Friday, May 18, 2012

Zeus Variant Using Fake Cash-Back & Fraud Protection Offers to Steal Debit Card Information

Are you being prompted to enter your debit card information to redeem special rebates or enable fraud protection features when you visit Facebook or try to log in to your Gmail, Hotmail or Yahoo account?

Your system is likely infected with Zeus malware.

Security researchers over at Trusteer have discovered that the latest P2P variant of the Zeus Trojan doesn’t just wait around for a user to log in to their online bank account to snatch their login credentials or inject a web form to obtain whatever financial information the cybercrooks behind it are after.

Instead, the latest Zeus configuration attempts to leverage visits to the most popular sites into a case of debit card data theft.

How? By dangling bogus CashBack and –ironically enough– fraud protection offers in front of users whenever they visit Facebook, Gmail, Hotmail or Yahoo to get them to hand over their credit card information.

Zeus Trojan Offers Facebook Users 20% CashBack on Facebook Credit Purchases


When a user goes to satisfy their Facebook fix, Zeus will inject a page inviting the user to link their debit card to their Facebook account to earn 20% CashBack on all Facebook Credit purchases:
Apply Now!
Link your Debit card to your facebook account. Transfer Facebook Credits to your bank account is now available! Earn up to 20% CashBacK purchasing Facebook Credits with your MasterCard or Visa Debit Cards.

[Credit Card Information Fields Here]

*Your Debit Card pin is ONLY used for verification purposes! It activates CashBack option. Never disclose your Debit PIN to anyone, including family and friends. Your Debit PIN is confidential and is for your use online.

Pretty sneaky stuff, huh?

Zeus Offers Fraud Protection to Gmail, Hotmail & Yahoo Users... as it Helps Cybercrooks Commit Fraud


Should a user attempt to check their Gmail, Hotmail or Yahoo inbox on a system infected with the Zeus variant in question, they’ll be presented with a fake page offering to protect them from fraud by utilizing the security features under the Verified by Visa or MasterCard SecureCode programs.  Talk about a cruel irony.

Here’s the sales pitch presented to Gmail users:

Gmail page injected by Zeus Trojan
Screenshot Credit: Trusteer



We are glad to offer you participate in our brand new processing system created jointly with Verified by VISA, MasterCard SecureCode and Google Checkout.

Link your Debit card right now with your Google Mail Account and pay simply, securely at more than 3,000 stores online, starting January 1 2012. All you need to do is activate your card. Then, whenever you submit an order at a participating online store, Google checkout window will appear automatically. Enter your password, submit, and that’s it. Once activated, your card number cannot be used without your personal password for online purchases.

The spiel for Yahoo Mail is nearly identical - just swap out the Google name for Yahoo.

Meanwhile, Hotmail users are told they can connect their card to their Hotmail account, which will somehow magically stop purchases made without providing your Hotmail.com email address and assigned password:
Windows Live Inc. is concerned about the online security of its customers and as a result wants to ensure we’re doing all we can offer you as much protection as possible. Brand new free service allows you to set-up an Online Password at your Debit Card against unauthorized use through the Internet. After your Debit Card is “linked” to your e-mail address, no one will be able to use it without your Personal Password and access to your e-mail. It’s 100% secure fast and easy. Apply now and get absolute unauthorized charges protection, it’s compensated in full.

Of course, should a user make the mistake of falling for any of the offers outlined above, all of their billing information will be sent over to the cybercrooks behind the Zeus variant, who will either sell the information to the highest bidder or use it to buy whatever it is their little black hearts desire.

“This attack is a clever example of how fraudsters are using trusted brands – social network/email service providers and debit card providers – to get victims to put down their guard and surrender their debit card information,” Trusteer’s CTO, Amit Klein, wrote. “These webinjects are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud.”
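However polished they look, the injected pages described above share one structural trait: a form asking for card data on a social or webmail site that has no reason to ask. The following is an added example (not from Trusteer or the original post) of a heuristic check in JavaScript that flags that pattern in page HTML; the host list, field-name patterns and sample markup are constructed assumptions.

```javascript
// Added illustration, not from the original post or Trusteer.
// Host list, field patterns and sample markup are constructed assumptions.
const WATCHED_HOSTS = ["facebook.com", "mail.google.com", "hotmail.com", "mail.yahoo.com"];
const CARD_FIELD = /(card|cc)[-_ ]?(num|number|no)|(^|[^a-z])(cvv2?|cvc|pin)([^a-z]|$)|expir/i;
const LURE_TEXT = /cash\s?back|verified by visa|mastercard securecode/i;

// True for a watched host or any of its subdomains (not look-alike names).
function hostIsWatched(hostname) {
  const h = hostname.toLowerCase();
  return WATCHED_HOSTS.some((w) => h === w || h.endsWith("." + w));
}

// Collect the name/id/placeholder values of every <input> in the markup.
function inputLabels(html) {
  const labels = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attr = /\b(name|id|placeholder)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let m;
    while ((m = attr.exec(tag)) !== null) labels.push(m[2] || m[3] || m[4] || "");
  }
  return labels;
}

// A page is suspicious when a watched host shows inputs asking for card data.
function inspectPage(hostname, html) {
  const cardFields = inputLabels(html).filter((l) => CARD_FIELD.test(l));
  const lure = LURE_TEXT.exec(html.replace(/<[^>]+>/g, " "));
  return {
    suspicious: hostIsWatched(hostname) && cardFields.length > 0,
    cardFields,
    lure: lure ? lure[0] : null,
  };
}

// Constructed samples: an injected offer form and an ordinary login form.
const INJECTED = `<h2>Apply Now!</h2><p>Earn up to 20% CashBack with your Debit Card.</p>
<form><input name="card_number"><input name="expiry"><input name="debit_pin" type="password"></form>`;
const LOGIN = `<form><input name="email"><input name="pass" type="password"></form>`;

for (const [host, html] of [["www.facebook.com", INJECTED], ["mail.yahoo.com", LOGIN], ["shop.example", INJECTED]]) {
  console.log(host, JSON.stringify(inspectPage(host, html)));
}
```

Because the injection happens on the infected system, a check like this only sees the form when it runs against the HTML as rendered in the user's browser, not against what the site's servers sent.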

Always think twice before entering your personal or billing information and when in doubt, do a little research.

Zeus is often spread via malicious email file attachments and drive-by-downloads, so don't download any files attached to suspicious-looking emails, always use antivirus software and keep your system's operating system up-to-date.
