Zeus botnet targeting Macy's, Nordstrom account holders

A new Zeus botnet is targeting the credit card accounts of several major U.S. retailers, including Macy's and Nordstrom, researchers at online banking security firm Trusteer have warned.

The attack, discovered this week and currently ongoing, uses social engineering to trick users into handing over their retail credit card information and other sensitive data, Amit Klein, CTO of Trusteer, told SCMagazineUS.com on Thursday.

“We used to see Zeus only attacking banks and financial institutions,” Klein said. “What we are seeing now is diversification.”

The attack uses Zeus 2.1.0.8, the latest and most sophisticated version of the Zeus malware platform to date, he said. Once an infected user has logged into a targeted retailer's card services website, the malware injects a legitimate-looking pop-up that reads: “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.”

The user is asked to enter their Macy's or Nordstrom credit card number, expiration date, security code, Social Security number, mother's maiden name and date of birth, Klein said. Though other variants of Zeus have frequently used these techniques against financial institutions, this is the first time they have been employed against a retailer's site.

“This is a very effective social engineering attack,” he said. “They wrap it with a security message, which explains why the user is seeing this unusual screen. The user is led to believe this is for his or her own security.”

It is unknown how widespread the attack is, but Zeus botnets generally are made up of tens of thousands to hundreds of thousands of infected machines. 

Meanwhile, banking trojans such as Zeus have been the greatest online banking threat of the year, according to a new survey from multifactor authentication provider PhoneFactor.

In the survey of more than 70 financial institutions, 51 percent of respondents said attacks from trojans, such as Zeus or Clampi, are the greatest threat to online banking. Moreover, 69 percent of respondents said they have noticed an increase in such attacks over the past year.

When a user logs into their bank account on a Zeus-infected computer, the malware can do “practically anything,” including wire money out of the account and hide fraudulent transactions by altering the balance that is displayed, Klein said.

Banks have implemented a variety of measures to address Zeus and similar threats, including one-time password methods and security questions, said Sarah Fender, vice president of marketing and product management at PhoneFactor.

However, sophisticated banking trojans can defeat these security measures because the malicious activity generally occurs after a user has been authenticated, she told SCMagazineUS.com on Thursday.

In addition, many merchants and card issuers are investing in fraud detection technologies to thwart Zeus and other malware, Klein said. But cybercriminals are constantly refining their attack methods, making these security defenses less effective.

“It is a real challenge for banks and other organizations to stay ahead of these threats,” Fender said.
