Zeus attack nets £675,000 from UK bank customers

Customers lost up to £3,000 each to criminals who used a variant of the Zeus data-stealing Trojan to infect Windows systems, Macs and even Wii consoles, according to M86
Written by Tom Espiner, Contributor

Hackers have siphoned more than half a million pounds from UK bank accounts since July using a variant of the Zeus banking Trojan, according to security company M86.

M86 discovered the theft after gaining access to a command-and-control server in Moldova, the company said in a paper published on Tuesday (PDF). Between 5 July and 4 August, hackers stole £675,000 from the customers of one of the biggest UK financial institutions, according to M86.

Mark Kaplan, M86's chief security architect, told ZDNet UK on Wednesday that just under 37,000 British computers had been infected by the Trojan as part of the attack, with around 3,000 bank accounts compromised.

"We started analysing this attack at the beginning of July," Kaplan said in an email interview. "The bank and law enforcement agencies were informed immediately. The matter is now being handled by the bank."

The Zeus Trojan, which is also known as Zbot, steals data from a compromised machine by logging keystrokes. People who click on an infected email or compromised website could end up exposing their online banking credentials. In addition, the latest versions of the Trojan use a man-in-the-browser technique that intercepts data before it can be encrypted.

In July, security company Trusteer warned that botnets based on the Trojan were targeting British online banking customers and said that the detection rates for the malware by antivirus software were low, between zero and 20 percent.

In the case uncovered by M86, computers became infected via drive-by downloads — the malicious equivalent of a cookie — from advertising sites, according to Kaplan. They were initially infected by a dropper program from either the Eleonore or Phoenix exploit kits, which then downloaded a Zeus version 3 variant.

The Trojan sat in a browser, and when the victim visited their bank account, the Trojan intercepted the communication and substituted a transfer order to a different bank account belonging to one of a series of unwitting go-betweens known as 'money mules'. These mules then transferred the money into bank accounts controlled by the criminals.

Kaplan said that the amount of money stolen from each UK bank account ranged between £1,000 and £3,000, with the criminals targeting victims that had at least £800 in the account.

More than 280,000 UK systems running Windows were infected with the dropper, and about 12 percent of these were then infected by the Trojan. The exploit kit also hit non-Microsoft systems, affecting more than 3,800 Macs, 300 PlayStations and three Wii consoles.

The Police Central eCrime Unit has been notified, as have the relevant authorities in Eastern Europe, according to M86. Kaplan declined to say which bank had been compromised or whether the bank was taking protective measures.

"We are not allowed to disclose the name of the bank," said Kaplan. "It's an ongoing investigation."
