Zeus v3 Trojan Steals £675,000 From UK Bank

Cyber-criminals based in Eastern Europe have stolen £675,000 from a British bank, using a new version of the infamous Zeus Trojan that cannot be detected by traditional firewalls.

According to security researchers at M86 Security, Zeus v3 spreads through legitimate websites and online advertising to infect victims’ computers. Once the Trojan is successfully installed on a PC, it lies dormant until the user connects to their online banking page. It then transfers the user’s banking login ID, date of birth, and a security number to a command and control server, enabling the hackers to break into the account.

About 3,000 online customers of an unnamed British bank have fallen victim to the cyber-criminals since 5 July, with each losing between £1,000 and £3,000, the experts claimed. However, money transfers are only carried out if the hacked account balance is bigger than £800. M86 claims that the attack is still progressing.

Bradley Anstis, vice-president of technical strategy at M86, explained that this latest version of the malware is “extremely sophisticated”, and is able to avoid detection by using the Secure Sockets Layer (SSL) protocol to communicate with the command and control centres.

UK bank accounts targeted

Only last week, researchers at security softeware maker Trusteer uncovered a large botnet of 100,000 computers built using a different variant of the Zeus malware. Again, almost all of the infected machines were thought to be in the UK.

After infecting the computers with Zeus 2, the botnet pilfered all kinds of user data, ranging from login information for banks to credit and debit card numbers and browser cookies.

“This is just one out of many Zeus 2 botnets operating all over the world,” said Amit Klein, Trusteer’s chief technology officer, at the time. “What is especially worrying is that this botnet doesn’t just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users’ online accounts.”

The Metropolitan Police Service’s Police Central E-Crime Unit (PCeU) also recently arrested six people as part of a suspected online banking fraud. The arrests took place across London and Ireland, and concerned the theft of credit cards, as well as personal information and banking details.

It is thought that more than 10,000 online bank accounts and 10,000 credit cards were compromised in phishing attacks, and the bank account take-over fraud amounted to approximately £1.14 million, with £358,000 stolen successfully.

Cyber crime budget cuts

The UK government recently axed plans for an increase in funding to the Metropolitan Police’s cyber crime unit. With online fraud and other electronic crimes becoming increasingly commonplace, the Police Central e-crime Unit had been hoping for extra funding from the Home Office for training and equipment purposes. However the extra funding was cut as part of the coalition government’s £6 billion deficit reduction plans.

“There is concern that at the moment the cyber crime authorities are pretty pitifully funded for the level of crime that is going on,” said Graham Cluley, senior technology consultant at Sophos, speaking to eWEEK Europe last week. “I think the one thing we can be sure of is that the cyber criminals aren’t cutting their investment in this kind of crime. We are seeing more attacks than ever before. We see 60,000 pieces of new malware every single day, which is simply staggering, but that’s the level of crime that we’re seeing. So companies need to keep on top of this problem.”

Sophie Curtis

View Comments

  • Why is/are the banks in question not being named? Somebody tried to withdraw £2350.00 from my account on Saturday 6th, the first I knew of this was a letter from my bank yesterday.

  • Mark James, UK technical manager at anti virus provider ESET, said:

    "Too many internet users are apathetic or naïve when it comes to maintaining a high level of security on PC’s and internet connected devices. They are either unaware of how to maintain security or too reliant on the applications they use or sites they visit, to protect them. For example, application and software providers such as Microsoft and Adobe provide regular patches and updates to ensure vulnerabilities in their products are minimised but if users don’t install these updates when they become available, then they will remain exposed.

    "It should be best practice for all internet users to check their toolbar every time they log-in and install all updates – but many users don’t do this. For too long there has been a stigma that users avoid installing updates for fear that it will effect the smooth running of their PC – this attitude needs to change.

    "No-one expects home users to become security experts but they should make some effort to stay aware of current trends in malware and other attacks. Ultimately, protecting a PC is the user’s responsibility and no-one else’s."

  • I've been a victim of this just over the weekend. I have quite a robust anti virus software that I pay nearly 100 pounds a year for, for "total security" but still did not detect this malware!!!!!

  • The announcement of the return of Zeus is not only a demonstration of its power, but also highlights the importance of vigilance and protection against such attacks for businesses. Information confidentiality is paramount to businesses not only keeping their customers, but also maintaining a competitive advantage within their industry. Viruses such as Zeus are clearly a threat to these assets, so as such precautionary methods should be investigated. As an IT management services company (www.msc247.com), we would advise the use of a protection tool such as SentryBay which masks the key strokes and form being entered into, thus making it impossible for keyloggers etc from viewing the data being entered by customers.

  • Another comment -- from Ryan Rubin, head of information security at Protiviti:

    "There are no surprises here. Security researchers and some UK banks have been aware of the Zeus based botnets for several months now. With the wide adoption of consumer broadband services, the UK provides a fertile playing field for botnets to spread and multiply. Targeted regional attacks against consumers will continue to occur as long as the cyber criminals have an incentive to pursue this avenue of attack and software security vulnerabilities exist to give them opportunity to do so.

    “UK consumers and their bank accounts are desirable targets for financial gain, and for use as clearing accounts for money laundering. These attacks confirm that targeting the weakest link in the chain of online banking security, which is often the consumer, pays dividends in the end. Banks have been increasingly extending their security protection footprint to include their client base by offering security products and fraud tools to help them reduce the risk of a compromise.

    “However, our only long term tool for defence is raising security awareness with consumers and increasing the maturity of security controls within the consumer marketplace (which have yet to become an effective means of protection against sophisticated attacks such as these). This will continue to be increasingly important as the mainstream convergence of online banking and other e-commerce services with new technologies such as iPhones and other mobile devices take place"

  • Rather than blaming the end users for not being educated on internet security matters, I think focus should be on the banks and their (lack of) security measures. There are a number of ways in which the banks could work to keep the customers and their accounts safe, e.g. by applying behavioural technology to determine whether users are legitimate or not, and by insisting that all customers use active antivirus programs.

    Another way to go for the banks is to ensure that digital information alone is never enough to gain access to an account. It is perfectly possible – these systems are already available – for a bank to invest in a system where constantly changing offline credentials, which are only available to the account owner, are necessary for the user to verify his identity. This could be in the shape of a keycard – a piece of real, old school paper with random codes on it.

    Claus, CTO BullGuard

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

3 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

5 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

7 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

23 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

1 day ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

1 day ago