be infected. Second, Zeus is configured to ‘steal’ the victim’s card details during an online transaction; and those details are then used for card-not-present fraud. The fourth step is the new one. When the user next logs into the bank account, Zeus will hide the fraudulent transactions and balance the totals. “As a result, the deceived customer has no idea that the account has been ‘taken over’, nor that any fraudulent transactions have taken place.”
“I predict,” concludes Klein, “that the use of post transaction attack technology will significantly increase as it enables criminals to maximize the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms with little additional effort as it is cheap to buy and easy to use.”