More ZeuS Damage
Brian Krebs writes on Security Fix:
I discovered the latest example of this failure just last week, when I spoke with Genlabs Corp., a chemical manufacturing firm based in Chino, Calif. Even though Genlabs' business banking account was protected by a security token code and a password, the thieves still were able to break into the firm's account online and transfer $437,000 to 50 different co-conspirators around the country.
More here.
Joyce Nicola, Genlabs' controller, said the thieves infected a PC belonging to a subordinate who was helping to set up new payroll accounts for the company. Normally, Nicola said, when they log in to their account at the bank, the site asks for a user name on one page, then the next page requests a password, and a third and final page requires the user to type in the output from a key fob that generates a new six-digit number every 60 seconds. When the employee logged in to the bank's site on the morning of the 16th, all three of those fields were instead present on the bank's home page.
A local computer forensics expert later determined that an infection from the "Zbot Trojan" (a.k.a., "Zeus") had allowed the attackers to re-write the bank's login screen as displayed on the employee's computer, so that the credentials were intercepted before they could be sent on to the bank's actual Web site. The technician's report on the Zeus infection -- available here [.pdf] -- is worth reading, particularly points 5 and 6, which noted that the infection could not be diagnosed from within Windows.
To date, Genlabs has succeeded in reversing just $48,000 worth of fraudulent transfers, Nicola said.