The indictment of nine alleged participants in a fraud scheme that involved infecting thousands of business computers with Zeus malware to steal millions of dollars shows that the malware remains a formidable ongoing threat, financial services security experts say.
The victims in the case included a Nebraska bank and a Nebraska company, according to an announcement of the indictment from federal prosecutors. The indictment was unsealed in connection with the April 11 arraignment of two Ukrainian nationals, who were recently extradited from the United Kingdom. Three other Ukrainians and a Russian have not yet been arrested; the indictment also names three other “John Doe” defendants.
“These actors are only a few of those who operate Zeus botnets out of a sea of cybercriminals who use variations to commit fraud,” says Ryan Sherstobitoff, a threat researcher at security vendor McAfee, a unit of Intel. “Zeus will always be a continuing threat, and cybercriminals will continue to use Zeus to steal money. We as an industry must be vigilant.”
Kevin Haley, security response director at security vendor Symantec, says the indictments won’t put much of a dent in the use of the malware. “Zeus is not a gang; it’s a toolkit, a very popular one used by many gangs,” he says. “While today there is one less gang, there are still plenty of others using Zeus to attack us.”
Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix, says that when it comes to fighting fraud, the latest indictments are “like taking a scoop of sand out of the beach.
“The thing about Zeus is that the people who develop and distribute Zeus are not the same people who use Zeus to steal money,” Baumhof says. “Now we have a couple less people using Zeus.”
Zeus is a continuing threat because many financial institutions aren’t necessarily looking for the malware itself, says George Tubin, banking expert at anti-malware provider Trusteer. “What [banks] are trying to do is use different authentication means and different fraud prevention technologies to try to spot when fraud happens,” he says. “But very few institutions are actually trying to identify when man-in-the-middle malware [such as Zeus] is being used.”
The nine defendants in the case revealed April 11 allegedly used the malware to capture passwords, account numbers and other information necessary to log into online banking accounts, federal prosecutors say. The conspirators then used the information to steal millions of dollars from victims’ bank accounts.
The defendants allegedly falsely represented to banks that they were employees of the victim organizations and were authorized to make transfers of funds from the victims’ bank accounts, according to an announcement from the Federal Bureau of Investigation.
As part of the scheme, the defendants allegedly used money mules in the U.S. who received funds transferred over the ACH network or through other interstate wire systems from victims’ bank accounts, the FBI says. The money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators.
All the defendants were charged by a federal grand jury with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud.
McAfee’s Sherstobitoff says federal law enforcement is making progress in mitigating the Zeus threat through botnet takedowns and disruption efforts. “These disruption efforts are oriented toward breaking up criminal rings who operate Zeus to steal from commercial entities,” he says.
Haley at Symantec notes: “Security technology continues to get better, and users become more aware of the social engineering tricks that attackers deploy. But the attackers do not stand still either.”
Organizations need to first identify the critical business information that must be protected and prioritize that appropriately, Haley says. Then they must implement security technology, including anti-spam technology, to mitigate the e-mail threats. “And finally, users need security awareness training,” he says.
ThreatMetrix’s Baumhof says making progress in fighting fraud is challenging because many malware attacks are so targeted. “The trick with Zeus is that it is a very flexible toolkit that you can use in many different ways,” he says. “People try to mitigate the specific attacks that they are being attacked with, not against Zeus. People are protecting against cuts and not against the Swiss Army knife.”
To fight attacks that use Zeus, banks need to ensure more data is available to systems that assess risk, Baumhof says. And that includes information about end users’ devices. “How can a bank make a good decision regarding whether or not a particular transaction is valid if there is no visibility into the endpoint?”