Zeus P2P variant against Facebook,Hotmail,Yahoo & Google Mail

Pierluigi Paganini May 17, 2012

Experts at the security firm Trusteer have discovered a new variant of the Zeus malware responsible for a series of attacks against major internet service providers. The variant, which relies on a P2P network architecture, targets users of Facebook, Hotmail, Yahoo and Google Mail.

What is Zeus?

The Zeus Trojan is one of the most notorious malware families we have encountered in several cases; we can consider it one of the best products of the malware industry. The malware is highly appreciated by cyber criminals, who have improved its features over the months. The Zeus Trojan was born as an agent able to steal banking information by logging keystrokes and form grabbing, and it is spread mainly through phishing and drive-by download schemes.

Regarding the malware distribution model and support services, commonly referred to as “software-as-a-service”, I point to the ZeuS offshoot Citadel, sold through a true web store advertised on several members-only forums that offer developments by malicious hackers.

Recently I reported the news on the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. Consider that the various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus Trojan. Regarding ZeuS diffusion I suggest consulting the web site https://zeustracker.abuse.ch/, which provides updated statistics on the location of the Command & Control servers of the botnets based on the agent. Among the huge quantity of statistics presented, I have found a couple of items that I consider really indicative: the average antivirus detection rate (last 60 days) and the list of the top C&C servers.

The scheme of the new scam

The principle used to trick unsuspecting users is simple: the cyber criminals behind the malware, with the intent of stealing users’ debit card data, offer discounted products through the well-known platforms. The malware relies on the psychological conditioning of the user, who, seeing attractive discounts offered on familiar platforms, is pushed to believe they are genuine.

The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. Let’s look in detail at the features of the principal attacks observed.

The malware variant that hit Facebook uses a web injection mechanism to offer the victim a special 20% discount on purchases made with a Visa or MasterCard debit card through their Facebook account. The scam promises that, after registering debit card information, the victim will earn cash back when purchasing Facebook points.

Of course, the user is presented with a form for registering debit card information that is equivalent to a legitimate one, also in terms of layout.

A transaction using Verified by Visa/SecureCode initiates a redirect to the website of the card-issuing bank to authorize the transaction. Each issuer could use any kind of authentication method (the protocol does not cover this), but typically a password-based method is used, so buying on the Internet effectively means using a password tied to the card.

A different scheme has been implemented in the attacks against Hotmail, Google Mail and Yahoo users: in these cases the Zeus variant offers a new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs.

3-D Secure is an XML-based protocol designed to be an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode.

The basic concept of the protocol is to tie the financial authorization process with an online authentication. This authentication is based on a three domain model (hence the 3-D in the name). The three domains are:

  1. Acquirer Domain (the merchant and the bank to which money is being paid).
  2. Issuer Domain (the bank which issued the card being used).
  3. Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol).

The protocol uses XML messages sent over SSL connections with client authentication (this ensures the authenticity of both peers, the server and the client, using digital certificates).

The malware operates in the phase of the online transaction in which merchants require cardholders to authenticate using their personal 3D Secure password.

In the scam targeting Google Mail and Yahoo users, the customer is convinced to link his 3D Secure code to the mail account, making it available for future purchases. The malware proposes a sort of single sign-on scheme, convincing the user that by simply registering his data on the mail platform he will be able to make purchases by logging into his email account, using the protected services Google Checkout and Yahoo Checkout.

The advantage offered to the user is, of course, a secure channel for his online transactions. Also in this case, the user is presented with a fake page that collects the victim’s debit card information and displays the logos of the Visa and MasterCard circuits.

A similar scheme has also been adopted against Hotmail, offering a free new security service.
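One defensive check suggested by both the Facebook webinject scam and the webmail 3D Secure scams, added here as an example and not code from the article or from Trusteer: card data and 3D Secure passwords should only ever be submitted to the issuer's ACS or a merchant checkout, never to a social-network or webmail host. The script below assumes a TLS-inspecting proxy that logs POST bodies and a hypothetical allowlist of legitimate card hosts, and flags such posts with a Luhn check plus field-name heuristics over constructed sample events.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hosts where card data or a 3D Secure password is legitimately submitted
# (assumed allowlist for this example, not a real issuer/merchant list).
ALLOWED_CARD_HOSTS = {"acs.example-bank.test", "checkout.example-merchant.test"}

# Field names a webinject form typically uses to harvest card data (heuristic).
CARD_FIELD_RE = re.compile(r"^(pan|ccnum)$|card|cvv|cvc|securecode|vbv|exp", re.I)

# Constructed POST requests as a TLS-inspecting proxy would log them
# (not real traffic; the PAN is a well-known test number).
SAMPLE_EVENTS = [
    {"url": "https://www.facebook.com/ajax/promo/cashback",
     "body": "fullname=J+Doe&cardnumber=4111111111111111&exp=12%2F14&cvv=123"},
    {"url": "https://acs.example-bank.test/3ds/verify",
     "body": "pan=4111111111111111&password=s3cret"},
    {"url": "https://mail.google.com/mail/?ui=2",
     "body": "q=hello&count=1234567890123"},
]

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return 13-19 digit runs in text that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def flag_event(url, body, allowed_hosts=ALLOWED_CARD_HOSTS):
    """Reason string when card data is posted to an unexpected host, else None."""
    host = urlparse(url).hostname or ""
    if host in allowed_hosts:
        return None
    fields = parse_qs(body, keep_blank_values=True)
    card_fields = sorted(f for f in fields if CARD_FIELD_RE.search(f))
    if find_pans(body):
        return "Luhn-valid PAN posted to %s (fields %s)" % (host, card_fields)
    if len(card_fields) >= 2:  # no PAN seen but the form shape is suspicious
        return "card-style fields %s posted to %s" % (card_fields, host)
    return None

def scan_events(events):
    """Run flag_event over proxy events; returns (url, reason) pairs for hits."""
    return [(e["url"], r) for e in events if (r := flag_event(e["url"], e["body"]))]
```

On the constructed events only the Facebook post is flagged; the ACS post is allowlisted and the Gmail post carries no Luhn-valid number or card-style fields.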

A multi-purpose malware

Zeus is undoubtedly one of history’s longest-running malware families and has been used for different purposes; just remember that the dangerous malware was used to strike the hacktivists of Anonymous. On that occasion, a modified variant of one of the tools used in the attacks, Slowloris, infected with Zeus malware, was spread using standard channels such as Pastebin. The hackers copied and pasted an original Anonymous Pastebin entry, replacing the download link with an infected version. In this way the agent achieved extremely rapid diffusion.

The example is purely demonstrative, and we don’t know who is behind the hack, but what is really worrying is the extensive use of malware by cybercrime and governments for cyberespionage operations. The approach pursued for these agents is evolutionary, and permanently eradicating a threat that evolves over time in unexpected ways will require an increasing effort in the future.

Pierluigi Paganini

 

