More Arrests But Zeus Trojan Rules In Online Bank Fraud

The arrests keep coming in connection with the cyber-crime ring that used the Zeus Trojan to steal millions from bank accounts. But the publicity is adding value to the exploit kit

Ukraine police arrested five individuals accused of being part of a cyber-crime ring that used the Zeus Trojan to steal $70 million from US banks and £6 million from UK accounts. The arrests targeted people the FBI described as “key suspects responsible for this overarching scheme.”

Authorities in the United States and the United Kingdom have been taking action as part of “Operation Trident Breach” which began in May 2009, when FBI agents in Omaha, Nebraska, were alerted to Automated Clearing House (ACH) batch payments to 46 separate bank accounts throughout the United States.

Agents quickly realised the scope of the crime and partnered with local, state, and federal partners, cybercrime task forces, working groups, and foreign police agencies in the Netherlands, Ukraine, and the United Kingdom to bring those responsible to justice.”

According to security researchers, the price of the Zeus Trojan can range from a few thousand to possibly as high as $10,000. Additional features and services such as Windows 7 support or “Firefox form grabber” can be purchased for $2,000, Ivan Macalintal, senior threats researcher at Trend Micro, told eWEEK.

“It is the most popular Trojan tool kit going today,” said Dave Marcus, director of security research and communications at McAfee Labs. “It’s also the highest priced and most effective.”

In the years since it was first seen in the wild, Zeus has been linked to numerous criminal operations and botnets. Trusteer, for example, earlier in 2010 found a 100,000-strong Zeus botnet that was tied to the theft of a wide range of user data, including credit card numbers and browser cookies.

The malware is spread by a variety of means, including drive-by downloads and spam attacks. The constant development of variants allows Zeus to evade antivirus software, researchers said.

“The tool kit is very well developed and of professional grade,” Marcus noted. “It’s probably the most popular, because it’s hands-down the most effective. Cyber-criminals love it because it’s a money-maker.”

However, Marc Fossi, manager of research and development for Symantec Security Response, said Zeus is not as broadly advertised as it once was because of the attention it attracts.

“In fact, one Website we recently observed had a rule banning sales and downloads of Zeus through their forum because of the attention it was drawing to them,” Fossi said.

Recently, Zeus operators made an attempt to trick users of mobile devices into giving up their mobile phone numbers so they could infect those devices with an SMS (Short Message Service) monitoring program that can be used to steal transaction authentication numbers sent to users by banks to authenticate online banking transactions.

“The banking industry needs to be doing more,” said Alex Cox, principal analyst for NetWitness. “In the past, online fraud losses were looked at as a cost of doing business, as long as they didn’t exceed whatever the expected loss percentage was. And US-based banks have historically lagged behind European banks as far as online banking safeguards go, too.”

“The popularity and power of Zeus is that it offers a very low barrier to entry, with a high possibility of return,” Cox said. “As such, the use of Zeus is prolific to the point that we see it in the vast majority of organisations who call us in to assess them – either via infected hosts inside the corporate network, or being used to commit fraud via the business online portals. Infection mechanisms in [the recent arrests] were likely a combination of exploits, phishing and second-stage malware payload. This works so there is no need to change it or do anything different.”