Brokerage Users Target of Zeus AttacksCharles Schwab Account Holders Targeted
This revelation comes on the heels of more than 100 arrests late last month of a Zeus cybercrime gang that worked in the U.S. and Europe. Derek Manky, a project manager for cybersecurity and threat research at security vendor Fortinet, says the targets were added by sending victims fake LinkedIn messages.
A forensic analysis of the malware's file configuration showed that the attacks took money from the victims' Charles Schwab investment accounts, Manky says.
How Zeus Variant Works
After the initial infection on a PC through a fake e-mail, the Zeus malware waits for the user to log onto an online bank account. It then quietly takes in all online credentials, including user names and passwords.
The Zeus variant's attack configuration also presents the user with fake forms asking for more information to confirm they are the real Charles Schwab customer. The form requests mother's maiden name, driver's license number and employer.
The Zeus attacks, which began in late September, topped off in early October. Manky warns that more attacks should be expected because the gangs usually run the attacks in sequence. Another reason more attacks are likely, he says, is the Zeus botnet still has its command-and-control domains operating, and it continues to siphon stolen credentials from infected computers.
The targeting of investment accounts illustrates the spreading tenacles of these cybercrime gangs, says Dave Jevans, chairman of the Anti Phishing Working Group.
"In the U.S., we are seeing more corporate bank-account fraud than in the U.K.," he says. "The cybercriminals have figured out that it's easier to steal $500,000 from one business banking customer than $500 from 1,000 consumer banking customers. Online corporate-banking fraud in the U.S. is hundreds of millions of dollars a quarter."
Zeus Attacks Spreading
The spread of Zeus-related crimes has likely been fueled by the ease with which criminals can perpetrate them.
"Any amateur criminal can be up and running and launching a Zeus attack in a week or two, if that, as long as they know where to buy the Zeus kit and the associated services," says Avivah Litan, a security analyst at Gartner. One drawback: They have to pay more for sophisticated Zeus variants.
"The main hurdle for the Zeus attackers is getting their money mules lined up so that they can launder their stolen funds and move them out of the victim accounts to their own accounts," she says.