June 6, 2013
The Zeus Trojan (ZBOT), once downloaded to a computer, lies quiet until the user logs into an online banking site.
The Trojan scans the computer for private data to be siphoned off, including login details and passwords, and logs keystrokes to make gathering that information easier.
ZBOT is spread through phishing campaigns using links disguised as ads. Once a user clicks on one, it is automatically shared with that user's Facebook friends.
Windows users are the most exposed to this Trojan. It has also affected smartphone users in the past.
Fake Facebook accounts have recently been used to spread it.
Trend Micro states that ZBOT “variants typically arrive via spam appearing to come from legitimate sources, asking recipients to click a link.”
ZBOT can also present the user with a look-alike copy of the bank's website, or insert extra fields into the real one inside the browser, so that the user's Social Security number and other private information can be stolen.
ZBOT has been linked to the Russian Business Network (RBN), which is assumed to use it to collect internet users' identities and private data.
At the end of 2012, McAfee Labs warned of a cyber-attack planned for the spring of 2013 intended to steal millions of dollars from customer accounts. Thirty US banks were named as targets of a Trojan, released by a nameless, faceless band of criminals, built to move money out of accounts at banks such as JPMorgan Chase & Co., Wells Fargo, Citibank and Bank of America.
The scheme is referred to as “Project Blitzkrieg” (PB). In a beta test of the assault, 300 bank accounts in the US were reportedly affected.
Recruitment for PB has been linked to Russian cyber-criminals and an alleged cyber-mafia headed by an anonymous figure known as NSD. Those who join PB are tasked with infecting specified US computers with predetermined malware, cloning, siphoning passwords and login information, and transferring money out of customer accounts.
When a customer logs into the bank website, security questions are meant to keep the customer's information protected; however, the Trojan presents a cloned version of the bank website and retains the answers and other information the user enters, to be used against them later. A version of the Gozi Trojan called “Gozi Prinimalka” is believed to have already been used to extract $5 million from banking institutions.
These anonymous cyber-criminals drain accounts slowly, in small increments, so that no single transfer trips a withdrawal limit.
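The draining pattern described above is exactly what a per-transaction limit cannot see, because every transfer on its own is under the limit. As an added example (written for this edit, not code from McAfee or from the Project Blitzkrieg reporting), the following detector sums an account's sub-limit outbound transfers over a sliding window and raises an alert when the running total crosses a cumulative threshold. The ledger, the $500 per-transfer limit, the seven-day window and the $2,000 cumulative threshold are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger, not real transactions: (account, ISO timestamp, amount, destination).
# acct-1001 is drained in six sub-limit transfers to one mule account; acct-2002 makes a single
# large transfer that the existing per-transaction limit already catches; acct-3003 is benign.
SAMPLE_TRANSFERS = [
    ("acct-1001", "2013-03-01T09:12:00", 450.00, "dest-77"),
    ("acct-1001", "2013-03-02T10:05:00", 480.00, "dest-77"),
    ("acct-1001", "2013-03-03T11:40:00", 490.00, "dest-77"),
    ("acct-1001", "2013-03-04T08:55:00", 470.00, "dest-77"),
    ("acct-1001", "2013-03-05T09:30:00", 495.00, "dest-77"),
    ("acct-1001", "2013-03-06T09:31:00", 460.00, "dest-77"),
    ("acct-2002", "2013-03-01T12:00:00", 1200.00, "dest-12"),
    ("acct-3003", "2013-03-01T12:00:00", 300.00, "dest-50"),
    ("acct-3003", "2013-03-20T12:00:00", 300.00, "dest-51"),
]

PER_TX_LIMIT = 500.00            # assumed per-transfer limit the attacker stays under
WINDOW = timedelta(days=7)       # assumed look-back window
CUMULATIVE_LIMIT = 2000.00       # assumed cumulative total that should raise an alert


def find_structured_draining(transfers, per_tx_limit=PER_TX_LIMIT, window=WINDOW,
                             cumulative_limit=CUMULATIVE_LIMIT):
    """Return {account: alert} for every account whose sub-limit outbound transfers,
    summed over some sliding window, exceed cumulative_limit."""
    by_account = {}
    for account, ts, amount, dest in transfers:
        # Transfers at or above the per-transaction limit are the existing control's job;
        # this detector only looks at what slips underneath it.
        if amount >= per_tx_limit:
            continue
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), amount, dest))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()                       # chronological order
        start = 0
        total = 0.0
        for end, (t_end, amount, _dest) in enumerate(rows):
            total += amount
            # Drop transfers that have fallen out of the window ending at t_end.
            while t_end - rows[start][0] > window:
                total -= rows[start][1]
                start += 1
            if total > cumulative_limit:
                window_rows = rows[start:end + 1]
                alerts[account] = {
                    "window_start": window_rows[0][0].isoformat(),
                    "window_end": t_end.isoformat(),
                    "total": round(total, 2),
                    "count": len(window_rows),
                    # A single recurring destination is the classic mule-account signal.
                    "destinations": sorted({d for _, _, d in window_rows}),
                }
                break                     # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, alert in find_structured_draining(SAMPLE_TRANSFERS).items():
        print(account, alert)
```

Only acct-1001 is flagged: five transfers totalling $2,385 between 1 and 5 March, all to the same destination. The thresholds are deliberately simple; in practice the cumulative limit would be set per customer profile, and the destination concentration would feed a separate mule-account score.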
Earlier this year, Kaspersky Lab uncovered Operation Red October (Rocra), a five-year espionage campaign, built on Chinese-made exploits and Russian-authored malware, to steal diplomatic, industrial and scientific data from organizations in Eastern Europe, North America and Asia. Beginning in 2007, intelligence-gathering operations were conducted in the form of attacks on Western nations. One theory is that this was retribution on behalf of Iran for the damage caused to that country, though Kaspersky has not attributed the campaign to any government.
Kaspersky said: “The information we have collected so far does not appear to point toward any specific location; however, two important factors stand out: the exploits appear to have been created by Chinese hackers, (and) the Rocra malware modules have been created by Russian-speaking operatives.”
Rocra appears to have been controlled by about 60 command-and-control servers hosted in Germany and Russia. A further “mother ship” server is suspected to exist at an unknown location.
Some of the attacks appear to be tailor-made for the victim, with an estimated 1,000 different modules that performed specific tasks. Kaspersky explained: “For instance, the initial documents are customized to make them more appealing and every single module is specifically compiled for the victim with a unique victim ID inside (and) later, there is a high degree of interaction between the attackers and the victim. Compared to Flame and Gauss, which are highly automated cyber-espionage campaigns, Rocra is a lot more ‘personal’ and finely tuned for the victims.”
Although Kaspersky Lab admits that these attacks have not been definitively connected to China or Russia, the data collected is assumed to fetch a high price on the black market.
Kaspersky stated: “The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere.”
Last April, Group-IB, a Russian security firm, discovered Dump Memory Grabber (DMG), malware focused on compromising cash registers and ATMs and extracting card data from them. DMG has been used to siphon debit and credit card data belonging to customers of banks such as JPMorgan Chase & Co., Citibank and Capital One, as well as to law enforcement agencies.
Andrey Komarov, head of international projects and CTO at CERT-GIB, said: “We have found one of the C&C servers for the following POS malware, but in fact hundreds of POS/ATMs were infected and we are still investigating this issue.”
CERT-GIB, a computer security incident response team, partners with Group-IB to respond to:
• Denial-of-service attacks (DoS, DDoS)
• Unauthorized use of data processing and storage systems
• Data compromise
• Asset compromise
• Internal/external unauthorized access
• Creation and distribution of malicious software
• Breach of information security policies
• Phishing and unlawful brand use online
• Fraud with online banking and electronic payment systems
DMG is installed on point-of-sale (POS) terminals and directly on ATMs. As a card is swiped, the data encoded on its magnetic stripe passes through the machine's memory in the clear, and DMG reads that track data out of memory, collecting:
• Primary account number
• Cardholder's full name
• Card expiration date
The malware can also be given direct communication with the internet through a USB port. The harvested track data is then used to clone credit and debit cards.
Group-IB believes the Russian cyber-criminals involved have ties to Anonymous, with members originating in Ukraine, Armenia, Moscow and the US. The domain is registered to a Russian corporation named CISLAB.
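The three fields listed above are the Track 1 and Track 2 fields of the magnetic-stripe format, and a memory grabber finds them by scanning a process's memory for those exact byte patterns. As an added example (written for this edit; it is not DMG's code nor Group-IB's), the scanner below does the same search over a constructed memory image, then applies a Luhn check to separate real card numbers from random digit runs. The memory image, the process names in it and the card numbers (the public Visa and Mastercard test numbers, plus a decoy that fails Luhn) are all constructed assumptions; a defender can run the same logic over a real POS process dump to confirm whether track data is resident in plaintext.

```python
import re

# Magnetic-stripe track formats (ISO/IEC 7813). Track 1 begins with '%B' and separates
# PAN, cardholder name and expiry (YYMM) with '^'; Track 2 begins with ';' and separates
# PAN from expiry with '='. Both end with '?'. A RAM scraper looks for exactly these shapes.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\?")

# Constructed memory image standing in for a POS process dump. The PANs are the
# public Visa/Mastercard test numbers, not real cards; the third record is a decoy
# whose PAN fails the Luhn check, to show why validation matters.
SAMPLE_DUMP = (
    b"\x00\x00receipt.dll\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b"\x00\x00\x00POSApp v2.1\x00"
    b";5555555555554444=2512101?"
    b"\x00garbage\x00"
    b";1234567890123456=2512101?"
    b"\x00\x00"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check; real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, as a scanner report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer for Track 1/Track 2 data; one record per hit, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, yymm = (g.decode("ascii") for g in m.groups())
        hits.append((m.start(), "track1", pan, name, yymm))
    for m in TRACK2_RE.finditer(buf):
        pan, yymm = (g.decode("ascii") for g in m.groups())
        hits.append((m.start(), "track2", pan, None, yymm))
    hits.sort()                 # offsets are unique, so this is a pure offset order
    records = []
    for offset, track, pan, name, yymm in hits:
        records.append({
            "offset": offset,
            "track": track,
            "pan": pan,
            "pan_masked": mask_pan(pan),
            "name": name,       # Track 2 carries no cardholder name
            # YYMM -> YYYY-MM, assuming a 20xx century (true for every card in circulation)
            "expiry": f"20{yymm[:2]}-{yymm[2:]}",
            "luhn_ok": luhn_ok(pan),
        })
    return records


if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_DUMP):
        status = "VALID" if rec["luhn_ok"] else "reject"
        print(f'{rec["offset"]:6d} {rec["track"]} {rec["pan_masked"]} '
              f'exp {rec["expiry"]} {rec["name"] or ""} [{status}]')
```

Run against the sample image it reports the two test cards and rejects the decoy. The same regular expressions serve as a detection rule: track data should never be found in a POS process's memory after the swipe has been processed, so any hit that passes Luhn is a finding in its own right, before the malware itself has been identified.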