Facebook Zeus malware targeting bank accounts

Pierluigi Paganini June 07, 2013

Principal security firms detected a new variant of Facebook Zeus malware that is exploiting the popular social network to target user’s bank accounts.

A Facebook Zeus malware variant (aka ZeuS/ZBOT) has been detected by principal security firms confirming the longevity of malicious code and the ability of cybercrime to customize it according to its needs.
Symantec was one of the first companies to detect the Facebook Zeus virus and its capability to drain user’s bank accounts,  the malicious code exploits phishing messages as a method of propagation. A compromised account  is used to automatically send messages to its contact with links to ads, usually to video or product.
The new Facebook Zeus instance is able to infect only Windows users, there is no news of variant that targeted Linux or Mac OS X systems.
The Facebook Zeus malware appears very complex, it is able to replace a bank’s Web site page with a fake one used to capture social security number data and other information from the victims. Once again cyber criminals don’t use directly the credentials collected but re-sold them on the black market within a Fraud As A Service (FaaS) model.

How does Facebook Zeus steal victim’s credentials?

ZBOT connects to a remote site to download its encrypted configuration file containing the following information:

  • Site where an updated copy of itself can be downloaded
  • List of websites to be monitored
  • Site where it will send the stolen data

Facebook Zeus communication CeC server

“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.” reported TrendMicro post.

 Facebook Zeus statistics

According to Trend Micro the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Despite Facebook is aware of the diffusion of the Facebook Zeus malware since now it appears to have not taken clomourous countermeasures.  Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE) declared that has tried to warn Facebook on the diffusion of the cyber threat. I contacted Mr Feinberg requesting major info on the event and he told me:

“Best way to describe how we uncover the Zeus Malware is as follows. I observed that the Russian Business Network was created Fake Facebook Profiles that were posted .tk links to websites selling counterfeit Merchandise. The .tk links caught my attention when i did url query of these .tk links url query report listed these as likely hostile and from the Russian Business Network. I turn the links over to a colleague who identified the Zeus Botnet”

The majority of the victims of Facebook Zeus malware is located in the USA and UK, other cases are registered all over the world including India, Russia and South Africa.
The resurrection of Facebook Zeus variant is not surprising, cybercriminal underground Also never stops to make a profit on old cyber threats and the Prolific business is daily growing in the underground.
Pierluigi Paganini
(Security Affairs – Zeus, cybercrime, Facebook)

you might also like

leave a comment