ZeuS malware spreads to smartphones and LinkedIn

28 Sep 2010

The ZeuS malware is coming of age and the infections are going to get a lot worse, says Trusteer, the secure browsing services specialist.

ZeuS malware has already been pushed extensively to users of Web 2.0 and social networking sites such as Facebook, Twitter and, most recently, to users of the business social networking site, LinkedIn.

In the UK, ZeuS malware has been used to swindle from thousands of bank accounts.

Malware is also being modified by cyber criminals using coding toolkits to attack smartphone users. Recent postings by S21sec about ZeuS targeting smartphone users are just the tip of the iceberg when considering the potential of these attacks.

ZeuS Mitmo

“The spread of Zeus into mobile platforms marks the beginning of a new era of malware mobility,” said Mickey Boodaei, Trusteer’s CEO.

“What’s dangerous in this approach is that the same malware controls two communication channels – the PC and the mobile device and as a result can launch extremely effective attacks against banks and organisations that rely on these two channels for authentication and transactions.”

“Many enterprises rely on two-factor authentication to protect against unauthorised remote access to their networks and sensitive corporate applications. Malware such as Zeus which can reside both on the PC and the mobile device can easily bypass these protections.

“For online banking, the potential of the attack extends way behind authentication. Criminals can also control incoming voice calls and re-direct them to the attackers. So when the bank detects a suspicious transaction and calls the customer for confirmation, the criminals can pick up the phone on the other side and do that on behalf of the customer.

“By controlling both the phone and the PC, criminals achieve devastating power. Frankly, I’m amazed that it took them so much time to do this,” said Boodaei.


Boodaei said social networks are easy targets for malware. As a LinkedIn user, I’ve received a few email alerts where I didn’t really know if they’re genuine or not. The first thing you want to do when you get a LinkedIn invite from someone you’re not sure you know is to click the View Profile link embedded into the email. These emails also include links to accept and reject invitations.

“LinkedIn are not alone here and many of the social networks send emails with links and even experienced users may be fooled into clicking one of these really well-crafted emails. Once the criminals gain control of a social network account they have access to the victim’s list of friends and they can send out more targeted messages to these friends, and raise the risk of getting infected even higher.”

He said that to defend against attacks, enterprises and users need to use secure browsing services in addition to gateway-level firewalls, antivirus and anti-spam defences.

“Targeting social network users for distributing financial malware is a smart move for the criminals. These attacks are much more likely to succeed than phishing attacks on banks.

“Once ZeuS is installed on the user’s computer, then the criminals get access not only to login information but also to real-time transactions and other sensitive information on the victim’s computer,” said Boodaei.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years