Zeus P2P variant against Facebook,Hotmail,Yahoo & Google Mail

Pierluigi Paganini May 17, 2012

Experts at the security firm Trusteer have discovered a new Zeus malware variant responsible for a series of attacks against major Internet service providers. The variant, which relies on a P2P network architecture, targets users of Facebook, Hotmail, Yahoo and Google Mail.

What is Zeus?

The Zeus Trojan is one of the most notorious pieces of malware we have encountered in several cases; we can consider it one of the best products of the malware industry. The malware is highly appreciated by cyber criminals, who have improved its features over the months. Zeus was born as an agent able to steal banking information by logging keystrokes and grabbing forms, and it is spread mainly through phishing and drive-by download schemes.

Looking at the malware distribution model and its support services, commonly referred to as “software-as-a-service”, I point to the ZeuS offshoot Citadel, sold through a genuine web store advertised on several members-only forums that offer malicious developments to hackers.

Recently I reported the news of the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. Consider that the various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus Trojan. Regarding ZeuS diffusion, I suggest consulting the web site https://zeustracker.abuse.ch/, which provides updated statistics on the location of the Command & Control servers of the botnets based on this agent. Among the large quantity of statistics presented, I found a couple of figures that I consider really indicative: the average antivirus detection rate (last 60 days) and the list of the top C&C servers.

The schema of the new scam

The principle used to trick unsuspecting users is simple: the cyber criminals behind the malware, with the intent to steal the user’s debit card data, offer discounted products through the famous platform. The malware relies on the psychological conditioning of the user, who, seeing attractive discounts offered on a well-known platform, is pushed to believe they are genuine.

The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. Let’s look in detail at the features of the principal attacks observed.

The malware variant that hit Facebook uses a web injection mechanism to offer the victim a special 20% price reduction on purchases made with a Visa or MasterCard debit card through their Facebook account. The scam promises that, after registering debit card information, the victim will earn cash back when purchasing Facebook points.

Of course, the user is presented with a form for registering debit card information that is equivalent to a legitimate one, also in terms of layout.

A transaction using Verified by Visa/SecureCode initiates a redirect to the website of the card-issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this), but typically a password-based method is used, so effectively buying on the Internet means using a password tied to the card.

A different schema has been implemented in the attacks against Hotmail, Google Mail and Yahoo users. In these cases the Zeus variant offers a new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs.

3-D Secure is an XML-based protocol designed to be an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode.

The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three domain model (hence the 3-D in the name). The three domains are:

  1. Acquirer Domain (the merchant and the bank to which money is being paid).
  2. Issuer Domain (the bank which issued the card being used).
  3. Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol).

The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).

The malware operates in the phase of the online transaction in which merchants require cardholders to authenticate using their personal 3D Secure password.

In the scam targeting Google Mail and Yahoo users, the customer is convinced that linking his 3D Secure code to the mail account makes it available for future purchases. The malware proposes a sort of single sign-on schema, convincing the user that by simply registering his data on the mail platform he will be able to make purchases by logging in to his email account, using the protected services Google Checkout and Yahoo Checkout.

The advantage proposed to the user is, of course, a secure channel for his online transactions. Also in this case, the user is presented with a fake page carrying the logos of the Visa and MasterCard circuits to collect the victim’s debit card information.

A similar schema has also been adopted against Hotmail, offering a free new security service.

A multi-purpose malware

Zeus is undoubtedly one of history’s longest-running pieces of malware, used for different purposes; just remember that the dangerous malware was used to strike the hacktivists of Anonymous. On that occasion, a modified variant of one of the tools used in the attacks, Slowloris, infected with Zeus malware, was spread using standard channels such as Pastebin. The hackers copied and pasted an original Anonymous Pastebin entry, replacing the download link with an infected version. In this way the agent achieved extremely rapid diffusion.

The example is purely demonstrative; we don’t know who is behind the hack, but what is really worrying is the extensive use of malware by cybercrime and governments for cyberespionage operations.
The approach pursued for these agents is evolutionary, and permanently eradicating a threat that evolves over time in unexpected ways will require an increasing effort in the future.

Pierluigi Paganini
