Zeus Trojan steals $1 million from U.K. bank accounts

New, dangerous combination of banking Trojan and exploit toolkit enables criminals to transfer money out of accounts while users are logged into the bank site, without them knowing it.

Elinor Mills, Former Staff Writer, CNET News
This illustration shows the different moving parts of the online scam. (Illustration: M86 Security)

Consumers and businesses in Great Britain have lost more than $1 million so far this summer to a Trojan that infects their computers, waits for them to log into their bank accounts, and then surreptitiously transfers money to scammers in other countries, security researchers said on Tuesday.

About 3,000 bank accounts were found to be compromised at one financial institution, which was not identified, according to a white paper released by M86 Security.

The multilevel scheme combines a new version of the Zeus Trojan, a keylogger and password stealer that targets Windows-based computers and runs inside the major browsers, with exploit toolkits for the initial infection and with code injected into the browser to get around the anti-fraud systems used at bank Web sites, the report found.

Two-factor authentication at bank sites, such as one-time passcodes and ID tokens, is ineffective against this attack because the malware has taken over the browser once the victim has logged into the banking site, Bradley Anstis, vice president of technology strategy at M86 Security, told CNET.

"This latest iteration of Zeus is dedicated to online banking," and is bringing malware to a new level of technical sophistication, Anstis said. "The Trojan uses encrypted communications between the infected computers and the command-and-control servers and performs illegal online banking transactions," he said. M86 Security is working with law enforcement.

It appears to work similarly to the URLZone bank Trojan, reported by Finjan a year ago, that targeted German bank customers.

Here's how the latest online scam works.

A computer user is infected by visiting a legitimate Web site that is secretly hosting the malware, a site set up specifically to host the malware, or a legitimate site serving the malware through an advertisement. The primary infection vector was malicious advertisements, including ads delivered through Yahoo's Yieldmanager.com, the report said.

The malicious page or ad redirects the Web surfer to an exploit kit, either the Eleonore Exploit Toolkit or the Phoenix Exploit Toolkit, which exploits a vulnerability on the surfer's computer and drops the Trojan on the machine. The Eleonore Exploit Toolkit includes exploits for vulnerabilities in Adobe Reader, Java, and Internet Explorer, among others.

"The initial infection where the exploit kit compromised the victim's machine used a number of vulnerabilities that we list in the paper, one of those was an IE vulnerability that affected IE v6 & v7," Anstis said. "However that was only one of the six or so vulnerabilities that could have been used for this initial infection. The exploit kit tests the victim machine for each one in order to get a successful infection."

The Trojan contacts a command-and-control server located in Eastern Europe to get its instructions, then sits on the victim's computer waiting for the opportunity to act.

When the user accesses his or her bank Web site, the Trojan sends the log-in ID, date of birth, and security number to the command-and-control server. Once the user reaches the transactional section of the bank Web site, the Trojan receives new JavaScript code from the server and uses it to replace the bank's own JavaScript for the transaction form.

When the user fills in the transaction form for legitimate business, the Trojan manipulates the transaction behind the scenes. It first checks the account balance; if the balance is over a certain amount, it decides how much to steal, keeping the sum under a limit so as not to trigger automatic fraud detection alarms.

The money is transferred to bank accounts of so-called "money mules," typically innocent people recruited to use their own bank accounts to funnel money through. From there, the money is transferred to accounts in other countries that are controlled by the scammers.

Anstis declined to identify the bank whose customers were targeted. "Interestingly, this company did offer free security software," he said. Either "the owners of the compromised accounts didn't take them up (on the offer) or the software wasn't effective."

This is a screenshot from a fake Web site created to lure money mules into the scam. (Screenshot: M86 Security)

Updated on August 13, 1:50 p.m. PDT: This story was corrected by removing misinformation provided by M86 about statistics related to non-Windows machines. Such machines, including Macs, were not affected by this attack.