We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,818 News Articles

New Zeus malware scam promises rebates, security

A new Zeus P2P malware variant discovered last week by security vendor Trusteer is attempting to scam users of some of the Internet's most popular and trusted brands -- Facebook, Google Mail, Hotmail and Yahoo -- with promises of rebates and new security measures.

In a blog post, Trusteer CTO Amit Klein ays the scams "exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data."

As usual, the fraudsters try to trick users into providing confidential financial information: debit card number, expiration date, security code, and PIN. On Facebook, a web inject offers a 20-percent cash back offer by linking a Visa or MasterCard debit card to their account.

What is unique about this one, Klein writes, is that "in the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs."

Trusteer's director of product marketing, Oren Kedem, says while web injects are common, this is the first time he has seen a scam try to use 3D Secure. "Many customers are familiar with it," he says, "and it has become so trustworthy that victims could see it as a plausible approach."

In this case, the lure is convenience. Victims are told that if they link their debit card to their web mail accounts, "all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively," and, of course, that they will be protected from fraud in the future, by providing their confidential information. The Hotmail attack is similar.

Users are "reassured" that, "Your Debit Card pin is ONLY used for verification purposes. It activates CashBack option. Never disclose your Debit PIN to anyone, including family and friends. Your Debit PIN is confidential and is for your use online."

Kedem says he does not know how many people have fallen for the scam, "but since this is a version of Zeus, which is the No. 1 malware out there and since just about everybody uses one of these services, there is a large number of targets." He says Trusteer has notified the companies of the new variant.

Kedem says the most common way to get infected with the Zeus malware is by "drive-by" download - simply by visiting a website with the malware present. It then takes over the user's browser when one of the targeted sites, like Facebook, is visited. He says users should take the usual precautions with any unsolicited offer they see online that asks for confidential information.

Another way to tell is to check the use of the language. While this scam uses relatively accurate English, there are mistakes. In the line about the Debit PIN, the web inject uses the lower-case "pin" one time, and capitalizes it the other two times. It also says, "It activates CashBack option," leaving out "the" before CashBack.

The Gmail web inject starts with: "We are glad to offer you participate ..." Such mangling of English, even in a minor way, should amount to a red flag.

There is little else to warn potential victims, Klein writes. "These web injects are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


IDG UK Sites

The 30 best TV shows on Netflix UK: Our pick of the best programmes you can watch right now

IDG UK Sites

Nostalgia time: Top 10 best selling mobile phones in history

IDG UK Sites

VFX Emmy: Game of Thrones work garners gong for Rodeo FX

IDG UK Sites

Apple 13-inch MacBook Pro with Retina review (2.6GHz, 128GB, mid-2014)