A graduate seminar: current topics in computer security
 

36 million euros was stolen by Eurograbber malware

 

Although banks' two-factor authentication mechanisms seem to work quite securely, a new Trojan called Zeus circumvented banking authentication and looted an estimated €36 million, or $47 million, from about 30,000 European bank accounts this summer. The attackers targeted 30 banks located in Italy, Germany, Holland and Spain. To carry out their information hijacking, they used a well-known technique for tricking users: drive-by download.

Like similar malware, it entices people to click on a link in a malicious email, or directs them to a compromised server, and infects their computers with Zeus. The malware remains on the victim's computer until the user starts an online banking session and sets a cell phone number in the profile. The malware immediately sends the information to the command and control server, which subsequently sends an SMS message to the user providing a link for upgrading banking software security. Clicking on the link, which seems logical to the user, leads to downloading the ZITMO Trojan (Zeus in the mobile). In this situation, even the Transaction Authentication Number (TAN), which provides extra security, does not work effectively.

Although Check Point Versafe recently worked with European law enforcement and Internet Service Providers to shut down the C&C servers, there is a chance that the Zeus campaign will adopt a more complex attack architecture to hide its C&C servers, like the one we saw in a paper earlier this semester.

One point about this Trojan is interesting. While two-factor authentication is not as widespread in the US as in Europe, there is no reason why these kinds of attacks cannot be used against American banks (for instance, by choosing Wells Fargo as a victim).

Because users are prone to unsafe actions, often through lack of knowledge or unintentional mistakes, we, as security guys, should control other parts of the information hijacking chain to protect them. (Look at this nice figure.) Based on what was mentioned in a paper earlier this semester, we can conclude that the weakest part of this chain is the bank, and that it needs to be protected by law enforcement.

 


 
