Two weeks ago, UK and US authorities arrested dozens of members of a cybercrime gang for their part in an online scam aimed at stealing banking passwords (CNET).
The scam involved spreading the Zeus Trojan, a bot also known as “Zbot”.
This week, other gangs appear to have stepped in with a modified and improved version of the Zeus bot, aimed primarily at hijacking Charles Schwab investment accounts. The new variant is spread mainly by fake LinkedIn reminder emails whose links are disguised to look legitimate but lead to malicious sites. Once the user clicks the link, the malicious site tries a large number of browser and plug-in exploits until it finds one that works on that PC. If one succeeds, the Zeus bot itself is downloaded and installed on the workstation, where it silently captures the usernames and passwords sent to a list of banking sites. Because the bot runs silently, it is almost impossible to tell from normal use that a PC has been infected.
More concerning, a new study concludes that most antivirus software will not detect the new Zeus variant. It evades the heuristic techniques that anti-virus proactive defenses rely on: it predicts which segments of its code would trigger an alarm and carefully avoids them.
It also pops up an extra confirmation window while you are on the legitimate Schwab site, asking for additional information such as your mother’s maiden name. Because the bot injects that window into the page inside your browser, the address bar and the site’s certificate still look correct. The attackers later use your answers to pass the bank’s identity checks and prove that they are the legitimate account holder.
We have not yet been able to determine whether Kaspersky (which most of our clients use) will detect or block this variant. As a precautionary measure, we therefore suggest the following steps:
- Apply Microsoft patches diligently; the malicious sites depend on unpatched software to infect the PC;
- Most of our clients use Kaspersky with auto-update enabled by default; however, if your anti-virus subscription has expired or the virus definitions are out of date, update it immediately;
- Do not open emails with subjects such as “LinkedIn Reminder”, “XYZ wants to connect on LinkedIn” or similar, and above all do not click the links in them. If you want to check for real invitations, type www.linkedin.com into your browser yourself;
- If a pop-up window asks for additional information, such as your mother’s maiden name, driver’s license number or employer, while you are visiting the legitimate Schwab website or any other banking website, DO NOT fill it out. Close the browser and call the bank’s support line immediately.
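The disguised links described above can be caught mechanically before anyone clicks them. The following is an added example, not a tool from the original post or from any vendor it mentions: a small Python checker that parses a raw email, pulls every link out of the HTML body and flags two things, a LinkedIn-themed subject whose links go anywhere other than linkedin.com (assumed here to be the only legitimate domain), and visible link text that looks like a URL but does not match the real target. The two messages it runs on are constructed samples, and every domain in them is a placeholder.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: genuine LinkedIn links point at linkedin.com or a subdomain of it.
TRUSTED_SUFFIXES = ("linkedin.com",)
# Subject words that mark the lure described in the advisory.
LURE_SUBJECT_WORDS = ("linkedin",)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def web_host(url):
    """Lowercased host of an http(s) URL, or None for anything else.
    urlparse treats text before '@' as userinfo, so the disguise
    'http://www.linkedin.com@evil.example/' resolves to 'evil.example'."""
    try:
        parsed = urlparse(url.strip())
    except ValueError:
        return None
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower() or None


def host_is_trusted(host):
    """Exact match or subdomain only; 'linkedin.com.evil.example' fails
    because the suffix check is anchored on a dot boundary."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _bare(host):
    """Drop a leading 'www.' so www.linkedin.com and linkedin.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def analyse_message(raw):
    """Return the verdict and findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    lure = any(word in subject for word in LURE_SUBJECT_WORDS)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            host = web_host(href)
            if host is None:  # mailto:, relative or empty links are ignored
                continue
            if lure and not host_is_trusted(host):
                findings.append(("off-domain-link", href, text))
            # Visible text that looks like a URL must agree with the real target.
            shown = text.lower()
            shown_host = web_host("http://" + shown if shown.startswith("www.") else shown)
            if shown_host and _bare(shown_host) != _bare(host):
                findings.append(("display-mismatch", href, text))
    return {"lure_subject": lure, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed sample: the lure, with a LinkedIn-looking visible URL hiding an off-domain target.
SAMPLE_LURE = """\
From: LinkedIn Reminders <reminders@linkedin-mail.example>
To: client@example.com
Subject: LinkedIn Reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>You have 1 pending invitation.</p>
<p><a href="http://linkedin.com.confirm-invite.example/login">https://www.linkedin.com/e/reminder</a></p>
</body></html>
"""

# Constructed sample: the same reminder with a link that really goes to linkedin.com.
SAMPLE_GENUINE = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: client@example.com
Subject: LinkedIn Reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>You have 1 pending invitation.</p>
<p><a href="https://www.linkedin.com/e/reminder">View invitation</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("genuine", SAMPLE_GENUINE)):
        result = analyse_message(raw)
        print(name, result["verdict"], result["findings"])
```

Two details matter in practice. The host comparison is anchored on a dot boundary, so a look-alike such as linkedin.com.confirm-invite.example is not treated as LinkedIn, and the userinfo trick (a real domain placed before an `@`) is defeated by reading `hostname` from the parsed URL rather than eyeballing the string. Run on the lure sample the checker reports both an off-domain link and a display mismatch; the genuine sample comes back clean.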