Zeus botnet targeting Macy's, Nordstrom account holders

Share this article:

A new Zeus botnet is targeting the credit card accounts of several major U.S. retailers, including Macy's and Nordstrom, researchers at online banking security firm Trusteer have warned.

The attack, discovered this week and currently ongoing, uses social engineering to trick users into handing over their retail credit card information and other sensitive data, Amit Klein, CTO of Trusteer, told SCMagazineUS.com on Thursday.

“We used to see Zeus only attacking banks and financial institutions,” Klein said. “What we are seeing now is diversification.”

The attack uses Zeus, the latest and most sophisticated version of the Zeus malware platform to date, he said. Once an infected user has logged into a targeted retailer's card services website, the malware injects a legitimate-looking pop-up that reads: “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.”

The user is asked to enter their Macy's or Nordstrom credit card number, expiration date, security code, Social Security number, mother's maiden name and date of birth, Klein said. Though other variants of Zeus have frequently used these techniques against financial institutions, this is the first time it has been employed against a retailer's site.

“This is a very effective social engineering attack,” he said. “They wrap it with a security message, which explains why the user is seeing this unusual screen. The user is led to believe this is for his or her own security.”

It is unknown how widespread the attack is, but Zeus botnets generally are made up of tens of thousands to hundreds of thousands of infected machines. 

Meanwhile, banking trojans such as Zeus have been the greatest online banking threat of the year, according to a new survey from multifactor authentication provider PhoneFactor

In the survey of more than 70 financial institutions, 51 percent of respondents said attacks from trojans, such as Zeus or Clampi, are the greatest threat to online banking. Moreover, 69 percent of respondents said they have noticed an increase in such attacks over the past year.

When a user logs into their bank account on a Zeus-infected computer, the malware can do “practically anything,” including wire money out of the account and hide fraudulent transactions by altering the balance that is displayed, Klein said.

Banks have implemented a variety of measures to address Zeus and similar threats, including one-time password methods and security questions, said Sarah Fender, vice president of marketing and product management at PhoneFactor.

However, sophisticated banking trojans can defeat these security measures because the malicious activity generally occurs after a user has been authenticated, she told SCMagazineUS.com on Thursday.

In addition, many merchants and card issuers also are investing in fraud detection technologies to thwart Zeus and other malware, Klein said. But cybercriminals are constantly refining their attack methods, making these security defenses less effective.

“It is a real challenge for banks and other organizations to stay ahead of these threats,” Fender said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.