The attacks on UK online bank customers just keep coming. This time security company M86 Security has uncovered evidence that the Zeus Trojan recently broke into the accounts of around 3,000 customers at a major high street bank, stealing over $1million.
As with a number of recent busts of Zeus (aka Zbot) command & control servers, M86 Security discovered the UK account details on a server in a small East European country, culled using Zeus v3 after targeting customers of a single institution.
Close to £675,000 ($1.064 million) are said to have been taken from account holders at the bank between 5 July and 4 August.
A worrying picture is now emerging of a concerted series of targeted – and obviously successful - attacks on a wide range of banks in the UK and beyond throughout the spring and summer of this year.
Last week, another security company, Trusteer, warned that 100,000 PCs in the UK alone had been found to be infected with versions of the Zeus Trojan, almost none of which appeared to be detectible by a range of antivirus programs.
Only a few weeks before that, Zeus was said to have attacked customers of 15 US banks using the Verified by Visa and MasterCard SecureCode credit card ‘card not present’ verification systems.
The attack has a number of concerning elements beyond the immediate losses, starting with the tardy response of the bank concerned. According to Bradley Anstis, VP of technical strategy at M86 Security, the bank seemed to have no clear procedure for a security company to inform them of what was a serious situation.
“It took us a week to find the right people,” he said.
According to the detailed white paper put out by M86 Security on the attack [PDF], criminals were also able to build the attack with the Phoenix and Eleonore Exploit Kits to target software vulnerabilities in common applications such as Adobe Reader, Internet Explorer, and Java.
Some of the vulnerabilities aimed at by Eleonore go back to 2006, 2007, and 2008, although one is as recent as this year. It looks from this as if patching has at least some influence on how vulnerable a consumer is to Zeus.
Visitors with the vulnerabilities unpatched would have encountered the Trojan through ads embedded on innocent-looking websites, including some apparently based in the UK. In M86’s analysis, few antivirus products could have stopped the obfuscated attacks, which raises the question of how UK consumers can protect themselves, if at all.
The company has its own hosted services to push, of course, but Anstis also recommended the use of sandboxed and virtualised browsers as one option. These isolate the browsing session from external capture, or at least do so at present. Longer term, it is clear that banks will have to introduce extra layers of authentication and fraud control.