Zeus botnet gang targets Charles Schwab accounts

Attacks vulnerable PCs to steal full access to investments, cash

Criminals are using a Zeus botnet to pillage Charles Schwab investment accounts, a security researcher said Friday.

The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.

"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Sunnyvale, Calif.-based Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."

The Zeus infections stem from messages posing as LinkedIn reminders that include disguised links to malicious sites. Those sites then hit the Windows PC with numerous drive-by exploits, looking for one that works. Among the exploited vulnerabilities: the Windows Help & Support Center bug disclosed in June by a Google security engineer and patched by Microsoft in July.

Fortinet's analysis of the malware's configuration file uncovered evidence that the attacks pilfer money from Charles Schwab investment accounts, said Manky.

After sneaking onto a PC via an exploit, the Zeus bot watches for, then silently captures log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts. The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. On that form are fields asking for the user's mother's maiden name, driver license number and employer.

Manky speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership.

The Zeus attacks began in late September and peaked in early October, said Manky, who warned that because criminals commonly conduct campaigns in waves, more are likely. The botnet's command-and-control domains are still functioning, still receiving stolen information from infected PCs and still transmitting new orders to the botnet.

"They're injecting code silently into the live session while you're at the [legitimate] Schwab site," said Manky of the fake form. It would be impossible for a user to know that the form was bogus. "As far as you're concerned, you're still in a valid secure session, since they're piggybacking this malicious content."

Manky said the attackers use the injected form to acquire additional authentication information so that they can parry confirmation queries after they conduct online transactions using the stolen usernames and passwords.

Like most Zeus botnet gangs, this one siphons cash, then uses "money mules" to transfer funds to the brains behind the organization, Manky said. With access to investment accounts, the crooks can not only vacuum up cash, but also sell securities to restock the cash account for further withdrawals.

Although police in the U.S., the U.K. and Ukraine collared more than 100 members of a Zeus crimeware gang three weeks ago, experts warned that the arrests wouldn't stop the botnet. Other gangs can simply step into the void.

Manky agreed. "Zeus is widely supported, has such a large pool of developers now, that the cat and mouse game will just continue," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftLinkedInGooglefinanceFinancial ServicesFortinetindustry verticalsMalware and VulnerabilitiesCybercrime and HackingCharles Schwab

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?