New Zeus malware scam promises rebates, security

Attacks on Gmail, Hotmail, Yahoo unique in targeting MasterCard SecureCode and Verified by Visa's 3D Secure service, Trusteer says

A new Zeus P2P malware variant discovered last week by security vendor Trusteer is attempting to scam users of some of the Internet's most popular and trusted brands -- Facebook, Google Mail, Hotmail and Yahoo -- with promises of rebates and new security measures.

In a blog post, Trusteer CTO Amit Klein ays the scams "exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users' debit card data."

As usual, the fraudsters try to trick users into providing confidential financial information: debit card number, expiration date, security code, and PIN. On Facebook, a web inject offers a 20-percent cash back offer by linking a Visa or MasterCard debit card to their account.

What is unique about this one, Klein writes, is that "in the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs."

Trusteer's director of product marketing, Oren Kedem, says while web injects are common, this is the first time he has seen a scam try to use 3D Secure. "Many customers are familiar with it," he says, "and it has become so trustworthy that victims could see it as a plausible approach."

In this case, the lure is convenience. Victims are told that if they link their debit card to their web mail accounts, "all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively," and, of course, that they will be protected from fraud in the future, by providing their confidential information. The Hotmail attack is similar.

Users are "reassured" that, "Your Debit Card pin is ONLY used for verification purposes. It activates CashBack option. Never disclose your Debit PIN to anyone, including family and friends. Your Debit PIN is confidential and is for your use online."

Kedem says he does not know how many people have fallen for the scam, "but since this is a version of Zeus, which is the No. 1 malware out there and since just about everybody uses one of these services, there is a large number of targets." He says Trusteer has notified the companies of the new variant.

Kedem says the most common way to get infected with the Zeus malware is by "drive-by" download - simply by visiting a website with the malware present. It then takes over the user's browser when one of the targeted sites, like Facebook, is visited. He says users should take the usual precautions with any unsolicited offer they see online that asks for confidential information.

Another way to tell is to check the use of the language. While this scam uses relatively accurate English, there are mistakes. In the line about the Debit PIN, the web inject uses the lower-case "pin" one time, and capitalizes it the other two times. It also says, "It activates CashBack option," leaving out "the" before CashBack.

The Gmail web inject starts with: "We are glad to offer you participate ..." Such mangling of English, even in a minor way, should amount to a red flag.

There is little else to warn potential victims, Klein writes. "These web injects are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud."

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)