Brokerage Users Target of Zeus Attacks

Charles Schwab Account Holders Targeted
Security researchers have discovered Zeus isn't just targeting bank accounts; now the cybercriminals are using Zeus botnets to go after Charles Schwab investment accounts.

This revelation comes on the heels of more than 100 arrests late last month of a Zeus cybercrime gang that worked in the U.S. and Europe. Derek Manky, a project manager for cybersecurity and threat research at security vendor Fortinet, says the targets were added by sending victims fake LinkedIn messages.

A forensic analysis of the malware's file configuration showed that the attacks took money from the victims' Charles Schwab investment accounts, Manky says.

How Zeus Variant Works

After the initial infection on a PC through a fake e-mail, the Zeus malware waits for the user to log onto an online bank account. It then quietly takes in all online credentials, including user names and passwords.

The Zeus variant's attack configuration also presents the user with fake forms asking for more information to confirm they are the real Charles Schwab customer. The form requests mother's maiden name, driver's license number and employer.

The Zeus attacks, which began in late September, topped off in early October. Manky warns that more attacks should be expected because the gangs usually run the attacks in sequence. Another reason more attacks are likely, he says, is the Zeus botnet still has its command-and-control domains operating, and it continues to siphon stolen credentials from infected computers.

The targeting of investment accounts illustrates the spreading tentacles of these cybercrime gangs, says Dave Jevans, chairman of the Anti-Phishing Working Group.

"In the U.S., we are seeing more corporate bank-account fraud than in the U.K.," he says. "The cybercriminals have figured out that it's easier to steal $500,000 from one business banking customer than $500 from 1,000 consumer banking customers. Online corporate-banking fraud in the U.S. is hundreds of millions of dollars a quarter."

Zeus Attacks Spreading

The spread of Zeus-related crimes has likely been fueled by the ease with which criminals can perpetrate them.

"Any amateur criminal can be up and running and launching a Zeus attack in a week or two, if that, as long as they know where to buy the Zeus kit and the associated services," says Avivah Litan, a security analyst at Gartner. One drawback: They have to pay more for sophisticated Zeus variants.

"The main hurdle for the Zeus attackers is getting their money mules lined up so that they can launder their stolen funds and move them out of the victim accounts to their own accounts," she says.

About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
