Criminals are using a Zeus botnet to pillage investment accounts at US broker Charles Schwab, a security researcher has said.
The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.
"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."
The Zeus infections stem from messages posing as LinkedIn reminders that include disguised links to malicious sites. Those sites then hit the Windows PC with numerous drive-by exploits, looking for one that works. Among the exploited vulnerabilities: the Windows Help & Support Center bug disclosed in June by a Google security engineer and patched by Microsoft in July.
Fortinet's analysis of the malware's configuration file uncovered evidence that the attacks pilfer money from Charles Schwab investment accounts, said Manky.
After sneaking onto a PC via an exploit, the Zeus bot watches for, then silently captures log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts.
The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. On that form are fields asking for the user's mother's maiden name, driver license number and employer.
Manky speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership.
The Zeus attacks began in late September and peaked in early October, said Manky, who warned that because criminals commonly conduct campaigns in waves, more are likely. The botnet's command-and-control domains are still functioning, still receiving stolen information from infected PCs and still transmitting new orders to the botnet.
"They're injecting code silently into the live session while you're at the [legitimate] Schwab site," said Manky of the fake form. It would be impossible for a user to know that the form was bogus. "As far as you're concerned, you're still in a valid secure session, since they're piggybacking this malicious content."
Manky said the attackers use the injected form to acquire additional authentication information so that they can parry confirmation queries after they conduct online transactions using the stolen usernames and passwords.
Like most Zeus botnet gangs, this one siphons cash, then uses "money mules" to transfer funds to the brains behind the organization, Manky said. With access to investment accounts, the crooks can not only vacuum up cash, but also sell securities to restock the cash account for further withdrawals.
Although police in the US, the UK and Ukraine collared more than 100 members of a Zeus crimeware gang three weeks ago, experts warned that the arrests wouldn't stop the botnet. Other gangs can simply step into the void.
Manky agreed. "Zeus is widely supported, has such a large pool of developers now, that the cat and mouse game will just continue," he said.