Zeus Variant Targeting Online Banking Customers in UK, US
Security firm Trusteer has spotted a “concerning development” in some new Ice IX configurations that target online banking customers in the UK and US.
Ice IX is a modified variant of the ZeuS financial malware platform that captures information on telephone accounts belonging to the victims, allowing attackers to divert calls from the bank intended for their customer to attacker-controlled phone numbers.
“We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services that approve the transactions,” Trusteer said.
The attackers so designed the malware such that at login the Ice IX steals the victim’s user id and password, information/secret question answer, date of birth and account balance.
Then, Trusteer further found, the victims are made to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list including the British Telecommunications, TalkTalk and Sky.
Next, the attacker modifies the victims’ phone service settings by asking them to submit their telephone account number.
Trsuteer said: “This is very private data typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding.
“The fraudsters justify this request by stating this information is required as a part of verification process caused by ‘a malfunction of the bank’s anti-fraud system with its landline phone service provider.’”
The security firm noted that an increasing number of fraudsters have turned to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This may shun security mechanisms that detect anomalies once transactions have already been executed by the user.
However, these security measures have been proven to be weak in the face of Gameover, another Zeus variant that, like Ice IX, can circumvent post transaction fraud prevention measures.
Last month, the Federal Bureau of Investigation released its findings on this attack, which stated that this campaign purports “to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was problem with the ACH transaction at their bank and it was not processed.”