The attack, which began last week, affects a subset of Zeus installations, Amit Klein, CTO of Trusteer and head of the company's research group, told SCMagazineUS.com on Wednesday.
After an infected user logs in to one of the approximately 15 affected online banking sites, the trojan injects into the browser a phishing screen that contains logos for “Verified by Visa” and “MasterCard SecureCode,” both of which are credit card security programs that allow users to confirm their identity with an extra password when making an online transaction.
This phishing page states that “Due to recent changes in FDIC Deposit Insurance Rules, all our customers must be enrolled in the Verified by Visa or MasterCard SecureCode program depending on type of your check card.”
The spoofed screen (left) asks users to input their Social Security number, card number, expiration date, the security code on the back of the card and their PIN, and to choose a password. The screen also notes that users who are already enrolled in either program should enter their current password.
“This attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate,” Klein said.
Additionally, the phishing page allows the attackers to obtain all the necessary information to carry out credit card fraud and even make online transactions with retailers that participate in the Verified by Visa or MasterCard SecureCode programs, Klein said.
Visa and MasterCard representatives could not be reached for comment.
Zeus is professionally written malware that is constantly morphing and is not simple to remove, Klein told SCMagazineUS.com. Those behind the trojan have a sophisticated business model, licensing the rights to use the malware to other cybercriminals. As a result, many different gangs run their own licensed versions of Zeus and distribute them independently.
The latest attack is a configuration for a specific Zeus botnet: Zeus gets its web-injection targets and the markup to insert from a per-botnet configuration rather than from the executable itself, so not all Zeus-infected computers will display this new in-session phishing screen.
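As an added example (not code from the article, from Trusteer or from the Zeus authors), the script below shows the mechanism behind the two points above: a configuration file tells the trojan which URLs to target and what markup to splice into the page after login, and a defender who knows what the clean page looks like can recover the inserted fragment. It uses the `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` block layout of Zeus webinject files, matching URLs as globs and ignoring the request-type flags (a simplification); the bank URL, the login page and the injected fields are constructed for the illustration.

```python
"""Zeus-style web injection: parse a webinjects config, apply it to a page,
then detect the injected fragment by diffing against a clean baseline.
Added example; bank URL, page markup and injected fields are constructed."""
from __future__ import annotations

import difflib
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str       # glob from set_url, e.g. https://bank.example/login*
    flags: str = ""        # request-type flags after the URL (ignored here)
    before: str = ""       # data_before: anchor text that must exist in the page
    inject: str = ""       # data_inject: markup inserted right after the anchor
    after: str = ""        # data_after: text that must follow the anchor


def parse_webinjects(text: str) -> list[Inject]:
    """Parse set_url / data_* / data_end blocks into Inject rules."""
    rules: list[Inject] = []
    current, section, buf = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is None and line.startswith(";"):   # comment line
            continue
        if line.startswith("set_url"):
            parts = line.split(maxsplit=2)
            current = Inject(url_pattern=parts[1],
                             flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf).strip())
            section = None
        elif section is not None:
            buf.append(raw)
    return rules


def apply_webinjects(html: str, url: str, rules: list[Inject]) -> str:
    """Splice each matching rule's markup in after its data_before anchor."""
    out = html
    for r in rules:
        if not r.before or not fnmatch.fnmatchcase(url, r.url_pattern):
            continue
        idx = out.find(r.before)
        if idx < 0:
            continue
        end = idx + len(r.before)
        if r.after and out.find(r.after, end) < 0:   # data_after must follow
            continue
        out = out[:end] + r.inject + out[end:]
    return out


def find_injected(baseline: str, observed: str) -> list[str]:
    """Return fragments present in the observed page but not in the baseline."""
    sm = difflib.SequenceMatcher(None, baseline, observed, autojunk=False)
    return [observed[j1:j2] for op, _, _, j1, j2 in sm.get_opcodes() if op == "insert"]


# Field names a bank login page never legitimately asks for at sign-in.
SENSITIVE = re.compile(r'name=["\']?(ssn|pin|cvv|cardnumber)["\']?', re.I)


def requests_sensitive_fields(fragment: str) -> list[str]:
    return sorted({m.group(1).lower() for m in SENSITIVE.finditer(fragment)})


# Constructed sample data: a clean login page and a hostile webinject config.
BANK_URL = "https://bank.example/login"
BASELINE = """<html><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
<input type="submit" value="Sign in">
</form>
</body></html>"""

WEBINJECTS = """; constructed sample in the set_url / data_* layout
set_url https://bank.example/login* GP
data_before
<input name="pass" type="password">
data_end
data_inject
<div id="enroll"><p>Enrollment required</p>
<input name="cardnumber"><input name="pin"><input name="ssn"></div>
data_end
data_after
<input type="submit"
data_end
"""


def demo() -> dict:
    rules = parse_webinjects(WEBINJECTS)
    observed = apply_webinjects(BASELINE, BANK_URL, rules)
    fragments = find_injected(BASELINE, observed)
    return {"rules": len(rules), "injected": observed != BASELINE,
            "fragments": fragments,
            "fields": requests_sensitive_fields("".join(fragments))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The diff-based check is the defender's half: a bank that knows its own page can compare it with what the browser actually rendered and flag inserted form fields, which is how this kind of in-session attack is caught despite the legitimate login having succeeded.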
“If this is being used by a single botnet, we are talking about tens to hundreds of thousands of PCs or more [susceptible to this attack],” Klein said.