It’s been called the ‘second bank crisis’, and this time the cause is a piece of malware so potent it can steal money from online bank accounts with apparent impunity.
It’s name is Zeus (or Zbot) and it’s mighty clever. Rather like the investment bankers of unpopular lore, it does what it does quietly, behind the wall of bank secrecy, and so almost nobody has heard of it.
If a gang walked through the front door of a bank branch and made off with tens of millions, it would be front page news and yet even today’s widely-reported arrest of 19 people accused of being involved with using Zeus to hack online accounts still feels like a passing curiosity. And this is only the latest in a long line of incidents.
It shouldn’t be. Zeus has been attacking UK, US and European bank account holders for some time now, and its success tells us that something is profoundly wrong.
Beyond the headlines, what can be done to fight Zeus and other similar targeted malware of the near future?
Stop kidding ourselves that antivirus software is reliable enough to use as a sole defence against targeted malware. There is plenty of evidence that Zeus can get round almost all popular AV programs using polymorphic variants.
Promote second-line security software such as the Trusteer Rapport browser plug-in (Zeus does its work inside browsers), or go even further and embrace virtualised browsers run from media such as USB sticks. There are plenty of options around but we need more choices.
Banks should wake up and start promoting such security as a requirement of using online banks. They could also perform remote scans on user’s PCs, refusing to hook up to people daft enough to stick with high-risk browsers such as IE 6, still used by a surprising number of people.
The final layer of the defence system is good policing of the sort that led to today’s and last month’s Zeus-related arrests. The vulnerability of Zeus is not technical but human. The people wielding from it leave traces of their actions and that is where e-crime needs to attacked more often..
But high-tech coppery will never be enough on its own because they can’t fight a labyrinth of gangs with limited resources. Consequently, banks need to stop hiding this problem behind a wall of secrecy. The industry needs to learn from the problems of other institutions and intelligence needs to be shared in real time. The bank industry needs an incident response team, probably a global one.
Until some or all of the above goes happens, let’s take it as read that today’s Zeus bust will not be the last and its victims will continue to mount.