
Friday, June 24, 2011

Advanced Zeus Trojan Hits Polish ING Customers

IDG News Service — A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.
The security vendor F-Secure blogged on Monday about the issue, which was analyzed on the website of security consultant Piotr Konieczny.
F-Secure wrote that it appears to be the same style of attack found by the Spanish security company S21sec last September, which marked a disconcerting evolution in Zeus, one of the most advanced banking Trojans designed to steal passwords.
Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorize transactions performed on a desktop machine. First, attackers infect a person's desktop or laptop. Then, when that person logs into a financial institution such as ING, the malware injects HTML fields into the legitimate Web page.
Those fields ask for a person's mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and BlackBerry devices.
Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.
ING officials contacted in the Netherlands on Monday afternoon did not have an immediate comment.
The SMS ability of Zeus has prompted vendors such as Cloudmark to warn about how SMS spam -- or SMS messages designed to enable other malware -- are a growing threat. Cloudmark sells a system to operators that analyzes SMS messages and can filter ones that have spam or other offensive content.

Thursday, June 23, 2011

Online banking hit by thieves

A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off.
The Trojan, which targets Windows-based computers, is being used by criminals in Eastern Europe to steal money from accounts in the United States, Poland, and Denmark, Amit Klein, chief technology officer of Trusteer, writes in a blog post today.
Klein said in an e-mail that he could not identify the banks being targeted or provide an estimate on the number of victims.
"It is early days for this malware," he said. "It appears to be a work in progress, so we expect the code to become more sophisticated over time."
The Trojan intercepts communications that customers have with banking sites via Internet Explorer or Firefox, stealing or interjecting information and terminating user browser sessions when done, Trusteer said.
When a bank customer is on the bank site, the Trojan takes advantage of the session ID token to impersonate the customer, riding the coattails of the existing authenticated session. It then bypasses the logout request of the customer so that the session is not actually terminated when the customer thinks he or she is logging out.
To avoid triggering security software, the malware's configuration is not saved to disk, but a fresh copy is fetched from the command and control server each time a new browser session is opened.
Web surfers can protect themselves by installing software security updates, refraining from clicking on URLs in e-mail messages, and using software that secures Web access, like Trusteer's Rapport product, the company said.

Beware enticing Bieber links, free offers on Facebook

A clickjacking attack on Facebook lures victims in with purported video and then surreptitiously "likes" the post, spreading it further.

Old scams hiding under new headlines were circulating on Facebook this week, including promises of video involving obsessed Justin Bieber fans.

"I can't believe a GIRL did this because of Justin Bieber," says the post that has been appearing on Facebook walls and status updates.

Clicking the link leads to a fake YouTube-looking page that says "Please Watch this video only if you are 16 years or older," according to an M86 blog post. Hidden behind the video window is an iframe linked to Facebook so that clicking anywhere in the window will submit a "like" click to the page and spread the post on the victim's Facebook page. This is a standard clickjacking attack that is taking advantage of a current hot topic--the teen singer.

The scam doesn't stop there. A fake Facebook dialog box also pops up that asks the victim to verify his or her age by completing a survey with links to sites relating to auto insurance, according to M86.

Facebook was able to stop this scam fairly quickly, but not before it had garnered more than 20,000 likes. Other variants of the scam were spreading, M86 said.

Separately, scammers had rehashed some scams involving offers of free iPads, free Southwest Airlines tickets, and a Miley Cyrus-related video link via posts on the site and e-mail messages. It's unclear exactly how those scams worked and if they involved clickjacking.

Clickjacking prompts a victim to click something while a different action is taken behind the scenes. It takes advantage of a vulnerability in a Web browser and is not specific to Facebook.

If you see a potential or obvious scam on Facebook, report it to the person whose account is spreading it, M86 said. The NoScript Firefox plug-in protects against clickjacking attacks such as this, it added.

Because clickjacking exploits a browser weakness, Facebook can't technically prevent it completely, a Facebook spokesman said. "We continue to build additional protections to mitigate its impact," he said in an e-mail. "We're also involved in discussions with others in the industry on how to fix the underlying issue on the browser side."
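The scam described above depends on a page allowing itself to be drawn inside another site's frame. For pages that are never meant to be embedded, a site can tell the browser to refuse framing with the X-Frame-Options or Content-Security-Policy `frame-ancestors` response headers. The following is an added example, not code from the article, M86 or Facebook, that checks a response's headers for that protection; `framingVerdict` and the sample header sets are constructed here for illustration.

```javascript
// Added example: classify how freely a response may be framed by other origins.
// Header names are lower-case keys, as Node's http module delivers them.
const RANK = { deny: 0, 'same-origin': 1, 'allow-list': 2, any: 3 };

// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map(s => s.toLowerCase());
  }
  return null;
}

function classify(sources) {
  // An empty list or a lone 'none' matches no embedder at all.
  if (sources.length === 0 || sources.every(s => s === "'none'")) return 'deny';
  if (sources.some(s => s === '*' || /^https?:$/.test(s))) return 'any';
  if (sources.every(s => s === "'self'")) return 'same-origin';
  return 'allow-list';
}

function framingVerdict(headers) {
  // Every enforced policy applies; approximate the result by the strictest one.
  const policies = [].concat(headers['content-security-policy'] || [])
    .flatMap(v => v.split(','));
  const verdicts = policies.map(frameAncestors).filter(Boolean).map(classify);
  if (verdicts.length) {
    // frame-ancestors takes precedence: browsers then ignore X-Frame-Options.
    return verdicts.reduce((a, b) => (RANK[a] <= RANK[b] ? a : b));
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // No header, obsolete ALLOW-FROM, or a report-only CSP: nothing stops framing.
  return 'any';
}

// Constructed sample responses (not captured from any real site).
const samples = {
  unprotected: {},
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  modern: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  reportOnly: { 'content-security-policy-report-only': "frame-ancestors 'none'" },
};
for (const [name, h] of Object.entries(samples)) {
  console.log(name, '->', framingVerdict(h));
}
```

A widget that is designed to be embedded on other sites cannot send a blanket deny without breaking its own use, so these headers protect a site's ordinary pages rather than such widgets.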

Facebook users should be suspicious of anything that looks or feels strange, even if it has been posted by a friend. Facebook offers tips for how to recognize and avoid clickjacking on the "Threats" tab of the Facebook Security Page.

The company also has developed automated systems to detect and flag Facebook accounts that are likely to be compromised based on suspicious activity like lots of messages sent in a short period of time or messages with links that are known to be bad. Once Facebook detects a phony post it is deleted across the site. The company blocks malicious links from being shared and works with third parties to get phishing and malware sites added to browser blacklists or taken down. And Facebook displays warnings when people click on a link that has been identified as malicious from an e-mail notification.

Here are some basic safety tips for using Facebook or any site on the Web:

• Use an up-to-date browser that features an antiphishing blacklist.

• Choose unique log-ins and passwords for each of the Web sites you use.

• Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.

• Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional log-in.