A new version of the Zeus trojan has robbed £675,000 from a UK bank.
During July, more than 3,000 customer accounts were compromised using the trojan at one unnamed bank, according to a report from M86 Security, which uncovered the scale of the theft after cracking into the criminals’ command and control server.
The third version of the Zeus trojan isn’t only harvesting data, but actually performing illegal banking transactions. M86’s chief security architect, Mark Kaplan, said the attack was unique because “it actively steals money and not only gathers username or passwords”.
It actively steals money and not only gathers username or passwords
M86 said the trojan watches as banking customers login to their accounts, and checks to see if they have sufficient funds. If their account holds more than £800, the trojan transfers money to a mule account. The mules are valid accounts held by real banking customers, but compromised by the criminals to transfer money and cover their tracks.
The attackers used the Eleonore exploit kit – which can be bought online for a few hundred dollars – to take advantage of flaws in software such as Adobe and Internet Explorer to install the trojan after users visit a malicious web page. M86 said the command server for the scheme appeared to be based in Eastern Europe.
Kaplan said his firm had passed the details of the case to the police, saying the attacks are likely still happening. “As far as we know, it is still going on,” he said. “However, the bank and law enforcement agencies are managing the situation now.” M86 would not name the bank involved.
To avoid being hit by the attack, Kaplan advised online banking customers to set up text or email alerts to keep an eye on transactions, and to ask their bank to disable the ability to transfer money to third parties.
As the attackers are taking advantage of flaws in Adobe software, he advised using a different PDF reader. “I am not saying that those won’t have any vulnerabilities, but at least they are less exposed,” he said.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
