19 Nabbed in Zeus-Based ScamAnalysts: London Attack Is Just the Beginning
Police say that for the last three months the accused criminals, 15 men and four women, infected the customers' computers with a Trojan computer virus known as Zeus, designed to steal banking credentials from unsuspecting users. The $9 million taken may go higher as the investigation continues. Another 37 arrests in the U.S. happened on Thursday.
In November, Scotland Yard arrested a man and a woman in Manchester after they were accused of infecting computers with malware similar to Zeus. At the time, police said the two were the first people to be arrested on suspicion of using this type of malware to steal money from bank accounts. Police and malware researchers warn that Zeus, also known as Zbot, is a worldwide threat. It's attacks have increased in number, and the sophistication of attacks is increasing as well.
In May, the Anti Phishing Working Group released a report showing that Avalanche, the same electronic crime syndicate behind two-thirds of the phishing attacks detected in the last half of 2009, was linked to a rash of incidents targeting small and mid-size businesses. Avalanche successfully targeted some 40 banks and online service providers, as well as vulnerable or non-responsive domain name registrars and registries. The individuals and businesses were hit with the Zeus Trojan, which was embedded in the phishing e-mails. Businesses that were attacked then became victims of fraudulent automated clearing house and wire transactions, as the criminals posed as employees of the business, moving thousands of dollars to overseas locations.
More Zeus to Hit Here?
The London case has financial institutions on high alert and for good reason. "I'm seeing banks take this attack very seriously and many are implementing much stronger security measures than they had just one year ago," says Avivah Litan, a security analyst at Gartner Inc., adding that the banks don't want to damage relationships with customers, especially large corporate customers.
The same Zeus Trojan and its variants have been used in attacks against corporate account-holders here in the United States, stealing millions of dollars through fraudulent ACH and wire transfers. A long list of small and mid-sized businesses, municipal governments and even religious organizations were hit using Zeus to steal online banking credentials. Litan says she doubts the same crime ring that launched its Zeus attack in London is linked to any of the Zeus attacks that have hit U.S. business, but that just proves that Zeus attacks are proliferating, she says. "It could very well be that this gang is unrelated to the gangs attacking U.S. banks and their customers," Litan says.
Dave Jevans, chairman of the Anti Phishing Working Group, says this is a portent of things to come. "In fact, in the U.S., we are seeing more corporate bank-account fraud than in the U.K.," he says. "The cybercriminals have figured out that it's easier to steal $500,000 from one business banking customer than $500 from a thousand consumer banking customers. Online corporate-banking fraud in the U.S. is hundreds of millions of dollars a quarter."
The spread of Zeus-related crimes has likely been fueled by ease with which criminals can perpetrate the crime. "Any amateur criminal can be up and running and launching a Zeus attack in a week or two, if that, as long as they know where to buy the Zeus kit and the associated services," Litan says. One drawback: They just have to pay more for sophisticated Zeus variants. "The main hurdle for the Zeus attackers is getting their money mules lined up so that they can launder their stolen funds and move them out of the victim accounts to their own accounts," she says.
Jevans says criminals need to be operationally sophisticated, but not technically sophisticated. Zeus and other crimeware kits are available online. "Where the criminals need sophistication is in the money-mule networks to transfer funds out of the country without risking the authorities detecting who the money is going to," he says.
Jevans says financial institutions need to revisit their corporate-banking security postures and procedures. "We see banks implementing a dual strategy: increased controls and detection at their servers and deployment of secure endpoints and strong authentication to customers," he says. The National Automated Clearing House Association and the Federal Bureau of Investigation have issued guidelines to banks about how to protect business-banking endpoints, and banks and technology vendors are racing to find solutions to the problem in line with those recommendations.