Zeus Malware: A Continuing Threat

Indictment of Nine Highlights Fraud Risk

By Jeffrey Roman, April 15, 2014.

The indictment of nine alleged participants in a fraud scheme that involved infecting thousands of business computers with Zeus malware to steal millions of dollars shows that the malware remains a formidable ongoing threat, financial services security experts say.


The victims in the case included a Nebraska bank and a Nebraska company, according to an announcement of the indictment from federal prosecutors. The indictment was unsealed in connection with the April 11 arraignment of two Ukrainian nationals, who were recently extradited from the United Kingdom. Three other Ukrainians and a Russian have not yet been arrested; the indictment also names three other "John Doe" defendants.

"These actors are only a few of those who operate Zeus botnets out of a sea of cybercriminals who use variations to commit fraud," says Ryan Sherstobitoff, a threat researcher at security vendor McAfee, a unit of Intel. "Zeus will always be a continuing threat, and cybercriminals will continue to use Zeus to steal money. We as an industry must be vigilant."

Kevin Haley, security response director at security vendor Symantec, says the indictments won't put much of a dent in the use of the malware. "Zeus is not a gang; it's a toolkit, a very popular one used by many gangs," he says. "While today there is one less gang, there are still plenty of others using Zeus to attack us."

Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix, says that when it comes to fighting fraud, the latest indictments are "like taking a scoop of sand out of the beach.

"The thing about Zeus is that the people who develop and distribute Zeus are not the same people who use Zeus to steal money," Baumhof says. "Now we have a couple less people using Zeus."

Zeus is a continuing threat because many financial institutions aren't necessarily looking for the malware itself, says George Tubin, banking expert at anti-malware provider Trusteer. "What [banks] are trying to do is use different authentication means and different fraud prevention technologies to try to spot when fraud happens," he says. "But very few institutions are actually trying to identify when man-in-the-middle malware [such as Zeus] is being used."

Zeus Scheme

The nine defendants in the case revealed April 11 allegedly used the malware to capture passwords, account numbers and other information necessary to log into online banking accounts, federal prosecutors say. The conspirators then used the information to steal millions of dollars from victims' bank accounts.

The defendants allegedly falsely represented to banks that they were employees of the victim organizations and were authorized to make transfers of funds from the victims' bank accounts, according to an announcement from the Federal Bureau of Investigation.

As part of the scheme, the defendants allegedly used money mules in the U.S. who received funds transferred over the ACH network or through other interstate wire systems from victims' bank accounts, the FBI says. The money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators.

All the defendants were charged by a federal grand jury with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud.

Tackling Zeus

McAfee's Sherstobitoff says federal law enforcement is making progress mitigating the Zeus threat through botnet takedowns and disruption efforts. "These disruption efforts are oriented toward breaking up criminal rings who operate Zeus to steal from commercial entities," he says.

Haley at Symantec notes: "Security technology continues to get better, and users become more aware of the social engineering tricks that attackers deploy. But the attackers do not stand still either."

Follow Jeffrey Roman on Twitter: @gen_sec
