Zeus Trojan Steals Bank Account Info via Facebook
A nasty Trojan virus nicknamed Zeus has been spreading quickly through social media forums like Facebook and via links to fake webpages. Once a system is compromised, the virus lays in wait until the user accesses a banking account or credit card website wherein it captures login and personal data. That information is then transferred to servers controlled by cybercriminals who sell the data or drain the victim’s bank account.
Zeus began circulating the net about six years ago, but has seen resurgence in recent months according to Internet security firm Trend Micro. The New York Times’s Nicole Perlroth (http://bits.blogs.nytimes.com/2013/06/03/malware-that-drains-your-bank-account-thriving-on-facebook/) reports that millions of computers are already infected, most of which are in the United States.
Much of this malware’s recent rapid disbursement is via links posted on Facebook. Culprits set up fake profiles and post links on popular fan pages or hack user accounts to spam links to “Friends.” In many cases, links take the user to a website where they’re prompted to purchase knock-off designer goods. After entering credit card info to complete the purchase, the victim’s credit card number (along with name and address) is sold or used to place fraudulent charges. In other cases, the website link takes the user to an infected page that installs malicious code when accessed by the unsuspecting victim.
The virus is also spread from compromised email accounts: the Trojan accesses an infected user’s contact list and then sends emails with links to malware-infected pages. The sender address is spoofed to appear as though the email was sent by the infected account, so anyone in the infected user’s contact list receives a message that appears to have come from a known source. If you ever receive a suspicious-looking email with a link or attachment, even if you recognize the sender, do not click the link. Instead, contact the sender to confirm that the email was truly sent by them.
Once infected, the Trojan virus runs silently in the background, harvesting users’ private data. In some cases, compromised systems redirect victims to dummy websites made to appear like the user’s bank or credit card account login page so that more valuable personal information (such as social security number, date of birth, address, etc) can be collected.
Many of the fraudulent links used to spread Zeus via Facebook in recent months have ended in .tk (where you’d typically see .com or .org). This domain indicates that the website is hosted via Tokelau, a small territory part of New Zealand which is, according to Jerome Segura of the anti-malware software company Malwabytes, “a hotbed for all sorts of online fraud.” As infected webpages are identified and blocked by browsers and/or antivirus software, cybercriminals simply set up a new web address, so there’s no easy way to eradicate Zeus and its variants from the net.
While Facebook has partnered with web security specialists WebSense and Web Of Trust (WOT) to identify, flag and alert users of potentially fraudulent links, it’s ultimately up to the user to exercise caution when clicking links on Facebook, in emails, or anywhere on the net. Keep in mind that links to Zeus-infected pages are cropping up all over the Web, from comments on articles or blogs to sponsored ads, so users must remain diligent about avoiding weblinks from anywhere but a completely trusted source.
In a blog posted to Trend Micro’s “TrendLabs” (http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-malware-shapes-up-in-2013/), Jay Yaneza recommends that you bookmark trusted websites so that you don’t inadvertently mis-type an address and end up re-directed to an imposter site. He cautions that users should avoid visiting unknown websites and keep their system’s anti-malware software up to date to reduce the risk of exposure.