Components of ZeuS attacks spreading to social networks, smartphones

Spyeye promo

The rising tide of spam inundating Facebook, Twitter and YouTube can no longer be considered a harmless irritant, the negligible price you pay for using those popular free services.

A rising percentage of the spammed messages and posts flooding the top social networks carry mule-recruiting lures and ZeuS Trojan infections specifically designed to help cyber gangs carry out coordinated, large-scale pilfering from online banking accounts.

It takes a village to pull off coordinated, multi-million dollar online banking heists, as we now know in vivid detail thanks to the recent bust of the Ukraine-based cyber gang by UK and U.S. law enforcement. It begins with many specialist accomplices spreading their lures and infections via email, social networks and now smartphones.

That’s the upshot of fresh research just in from CA Technologies, AppRiver, Fortinet and the University of Alabama at Birmingham.

Why should you care about the accelerated rate at which viral spam is spreading through social networks and now onto smartphones?

These tainted messages and posts represent the initial tentacles of elaborately staged attacks designed to crack into your online banking accounts. Small organizations are being specifically targeted, and they are losing crippling amounts, as LW reported in this Dec. 31 cover story, and as the recent bust of the UK-US cyber robbery gang shows.

The FBI says this one gang alone attempted fraudulent transfers of $220 million and successfully got their mitts on $70 million. Most of this came from targeting PCs used by the financial managers at small businesses, churches, local governments and non-profits. Keep in mind there are probably a dozen or so gangs of this caliber operating, as well as hundreds of smaller thieves probing online bank accounts, says Don Jackson, senior threat researcher at cyber forensics firm SecureWorks.

Also keep in mind that you, the individual consumer, are also being targeted, as LW reported in this July 30 cover story. Most consumers get made whole by their banks. But the hassle is unnerving, and once your account has been hacked, the bad guys have much of what they need to do it again.

Thriving crimeware market

Now from CA Technologies comes this report outlining the rich, diversified “crimeware” market. In the cyberunderground, anyone can buy powerful software toolkits that enable non-technical folks to swamp Twitter and Facebook with viral posts and messages. The goal: amass stolen account logons and/or take control of infected PCs.

Similarly, anyone can buy turn-key spam tools, ready to go with messages crafted to recruit “money mules,” the key accomplices in million-dollar money laundering operations. All of this takes place in a thriving cyberunderground that strictly follows the basic laws of supply and demand.

“Crimeware isn’t new, but the extent to which a services model has now been adopted is amazing,” says Don DeBolt, director of threat research, Internet Security, CA Technologies.

Low risk, high payoffs


Crimeware may not be new. But it clearly is being deployed at unprecedented levels, says Gary Warner, Director of Research in Computer Forensics at the University of Alabama at Birmingham’s Department of Computer & Information Sciences and Department of Justice Sciences.

Warner tells LastWatchdog that he is continuing to see high volumes of mule recruitment email, and more targeted spam designed to flush out controllers and financial managers at small companies, local governments, churches, schools and non-profits.

“The volumes are quite high,” says Warner. “That tells me that our round of arrests, while large, clearly has not changed the message of cybercrime which is that risks are low and the payoffs are high.”

Most of the charges and arrests in the FBI’s and Scotland Yard’s recent big bust were of mules and mule handlers.

“Even in this case, the mules are bearing the brunt of the arrests while very few highly-ranked criminals have been brought to justice so far,” says Warner. “Some highly ranked folks, in the Ukraine for instance, have been arrested, and these are significant arrests and great success stories, but we need to do that about a thousand more times before the criminals are going to believe we are serious about crime.”

Most recently, spammers have been directly deploying ZeuS and other banking Trojans via email attachments that arrive as spam purporting to be a job application or a job offer.

Spyeye competes against ZeuS


The ZeuS banking Trojan, created and maintained by the Russian hacker known as A-Z, remains the hottest piece of crimeware out there. However, an upstart rival, called Spyeye, is gaining popularity, says DeBolt.

Banking Trojans are customizable programs built to silently steal from your bank account while you are logged on doing your daily online banking.

Like ZeuS, Spyeye steals your banking log-in credentials, disables antivirus protection, hides itself from detection and creates hooks that give the controller several routes to take full control of your PC.

Older ZeuS crimeware kits still fetch around $4,000, while the latest Spyeye kits are available for $500, although with new plugins, the price easily rises to $2,000. What’s more, Spyeye can be programmed to eliminate and replace any ZeuS infection it runs across, says DeBolt.

Smartphone vector


Banking Trojans infest the Internet, enabling cyberrobbers to pilfer with near impunity from the online banking accounts of countless companies and individuals. Because of the money to be made, it’s not surprising that cyber criminals appear to be on the verge of spreading banking Trojans on a widespread basis to smartphones, says AppRiver researcher Fred Touchette.

“Malware for smartphones does currently exist, and I expect many more attacks geared toward smartphones in the future,” says Touchette.

In August, Touchette discovered a Facebook ZeuS attack with a twist. It began in typical fashion, with a swarm of emails purporting to arrive from Facebook carrying the subject line, “Reconnect with Friends.” To reveal the contents of this notification, the recipient was asked to click on a link that actually installed the ZeuS banking Trojan on the recipient’s PC.

The attack did not stop there: a Facebook member who received the email would also receive the tainted message on his or her smartphone.

The twist: when the message was accessed on the smartphone, it caused the Facebook application to launch, thereby allowing recipients to review the e-mail contents within the Facebook application itself. This made it appear less like spam and more like an official notification from Facebook, a source many people trust.

“The message came across rich with Facebook graphics giving it a legitimate look and feel of official Facebook correspondence,” says Touchette.

The phone message contained the same malicious link. However, the bad guys had programmed the ZeuS infection to install only through a PC web browser. For some reason, they did not go the extra step of configuring the infection to also install on smartphone operating systems.

So anyone who got the slick smartphone version of this particular Facebook attack was in no danger of infection, says Touchette.

Even so, the attackers, whether by oversight or not, opened up a new way to attack smartphones that others are sure to take advantage of. “If the bad guys can get a link to arrive on your phone, disguised as if it’s coming from Facebook, and get you to click on it, they’ve got you,” says Touchette. “It’s just as trivial to install a banking Trojan on your smartphone, including iPhones and Droids, as it is on a PC.”
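The lure in this attack is a notification that looks like it came from Facebook but whose link leads somewhere else. The following is an added example, not code from the article, AppRiver or Facebook, of the check a mail filter or a cautious recipient can make: parse the message, pull every link out of the HTML body, and flag any link whose domain is not one the claimed sender actually uses. The sample message is constructed to resemble the “Reconnect with Friends” lure described above; the sender address, link host and path are made up, and the allow-list of Facebook domains is an assumption for the example rather than Facebook’s published policy.

```python
"""Flag notification e-mails whose links lead away from the brand they
claim to come from.  Added example; the message, hosts and allow-lists
below are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine Facebook notification may link to or be sent from.
# Assumption for the example, not Facebook's actual list.
TRUSTED_LINK_DOMAINS = {"facebook.com", "fbcdn.net"}
TRUSTED_SENDER_DOMAINS = {"facebook.com", "facebookmail.com"}

# Constructed sample resembling the lure described in the article.
RAW_MESSAGE = b"""\
From: Facebook <notification+abc@facebookmail.com>
To: victim@example.com
Subject: Reconnect with Friends
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://static.ak.fbcdn.net/rsrc.php/logo.png">
<p>You have notifications pending.</p>
<a href="http://login-facebook.example.net/reconnect.php?id=1">Reconnect with Friends</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags; images and text are ignored."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Crude registrable domain: last two labels.  Good enough for .com/.net;
    a real filter would use the public suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_message(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(raw):
    """Domain of the real envelope address, regardless of display name."""
    _, addr = parseaddr(str(parse_message(raw)["From"]))
    return registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def suspicious_links(raw, trusted=TRUSTED_LINK_DOMAINS):
    """Return every link in the HTML body whose domain is not trusted."""
    msg = parse_message(raw)
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    flagged = []
    for href in extractor.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in trusted:
            flagged.append(href)
    return flagged


def verdict(raw):
    """True when the message should be treated as a lure."""
    bad_sender = sender_domain(raw) not in TRUSTED_SENDER_DOMAINS
    return bad_sender or bool(suspicious_links(raw))


if __name__ == "__main__":
    print("sender domain:", sender_domain(RAW_MESSAGE))
    print("off-brand links:", suspicious_links(RAW_MESSAGE))
    print("lure:", verdict(RAW_MESSAGE))
```

The check looks only at the message itself. It does not fetch the link, which matters here: as the article notes, the same link served the ZeuS installer to a PC browser and nothing harmful to a phone, so what a link serves can depend on who asks, while the mismatch between the claimed sender and the link's domain is visible in the message no matter which device receives it.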

SMS attack assists ZeuS

In late September, what appears to be a different group of attackers successfully exploited smartphones to assist in a ZeuS banking heist. In this case, the bad guys pioneered a way to hijack legitimate text messages between banks and their customers containing a transaction authentication number, or TAN, Derek Manky, project manager for cybersecurity and threat research at Fortinet, told SC Magazine.

European banks text TANs to their customers as an additional piece of authentication, above and beyond a username and password, to authorize online transactions.

According to Manky, this particular attack worked on Symbian and BlackBerry smartphones, in cases where the intended victim’s PC had already been separately infected with ZeuS.

By intercepting the TAN code, the attackers could instantly use it to execute silent cash transfers while the victim was doing other online banking.
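To make concrete what a texted TAN does and does not protect, here is an added example, not code from the article, Fortinet or any bank, of a simplified bank-side TAN check. The design is an assumption for illustration: a random six-digit TAN issued for one specific pending transfer, valid for five minutes, accepted once, and only for the exact transfer it was issued for. The account numbers and amounts are constructed.

```python
"""Minimal model of a bank issuing and verifying SMS TANs.  Added example;
the TAN format, lifetime and storage are assumptions, not any bank's scheme."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    txid: str
    from_acct: str
    to_acct: str
    amount_cents: int


class TanService:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested offline
        self._pending = {}   # txid -> (tan, transfer, issued_at)

    def issue(self, transfer):
        """Generate a TAN bound to this transfer and return the SMS text."""
        tan = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[transfer.txid] = (tan, transfer, self._clock())
        # The text carries payee and amount so a customer reading it can
        # spot a transfer they never initiated.
        return (f"TAN {tan} for transfer of {transfer.amount_cents / 100:.2f} "
                f"to {transfer.to_acct}")

    def verify(self, transfer, tan):
        """Accept only the right TAN, for the same transfer, once, in time."""
        entry = self._pending.get(transfer.txid)
        if entry is None:
            return False
        issued_tan, issued_transfer, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            del self._pending[transfer.txid]       # expired: never usable
            return False
        if issued_transfer != transfer:            # payee/amount changed
            return False
        if not hmac.compare_digest(issued_tan, tan):
            return False
        del self._pending[transfer.txid]           # single use
        return True


def parse_tan(sms):
    """Pull the six-digit TAN back out of the SMS text."""
    return sms.split()[1]


if __name__ == "__main__":
    svc = TanService()
    intended = Transfer("t1", "DE11", "DE22", 12345)
    sms = svc.issue(intended)
    print(sms)
    print("accepted:", svc.verify(intended, parse_tan(sms)))
```

This check defeats a TAN that is replayed, expired, or moved to a different transfer. What it cannot do is tell a TAN typed by the customer from one relayed by malware: in the attack described above the infected PC submits the fraudulent transfer, the bank issues a TAN for exactly that transfer, and the phone forwards it, so the TAN verifies correctly. With both devices compromised, the customer reading the payee and amount in the text is the only control left in this model, and the phone-side malware exists precisely to keep that text out of sight.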

By Byron Acohido
