Malware, Vulnerability Management

Zeus botnet targeting Macy’s, Nordstrom account holders

A new Zeus botnet is targeting the credit card accounts of several major U.S. retailers, including Macy's and Nordstrom, researchers at online banking security firm Trusteer have warned.

The attack, discovered this week and currently ongoing, uses social engineering to trick users into handing over their retail credit card information and other sensitive data, Amit Klein, CTO of Trusteer, told SCMagazineUS.com on Thursday.

“We used to see Zeus only attacking banks and financial institutions,” Klein said. “What we are seeing now is diversification.”

The attack uses Zeus 2.1.0.8, the latest and most sophisticated version of the Zeus malware platform to date, he said. Once an infected user has logged into a targeted retailer's card services website, the malware injects a legitimate-looking pop-up that reads: “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.”

The user is asked to enter their Macy's or Nordstrom credit card number, expiration date, security code, Social Security number, mother's maiden name and date of birth, Klein said. Though other variants of Zeus have frequently used these techniques against financial institutions, this is the first time it has been employed against a retailer's site.

“This is a very effective social engineering attack,” he said. “They wrap it with a security message, which explains why the user is seeing this unusual screen. The user is led to believe this is for his or her own security.”

It is unknown how widespread the attack is, but Zeus botnets generally are made up of tens of thousands to hundreds of thousands of infected machines. 

Meanwhile, banking trojans such as Zeus have been the greatest online banking threat of the year, according to a new survey from multifactor authentication provider PhoneFactor

In the survey of more than 70 financial institutions, 51 percent of respondents said attacks from trojans, such as Zeus or Clampi, are the greatest threat to online banking. Moreover, 69 percent of respondents said they have noticed an increase in such attacks over the past year.

When a user logs into their bank account on a Zeus-infected computer, the malware can do “practically anything,” including wire money out of the account and hide fraudulent transactions by altering the balance that is displayed, Klein said.

Banks have implemented a variety of measures to address Zeus and similar threats, including one-time password methods and security questions, said Sarah Fender, vice president of marketing and product management at PhoneFactor.

However, sophisticated banking trojans can defeat these security measures because the malicious activity generally occurs after a user has been authenticated, she told SCMagazineUS.com on Thursday.

In addition, many merchants and card issuers also are investing in fraud detection technologies to thwart Zeus and other malware, Klein said. But cybercriminals are constantly refining their attack methods, making these security defenses less effective.

“It is a real challenge for banks and other organizations to stay ahead of these threats,” Fender said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.