Zeus Variant Targets U.S. AccountsFBI Warning Reiterates Citadel Malware Threats
Banking institutions need to take action to thwart the latest generation of targeted ransomware and malware attacks that hijack computer operating systems and launch keyloggers to steal online banking credentials and other financial information.
The attacks, fueled by the Zeus malware variant known as Citadel and the drive-by virus known as Reveton, serve up ransomware that is targeted and convincing, the Federal Bureau of Investigation warned in an Aug. 17 alert.
To help thwart these attacks, financial institutions should enhance their back-end fraud-prevention systems and processes, says Avivah Litan, a financial fraud analyst at the consulting firm Gartner Inc. "So even if user endpoints are infected with malware, the malware is stopped from taking over the customer accounts," she says.
Banks and credit unions also should work to build awareness of malware threats among their customers and members, Litan advises. Quick detection and removal of any type of malware is critical, she notes. Plus, businesses should use dedicated and locked down computers, preferably desktop PCs, for all online-banking transactions, "if they want to keep their assets safe from online account takeover," Litan says.
A Formidable Threat
In July, the FBI and numerous security researchers started issuing warnings about Citadel and Reveton. Security blogger Brian Krebs and others, including Andreas Baumhof of online security vendor ThreatMetrix, have pointed out that ransomware attacks, which aim to extort funds under false pretenses, while not new, remain a formidable threat.
"So the biggest news here is that Trojan writers are still very, very active and that there are more and more different Trojans out there," Baumhof says. "It's important that people don't just focus on Zeus or Spyeye. It's important that we focus on providing a solution to businesses and consumers that protects them regardless of the type of Trojan."
But Citadel is a particularly powerful Zeus variant.
Hackers using Citadel hijack victims' computers with drive-by downloads - websites that automatically install malware that overtakes the machines. Once launched, the malware freezes the computer, and in the case of recent U.S. attacks, displays a message or warning that the user has violated some federal law. Often, the message appears to come from the FBI, declaring the user's IP address has been identified as one that has visited websites featuring child pornography and/or other illegal content.
In order to unlock the computer, the user is asked to pay a fine to the U.S. Department of Justice using a prepaid money card service; but, of course, the message is a scam.
A New Twist
What makes these latest attacks so threatening, Litan says, is that while the end-user's computer is frozen, Citadel continues to run in the background, and - via embedded keyloggers - captures personal information and online-banking credentials to commit online banking and credit card fraud.
"Users may think they have removed the malware from the machine, but it remains on the endpoint long after they think they removed it, and it continues to steal user credentials and other sensitive information," Litan says. "Also, it's unique in that it encrypts users' workstation data and won't decrypt it until the hackers' ransom is paid. Many innocent victims will pay to get their data and files back, as they generally do not back them up in a timely fashion."
Ransomware attacks, while prevalent in Europe, are relatively new to the U.S. Because U.S. online users in are not so familiar with these attacks, they're more likely to fall victim, and, thus, have proven easy prey.
"I don't think the attack methods are unique from traditional keylogger and Zeus methods," Litan says. "But what is lethal here is the combination and packaging of various tried-and-true hacking techniques."
Angel Grant, who oversees product marketing for RSA's banking authentication and transaction protection solutions, says more consumer education about cyberthreats is the best defense against the attacks. "The FBI has recently been involved with several high-profile shutdowns that made the average individual aware of everyday cybercrime," she says.
Grant also says Citadel and Reveton are especially concerning because of how quickly fraudsters have been able to adapt them for targeted attacks. "What makes them dangerous is the pace of evolution," she says. "As soon as one variant is detected and mitigated, another evolves. Just in Q2 2012, the Citadel Trojan was responsible for one out of every five Trojan attacks analyzed by RSA."
The Internet Crime Complaint Center - a partnership between the FBI and the National White Collar Crime Center - and the FBI last week reminded consumers that all suspicious activity should be reported to IC3.
They also recommend that consumers should:
- Stay abreast of identified attack methods by regularly visiting IC3's website for updates about Citadel;
- Contact a computer expert to ensure malware, if present, is removed;
- Never pay money or provide personal information to any suspicious entity online; and
- Note that even if they successfully unfreeze their computer, malware, especially a keylogger, may still be present and operating in the background.
FBI spokesman Darrell Foxworth says banking institutions also should provide training for their employees to help them more quickly identify suspicious transactions, including withdrawals and wire transfers. "We hope that by sharing this information with the media it will reach all segments of the population," Foxworth says.