Beware of Trojans

As posted in Credit Union Times November 3, 2010 

Avalanche Gang Now Focuses on Zeus Trojan

The world’s most active phishing gang is no longer phishing as much, researchers said, but that’s not necessarily good news.

The Avalanche gang instead has moved from using conventional e-mail spam to trick users into entering their PINs and passwords at spoof sites and instead is relying more on infecting computers with the Zeus Trojan credential-stealing malware.

That’s according to a new report from the Anti-Phishing Working Group, which said its research found that the Avalanche botnet infrastructure went from accounting for two-thirds of all observed phishing attacks in late 2009 to only four this past July.

Instead, the crime syndicate now concentrates on sending billions of faked messages purporting to be from the IRS, social networks and other sites. The Zeus Trojan is then downloaded and begins capturing identifying information if the recipient visits the links in the fake e-mails.

"While the cessation of phishing operations by the Avalanche phishing group is great news for the antiphishing community, their shift to the nearly exclusive distribution of Zeus malware is an ominous development in the e-crime landscape," said study co-author Rod Rasmussen of Internet Identity in Tacoma, Wash.

"Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing," he said.

The APWG report noted, however, that traditional phishing attacks continue as well, as multiple tools are used by cyber fraudsters to steal online.

The APWG is a global coalition of more than 1,800 industry, law enforcement and other government and nongovernmental organizations formed in 2003 to fight identity theft and fraud resulting from phishing, e-mail spoofing and crimeware.


As posted by CNET News August 10, 2010

Zeus Trojan steals $1 million from U.K. bank accounts

Consumers and businesses in Great Britain have lost more than $1 million so far this summer from a Trojan that is infecting their computers, prompting them to log into their bank accounts, and then is surreptitiously transferring money to scammers in other countries, security researchers said on Tuesday.

About 3,000 bank accounts were found to be compromised at one financial institution, which was not identified, according to a white paper released by M86 Security.

The multilevel scheme uses a combination of a new version of the Zeus keylogger and password stealer Trojan, which targets Windows-based computers and runs on major browsers, and exploit toolkits to get around anti-fraud systems used at bank Web sites, the report found.

Bank sites that offer two-factor authentication, such as one-time passcodes and ID tokens, are ineffective because the malware has taken over the browser after the victim has logged into the banking site, Bradley Anstis, vice president of technology strategy at M86 Security, told CNET.

"This latest iteration of Zeus is dedicated to online banking," and is bringing malware to a new level of technical sophistication, Anstis said. "The Trojan uses encrypted communications between the infected computers and the command-and-control servers and performs illegal online banking transactions," he said. M86 Security is working with law enforcement.

It appears to work similarly to the URLZone bank Trojan reported by Finjan a year ago that targeted German bank customers.

Here's how the latest online scam works.

A computer user is compromised by either visiting a legitimate Web site that is secretly hosting the malware, or a site designed to host the malware, or a legitimate site hosting the malware in an advertisement. The primary attack came through malicious advertisements, including ads delivered by Yahoo's Yieldmanager.com, the report said.

The malware redirects a Web surfer to an exploit kit, either the Eleonore Exploit Toolkit or the Phoenix Exploit Toolkit, that then exploits a vulnerability on the surfer's computer and drops the Trojan on the machine. The Eleonore Exploit Toolkit includes exploits for vulnerabilities in Adobe Reader, Java, and Internet Explorer, among others.

"The initial infection where the exploit kit compromised the victim's machine used a number of vulnerabilities that we list in the paper, one of those was an IE vulnerability that affected IE v6 & v7," Anstis said. "However that was only one of the six or so vulnerabilities that could have been used for this initial infection. The exploit kit tests the victim machine for each one in order to get a successful infection."

While more than 280,000 compromised computers were running some variant of Windows, there were about 3,000 Macs running the exploit kit that were part of the botnet, along with about 300 PlayStations and seven machines running Nintendo Wii, the report found.

The Trojan contacts a command-and-control server located in Eastern Europe for instructions, then sits on the victim's computer waiting for the opportunity to act.

When the user accesses his or her bank Web site, the Trojan transfers the log-in ID, date of birth, and a security number to the command-and-control server. Once the user accesses the transactional section of the bank Web site, the Trojan receives new JavaScript code from the outside server to replace the original bank JavaScript used for the transaction form.

When the user interacts with the transaction form for legitimate business, the Trojan works behind the scenes to manipulate the transaction. First it checks the account balance and if it is over a certain amount it will determine how much to steal within a limit so as not to trigger automatic fraud detection alarms.

The money is transferred to bank accounts of so-called "money mules," typically innocent people recruited to use their own bank accounts to funnel money through. From there, the money is transferred to accounts in other countries that are controlled by the scammers.
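The steps above explain why a one-time passcode that only authenticates the login does nothing once injected JavaScript rewrites the transfer form. The following added example (not code from the article or from M86 Security) models both schemes in Python: a session-level OTP, which accepts whatever the hijacked browser submits, beside a code bound to the payee and amount, which the bank recomputes over the transfer it actually received. The shared token seed and the account numbers are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed per-customer secret shared between the bank and the customer's
# token (assumption for this example; real tokens carry their own seeds).
TOKEN_SEED = b"constructed-example-token-seed"

@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_pence: int

def canonical(t: Transfer) -> bytes:
    # Fixed field order so both sides authenticate exactly the same bytes.
    return f"{t.payee_account}|{t.amount_pence}".encode()

def transaction_code(seed: bytes, t: Transfer) -> str:
    """6-digit code bound to payee and amount: the token computes it from the
    details the customer keys in, the bank from the details it received."""
    digest = hmac.new(seed, canonical(t), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def session_otp_accepts(session_authenticated: bool, submitted: Transfer) -> bool:
    # The scheme the article describes as defeated: the passcode only proves
    # who logged in, so any transfer the browser submits afterwards is honoured.
    return session_authenticated

def bound_code_accepts(seed: bytes, submitted: Transfer, code: str) -> bool:
    # The bank recomputes the code over the transfer it actually received.
    return hmac.compare_digest(transaction_code(seed, submitted), code)

def submit(seed: bytes, intended: Transfer,
           rewritten_by_trojan: Optional[Transfer] = None) -> Tuple[bool, bool]:
    """Return (accepted under session OTP, accepted under transaction-bound code)."""
    code = transaction_code(seed, intended)        # customer's token, off the PC
    submitted = rewritten_by_trojan or intended    # injected JS edits the form
    return (session_otp_accepts(True, submitted),
            bound_code_accepts(seed, submitted, code))

if __name__ == "__main__":
    legit = Transfer("11-22-33 12345678", 5_000)     # constructed: GBP 50.00
    mule = Transfer("44-55-66 87654321", 249_900)    # constructed: kept under a limit
    print(submit(TOKEN_SEED, legit))        # (True, True)
    print(submit(TOKEN_SEED, legit, mule))  # (True, False)
```

The second call shows the point the article makes: the session OTP still accepts the rewritten transfer, while the transaction-bound code rejects it because the mule account and amount were never keyed into the token.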

Anstis declined to identify the bank whose customers were targeted. "Interestingly, this company did offer free security software," he said. Either "the owners of the compromised accounts didn't take them up (on the offer) or the software wasn't effective."
