Using a variant of the Zeus Trojan virus that logs keystrokes, cybercriminals have stolen over half a million pounds sterling from users of online banking services in the UK.
Online security firm M86 Security Labs uncovered the scam and yesterday published its whitepaper on the events, including how the criminals targeted customers with over £800, taking £675,000 in total.
A paper published by the security firm detailed how an organised group of cybercriminals launched a scheme targeting customers of one particular financial institution between 5 July and 4 August 2010, compromising around 3,000 customer accounts.
M86 Security Labs says that the use of a new form of the Zeus virus called v3 indicated a new level of technical sophistication. Zeus is a popular choice of Trojan virus amongst cybercriminals.
The virus not only logged keystrokes and collected user data but also carried out illegal banking transactions.
M86 says that several methods were used to spread the v3 virus, including infecting legitimate websites with malware, creating fake advertising sites and putting malware-laden ads on legitimate sites, all of them methods used to bait unsuspecting surfers.
However the user came across the virus online, it would install itself on their computer. Once the online banking customer accessed their account, the v3 Trojan began siphoning off money by initiating an illegal transaction via a money mule to the gang of cybercriminals.
“After analysing the data, the system determined whether the user had enough money in the account. It selected the most appropriate mule account to retrieve the money, wrapped all the data and sent it back to the Trojan installed on the victim’s machine,” said M86 in its account of the scam.
“The Trojan then updated the data in the form and sent it to the bank to complete the transaction. The bank received the requested operation and sent back the transaction result as the Trojan continued to listen to the bank response, reporting it to the C&C system.”