Zeus botnet gang targets Charles Schwab accounts

Attacks vulnerable PCs to steal full access to investments, cash

Criminals are using a Zeus botnet to pillage Charles Schwab investment accounts, a security researcher said Friday.

The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.

"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Sunnyvale, Calif.-based Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."

The Zeus infections stem from e-mail messages posing as LinkedIn reminders that carry disguised links to malicious sites. Those sites then hit the visitor's Windows PC with a battery of drive-by exploits, cycling through them until one works. Among the vulnerabilities exploited: the Windows Help and Support Center flaw (CVE-2010-1885) disclosed in June by a Google security engineer and patched by Microsoft in July (MS10-042).

Fortinet's analysis of the malware's configuration file uncovered evidence that the attacks pilfer money from Charles Schwab investment accounts, said Manky.

After landing on a PC via an exploit, the Zeus bot watches for, then silently captures, log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts. The attack code also injects a bogus form into the Schwab pages asking victims for additional information the thieves can later use to pass the brokerage's identity checks and pose as the account's legitimate owner. The form's fields ask for the user's mother's maiden name, driver's license number and employer.

Manky speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership.

The Zeus attacks began in late September and peaked in early October, said Manky, who warned that because criminals commonly conduct campaigns in waves, more are likely. The botnet's command-and-control domains are still functioning, still receiving stolen information from infected PCs and still transmitting new orders to the botnet.

"They're injecting code silently into the live session while you're at the [legitimate] Schwab site," said Manky of the fake form. Because the form is rendered inside the genuine, encrypted Schwab session, the browser's address bar and certificate indicators give the user no sign that it is bogus. "As far as you're concerned, you're still in a valid secure session, since they're piggybacking this malicious content."

Manky said the attackers use the injected form to acquire additional authentication information so that they can parry confirmation queries after they conduct online transactions using the stolen usernames and passwords.
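To make the web-inject mechanism described above concrete, here is an added example (written for this page; it is not code from the article, from Fortinet, or from any real Zeus configuration). It models an inject as a rewrite of the HTTP response body anchored on a text snippet of the real page, which is how Zeus web injects splice extra fields into a genuine, TLS-protected page, and pairs it with the server-side check a site operator can run on what the browser actually submits. The login markup, field names, URL and anchor strings are all constructed for the example.

```javascript
// Added example: a Zeus-style web inject as a response-body rewrite, plus a
// server-side detector for unexpected POST parameters. Everything here is
// constructed for illustration; no real site markup or bot config is used.

// Constructed stand-in for the legitimate login page body.
const ORIGINAL_LOGIN_HTML = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>`;

// A web inject is defined by a URL match, a text anchor in the real page and
// the markup to splice in after that anchor. Real Zeus configs express this
// with data_before / data_inject / data_after blocks; this object is a
// simplified stand-in for that format, with hypothetical field names.
const INJECT = {
  urlPattern: /\/login$/,
  dataBefore: '<input type="password" name="password">',
  dataInject: `
  <input type="text" name="mothers_maiden_name">
  <input type="text" name="drivers_license">
  <input type="text" name="employer">`,
};

// Man-in-the-browser step: rewrite the response before the browser renders it.
// The page still arrives over the genuine HTTPS session, so the lock icon and
// certificate look exactly as they should.
function applyWebInject(url, html, inject) {
  if (!inject.urlPattern.test(url)) return html;
  const idx = html.indexOf(inject.dataBefore);
  if (idx === -1) return html; // anchor not found: inject silently does nothing
  const cut = idx + inject.dataBefore.length;
  return html.slice(0, cut) + inject.dataInject + html.slice(cut);
}

// Extract <input name="..."> values from flat form markup (a regex is enough here).
function fieldNames(html) {
  const names = [];
  const re = /<input[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Server-side check: the site knows exactly which fields its login form has,
// so any extra parameter in the POST is evidence the page was altered in the
// client. Returns the list of unexpected parameter names (empty when clean).
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password']);

function unexpectedFields(postedParams, expected = EXPECTED_LOGIN_FIELDS) {
  return Object.keys(postedParams).filter((k) => !expected.has(k));
}

// Simulate the victim's browser submitting every field present on the page.
function simulateSubmission(html) {
  const params = {};
  for (const name of fieldNames(html)) params[name] = 'x';
  return params;
}

// Stand-alone run: show the injected page and what the detector flags.
const injectedPage = applyWebInject('https://example.test/login', ORIGINAL_LOGIN_HTML, INJECT);
console.log(injectedPage);
console.log('unexpected fields:', unexpectedFields(simulateSubmission(injectedPage)));
```

One caveat for anyone relying on the server-side check: it only fires when the bot lets the extra fields travel to the real site in the POST. Injects that read the values out of the DOM in the browser and ship them straight to the command-and-control server, as the article describes the bot doing with captured credentials, leave nothing unusual in the site's own logs, so this check complements rather than replaces endpoint-side detection.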

Like most Zeus botnet gangs, this one siphons cash, then uses "money mules" to transfer funds to the brains behind the organization, Manky said. With access to investment accounts, the crooks can not only vacuum up cash, but also sell securities to restock the cash account for further withdrawals.

Although police in the U.S., the U.K. and Ukraine collared more than 100 members of a Zeus crimeware gang three weeks ago, experts warned that the arrests wouldn't stop the botnet. Other gangs can simply step into the void.

Manky agreed. "Zeus is widely supported, has such a large pool of developers now, that the cat and mouse game will just continue," he said.


Gregg Keizer

Computerworld (US)