Cybercriminals have introduced a new version of a notorious malware threat that is not only harder to detect but also more capable of stealing card numbers, PINs, and other sensitive information.
This latest variant of the so-called Zeus Trojan malware includes a change that makes it virtually invisible to the automated tools that identify the malware by decrypting its configuration file, according to ThreatMetrix Inc., the Santa Clara, Calif.-based security-technology company that discovered the variant in April and this week released a white paper on the matter. The change, which occurred in the peer-to-peer version of the Trojan, involves a new encryption algorithm for its configuration file. “This small but crucial change will make all automatic detection routines fail (our own as well as anyone else’s),” the white paper reports. Since financial institutions and other companies targeted by hackers rely on decrypting malware configuration files to learn which sites are targeted and how they are being attacked, the change in encryption is “disturbing,” according to the paper.
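The failure mode the white paper describes is mechanical: an automated config extractor decrypts a captured blob with the cipher it expects and then checks that the result looks like a config. Swap the cipher layer and the same tool gets garbage and reports nothing. The following Python is an added, constructed illustration of that brittleness; it is not ThreatMetrix's tooling and does not reproduce the real Zeus config format, key schedule, or the actual algorithm change in the P2P variant. The `MAGIC` header, the `key=value` layout, the "old" scheme (RC4 only) and the "new" scheme (an extra byte-chaining XOR layer under RC4) are all assumptions made for the demonstration.

```python
"""Constructed demo: why a changed config cipher silently breaks automated extractors.

Not real Zeus code or formats. Classic Zeus 2.x configs were RC4-encrypted, which is the
only detail borrowed from reality; everything else here is an assumption for illustration.
"""

MAGIC = b"CFG1"  # assumed plaintext header the extractor validates against (constructed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def chain_xor(data: bytes) -> bytes:
    """Constructed extra layer: each byte XORed with the previous plaintext byte."""
    out, prev = bytearray(), 0
    for b in data:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def unchain_xor(data: bytes) -> bytes:
    """Inverse of chain_xor: recover each byte using the previously recovered byte."""
    out, prev = bytearray(), 0
    for b in data:
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def build_config(entries: dict) -> bytes:
    """Assumed plaintext layout: MAGIC followed by 'key=value' lines."""
    body = "".join(f"{k}={v}\n" for k, v in entries.items()).encode()
    return MAGIC + body


def parse_config(plain: bytes):
    """Plausibility check plus parse; returns None when the header is wrong."""
    if not plain.startswith(MAGIC):
        return None
    entries = {}
    for line in plain[len(MAGIC):].decode("utf-8", "replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            entries[k] = v
    return entries


def old_scheme_encrypt(key: bytes, plain: bytes) -> bytes:
    return rc4(key, plain)


def new_scheme_encrypt(key: bytes, plain: bytes) -> bytes:
    # Same RC4 key, but the plaintext is chained first; RC4 alone no longer yields MAGIC.
    return rc4(key, chain_xor(plain))


def legacy_extract(key: bytes, blob: bytes):
    """Automated routine written against the old scheme. Fails closed, and silently."""
    return parse_config(rc4(key, blob))


def updated_extract(key: bytes, blob: bytes):
    """Routine after an analyst reverse-engineers the new layer."""
    return parse_config(unchain_xor(rc4(key, blob)))


def demo() -> dict:
    """Run the extractor against both schemes; constructed key and config values."""
    key = b"bot-key-constructed"
    cfg = {"url_server": "http://c2.example.invalid/gate.php", "inject_after": "login"}
    plain = build_config(cfg)
    return {
        "old_legacy": legacy_extract(key, old_scheme_encrypt(key, plain)),
        "new_legacy": legacy_extract(key, new_scheme_encrypt(key, plain)),
        "new_updated": updated_extract(key, new_scheme_encrypt(key, plain)),
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner caveat is the `None` in the middle result: an extractor that returns nothing on a header mismatch looks, to a dashboard, exactly like "no config seen", so a pipeline should alert on decryption failures for samples it otherwise recognizes as Zeus rather than treating silence as absence.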
Adding to the sense of alarm is that the variant includes a number of other updates, including an ability to lurk undetected until after a consumer has logged in to an apparently normal Web site. After log-in, the malware injects a page into the live session asking for confidential information, so the site's own log-in page and server see nothing unusual. The ThreatMetrix paper looks at four scenarios in which this can happen: sites for social-media networks, financial services companies, major retailers, and payment processors.
On social networks, for example, a page might appear after log-in promoting cash back if the user enters a debit card number and links it to the network. In a case involving an unnamed department store, the Trojan waits until the user is ready to check out, then produces a pop-up window asking for the user’s loyalty card information on the pretext that the card number entered “does not match our records” and needs to be re-entered, the white paper says.
ThreatMetrix says the P2P version of Zeus is the most active in terms of developer activity, and so the company is not surprised to find the latest updates in that version. But that doesn’t make the threat any less ominous. “Today’s cybercriminals are rapidly evolving to surpass some of the most advanced malware and cybercrime automatic detection routines,” said Andreas Baumhof, chief technology officer at ThreatMetrix, in a statement. “The latest Zeus variant catches victims off-guard by waiting to attack until after a Web site’s log-in page appears to be functioning normally. After the victim logs in, the Zeus Trojan attempts to steal confidential information.”
Authorities have enjoyed some success in recent months in combating the Zeus malware by seizing the servers that control it. In March, U.S. Marshals working with Microsoft Corp. raided hosting facilities in Lombard, Ill., and Scranton, Pa., that allegedly housed command-and-control servers for Zeus botnets, networks of infected computers used to pump out tens of millions of phishing e-mails.