Zeus 3 attack steals £675,000 from UK bank

Zeus is back again and has targeted one UK bank, taking £675,000 from user accounts.

Hackers have hit a UK bank with a Zeus version 3 Trojan, compromising around 3,000 customer accounts and taking £675,000 between 5 July and 6 August.

They combined the Zeus malware with exploit toolkits to remain undetected by anti-fraud systems, M86 Security Labs has discovered.

Once the victim's system had been infected and they entered their online banking service, Zeus v3 was able to initiate transfers from user accounts to the criminal masterminds.

Money mules were used to support the operation, as legitimate bank account holders were duped into becoming unsuspecting middlemen, helping transfer funds for the cyber criminals.

Talking about how this attack is unique, Bradley Anstis, vice president of technical strategy for M86 Security, noted it focused on only one, as yet anonymous, financial institution.

"Typically these guys are lazy and they'll go after the low hanging fruit," Anstis told IT PRO.

"The attack is still going on. We've been tracking it since about the end of July, but we can see log files back to the beginning of July so we're not exactly sure when the actual attack started."

It is likely more than £675,000 has been stolen by the hackers, Anstis said.

"You certainly don't need to go bursting through the front door of your bank with a pistol in your hand anymore," he added.

"I think banks maybe need to take their controls to a higher level."

The hackers in this case were highly sophisticated. They used a number of techniques to spread the malware, including the publishing of malicious ads on legitimate websites, or simply infecting such sites.

By using the Eleonore Exploit Kit, the cyber criminals were also able to determine what country an infected user was based in and in this case they targeted UK bankers.

As soon as victims logged into their internet banking service, the Trojan sent the login ID, date of birth and a security number back to the command and control (C&C) server, which was located somewhere in Eastern Europe.

Zeus v3 would then be sent JavaScript code to replace the original bank JavaScript, used for the transaction form.

Data placed into the form was then sent to the C&C system rather than the bank and the information was analysed to determine how much money was in the targeted account.

Once the Trojan had been told which money mule was to be used and the illicit transaction was completed, Zeus v3 continued to listen to the bank response and report back to the C&C system.

The development comes hot on the heels of a Zeus version 2 botnet being uncovered, controlling over 100,000 computers.
