Hackers tap the power of ZeuS to target business bank accounts

The FBI, says the paper, has been tracking dozens of companies in the US whose bank accounts have been drained as a result of hackers using ZeuS to gain access to their managers' online banking credentials.

The paper asserts that organisations as diverse as Detroit-based Experi-Metal and the Catholic Diocese in Des Moines, Iowa, are reported to have lost $1.14 million between them.

According to Idappcom, the vulnerability testing specialist, hackers are diversifying into business bank accounts because these tend to hold higher balances and because several people – and therefore several sets of user credentials – access the account online within a given business.

"Ever since ZeuS first appeared back in the summer of 2007, we have been tracking its steady progress, especially since the trojan horse was successfully modified in the spring of last year, when hackers discovered they could extend the malware's functionality through the use of extensible code and scripting", said Ray Bryant, Idappcom's CEO.

And now, he added, as a number of US firms are discovering, the malware is still very much alive and kicking, and has drained business bank accounts of several hundreds of thousands of dollars.

These bank account mules, says Bryant, are often blissfully unaware that their accounts are being used for criminal purposes, and, on receipt of an email or text message from their 'employer,' are wiring the bulk of the money onwards to the criminal's bank accounts, leaving them with their 'commission.'

The FBI statistics, he went on to say, are breathtaking in terms of their diversity and the volume of money being hoovered up from business bank accounts, with 390 reported cases in the last two years, centering on attempted thefts of $220 million and actual losses of $70 million.

Bryant claims that these cases – more than one every 48 hours – are just those that have been reported in the US and are almost certainly the tip of the iceberg in terms of business bank account losses.

"As the [newspaper] says, quite correctly, with the Automated Clearinghouse in the US processing an amazing 600 transactions per second, it's almost impossible for the US banking agencies to monitor every transaction for fraud", he said.

"The big question, however, is for how long the banks and insurance companies will continue to reimburse losses due to ZeuS trojan activity, as the losses involved are bound to have had a negative effect on business insurance rates these last two years", he added.

"Businesses, as well as consumers, need to be ultra-vigilant when accessing their bank accounts online, and take every security precaution possible."

