Zeus trojan gives the gift of fraud for the holidays

Trusteer's Klein warns that Zeus is a real threat to online banking and e-commerce, especially during the holiday season

The Zeus 2.1.0.8 botnet, the most sophisticated version of the Zeus malware, injects a man-in-the-middle pop-up when users with infected computers visit a retailer’s legitimate site, according to Amit Klein, chief technology officer at internet security firm Trusteer. So far, only Macy’s and Nordstrom have been targeted, “but we expect this to be a growing trend”, he told Infosecurity.

Klein said that the pop-up asks for credit card information, social security number, mother’s maiden name, and date of birth as an “extra security” measure. “Presumably these pieces of information together allow the criminal to conduct fraud”, he said.

Users’ computers can be infected by the Zeus botnet in a number of ways: “drive-by downloads, bogus emails from IT department asking to install security upgrades, infected USBs, anything and everything that may run code on your machine can and is probably used to distribute” the Zeus malware, he said.

Over the last few years, Zeus malware has been used by thousands of criminals to scam perhaps hundreds of millions of dollars from banking customers around the globe, according to security experts.

The Zeus attack against US retailers is a type of attack known as card-not-present (CNP) fraud, which refers to a transaction in which a credit card is not physically present, such as an internet, mail, or phone transaction, Klein explained in a recent blog. Because of the increased risk for such transactions, credit card companies often charge retailers higher fees for CNP transactions. In addition, retailers are usually held responsible for CNP fraud, so they need to take extra precautions against fraud exposure and losses.

Klein advised retailers to add an additional layer of security to prevent these types of attacks. “Retailers should understand now that they are targeted [and] can no longer restrict their protection to their own websites and networks. They need to reach out to their users and extend their security into the user’s desktop”, he said.

Retailers need to realize that their websites are being used to conduct fraud against other companies and other websites, he said. “It becomes even more important to protect the integrity of the user’s session….regardless of whether the information gathered is used to conduct fraud against that business itself. If that information can be collected to be used elsewhere to indirectly attack the card company or to defraud card holders, then it is still a problem for the card issuer”, he said.

Klein warned that Zeus is not going away, but appears to be getting more sophisticated. “From the technical perspective, they kept adding features and functions to the malware….Things are definitely going to get worse.” This is a real threat to online banking and e-commerce, he warned.
