Zeus attack nets £675,000 from UK bank customers


Summary: Customers lost up to £3,000 each to criminals who used a variant of the Zeus data-stealing Trojan to infect Windows systems, Macs and even Wii consoles, according to M86

TOPICS: Security

Hackers have siphoned more than half-a-million pounds from UK bank accounts since July using a variant of the Zeus banking Trojan, according to security company M86.

M86 discovered the theft after gaining access to a command-and-control server in Moldova, the company said in a paper published on Tuesday (PDF). Between 5 July and 4 August, hackers stole £675,000 from the customers of one of the biggest UK financial institutions, according to M86.

Mark Kaplan, M86's chief security architect, told ZDNet UK on Wednesday that just under 37,000 British computers had been infected by the Trojan as part of the attack, with around 3,000 bank accounts compromised.

"We started analysing this attack at the beginning of July," Kaplan said in an email interview. "The bank and law enforcement agencies were informed immediately. The matter is now being handled by the bank."

The Zeus Trojan, which is also known as Zbot, steals data from a compromised machine by logging keystrokes. People who click on an infected email or compromised website could end up exposing their online banking credentials. In addition, the latest versions of the Trojan use a man-in-the-browser technique, which intercepts data before it can be encrypted.

In July, security company Trusteer warned that botnets based on the Trojan were targeting British online banking customers and said that the detection rates for the malware by antivirus software were low, between zero and 20 percent.

In the case uncovered by M86, computers became infected via drive-by downloads — the malicious equivalent of a cookie — from advertising sites, according to Kaplan. They were initially infected by a dropper program from either the Eleonore or Phoenix exploit kits, which then downloaded a Zeus version 3 variant.

The Trojan sat in a browser, and when the victim visited their bank account, the Trojan intercepted the communication and substituted a transfer order to a different bank account belonging to one of a series of unwitting go-betweens known as 'money mules'. These mules then transferred the money into bank accounts controlled by the criminals.

Kaplan said that the amount of money stolen from each UK bank account ranged between £1,000 and £3,000, with the criminals targeting victims that had at least £800 in the account.

More than 280,000 UK systems running Windows were infected with the dropper, and about 12 percent of these were then infected by the Trojan. The exploit kit also hit non-Microsoft systems, affecting more than 3,800 Macs, 300 PlayStations and three Wii consoles.

The Police Central eCrime Unit has been notified, as have the relevant authorities in Eastern Europe, according to M86. Kaplan declined to say which bank had been compromised or whether the bank was taking protective measures.

"We are not allowed to disclose the name of the bank," said Kaplan. "It's an ongoing investigation."


Tom Espiner

  • The announcement of the return of Zeus is not only a demonstration of its power, but also highlights the importance of vigilance and protection against such attacks for businesses. Information confidentiality is paramount to businesses not only keeping their customers, but also maintaining a competitive advantage within their industry. Viruses such as Zeus are clearly a threat to these assets, so as such precautionary methods should be investigated. As an IT management services company, we would advise the use of a protection tool such as SentryBay which masks the keystrokes and form being entered into, thus making it impossible for keyloggers etc. to view the data being entered by customers.
  • It was interesting that security experts suggested that online banking users also use SMS or email alerts from their bank to keep an eye on their balance and transactions. Unfortunately, not all of the banks offer this service, although I bet demand for this service will start to increase.