New Zeus malware scam promises rebates, security

A new Zeus P2P malware variant discovered last week by security vendor Trusteer is attempting to scam users of some of the Internet's most popular and trusted brands -- Facebook, Google Mail, Hotmail and Yahoo -- with promises of rebates and new security measures.

In a blog post, Trusteer CTO Amit Klein says the scams "exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data."

As usual, the fraudsters try to trick users into providing confidential financial information: debit card number, expiration date, security code, and PIN. On Facebook, a web inject offers users 20 percent cash back if they link a Visa or MasterCard debit card to their account.

What is unique about this one, Klein writes, is that "in the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs."

Trusteer's director of product marketing, Oren Kedem, says while web injects are common, this is the first time he has seen a scam try to use 3D Secure. "Many customers are familiar with it," he says, "and it has become so trustworthy that victims could see it as a plausible approach."

In this case, the lure is convenience. Victims are told that if they link their debit card to their web mail accounts, "all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively," and, of course, that they will be protected from fraud in the future, by providing their confidential information. The Hotmail attack is similar.

Users are "reassured" that, "Your Debit Card pin is ONLY used for verification purposes. It activates CashBack option. Never disclose your Debit PIN to anyone, including family and friends. Your Debit PIN is confidential and is for your use online."

Kedem says he does not know how many people have fallen for the scam, "but since this is a version of Zeus, which is the No. 1 malware out there and since just about everybody uses one of these services, there is a large number of targets." He says Trusteer has notified the companies of the new variant.

Kedem says the most common way to get infected with the Zeus malware is by "drive-by" download - simply by visiting a website with the malware present. It then takes over the user's browser when one of the targeted sites, like Facebook, is visited. He says users should take the usual precautions with any unsolicited offer they see online that asks for confidential information.

Another way to spot the scam is to check its use of language. While this scam uses relatively accurate English, there are mistakes. In the line about the Debit PIN, the web inject uses the lower-case "pin" one time, and capitalizes it the other two times. It also says, "It activates CashBack option," leaving out "the" before CashBack.

The Gmail web inject starts with: "We are glad to offer you participate ..." Such mangling of English, even in a minor way, should amount to a red flag.

There is little else to warn potential victims, Klein writes. "These web injects are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud."
