Subscribe to the RSA blogs and podcasts for the latest posts and security updates!
The constant hustle and bustle of underground fraudster markets is a bountiful source for any and all types of fraud commodities and partnerships formed between seemingly anonymous criminals in the virtual world. And yet, one very prominent vertical, if we may, stands far out from the rest—credit card shops and just about everything that has [...]
Hello Man in The Middle, so we meet again. It appears that lately, this older and slower adversary is back in the wire fraud business, this time more organized and featured in better-orchestrated Trojan attacks than ever before. MiTM attacks were rather prominent through 2009 and used by most fraudsters to commit online banking fraud. MiTM [...]
Word of yet another historical moment in cybercrime is quickly spreading through the fraud underground and through the legitimate web – the Zeus Trojan’s source code has been made public and is now freely available to anyone wanting a piece of the infamous old “King of Trojans.”
Warlike tactics are employed by each of the factions; security companies and financial institutions – the main defensive arm of the faction – build barricades to stop attackers. The fraudsters, on the other hand, try to outflank them by finding ways to circumvent these defenses, whether those are based on technology or on social engineering. Another tactic that is often used in real-life wars is the targeting of the enemy’s infrastructure.
In this ZeusiLeaks file I’ll talk about how fraudsters tap the communications of a company’s executive board – the holy grail of inside info. Quick reminder: WikiLeaks, the largest leak of data the world has seen? Nonsense! Trojans like Zeus and SpyEye lurk on millions of personal, corporate and government PCs, stealing data 24 by [...]
The RSA Research Lab has analyzed one of the most recent SpyEye v1.3 variants and has determined beyond doubt that the new hybrid Trojan is in fact already active in the wild. RSA’s researchers were able to reverse engineer the code and assert that it does indeed contain an exact code piece that has long been part of the Zeus Trojan’s sophisticated HTML injection mechanism. Snapshots of the assembly code are included below (See Figure 1 and Figure 2), courtesy of the RSA Research Lab.
On Friday, January 14, 2011, McAfee posted a blog entry titled “Combined Zeus/SpyEye Toolkit Announced”, based on a fraud forum post by “Hardersell”, in which this individual supposedly offers the much-anticipated SpyEye-Zeus hybrid Trojan for sale. Hardersell’s comments were published in an open, low-grade Russian-speaking hacking/carding forum, making its credibility lower than the more prestigious, exclusive, closed Russian-speaking forums.
Just as technology continues to innovate and evolve (3D televisions anyone?) cyber criminals must also innovate to keep their “consumers” engaged. A few weeks ago, we started seeing reports of a new and improved Zeus Trojan – dubbed Zeus 2.1. This new version includes features which help it avoid analysis and hostile takeover.
Underground fraudsters currently debate whether the Zeus – SpyEye merger reported by Brian Krebs is real or just propaganda by SpyEye authors following a period of mysterious silence from the Zeus writers. One thing is clear: the dramatic announcement has left the fraud scene with more questions than answers.
The bloodhounds are continuing to register notable victories over online crime rings. This time there were a massive series of arrests done in US, UK and other countries in relation to fraudsters spreading or cashing out on a major Zeus Trojan operation, which has been pestering US businesses for the past 18 months.
