Tuesday, January 07, 2014

Zeus Financial Crime Malware targets Credit Unions and smaller banks

A trend that we've been seeing in both phishing and malware is that criminals are beginning to aim lower in the Financial services market. While it is still true that some of the biggest financial institutions are regularly targeted by phishing and malware, there is an increasing trend in targeting SMALLER institutions as well. But are smaller institutions worth the effort? They are when the criminals can do a targeted delivery, *OR* when the small brand is actually a representative of a group of brands all serviced by the same Financial Services Company's platform.

Small brands in Zeus

At Malcovery Security our malware analysts review malware that is being distributed via spam email messages on a daily basis. Quite often the malware is related to financial crimes, such as the Zeus malware, which has multiple vectors of attack. First, it is important to note that while Zeus is a financial crimes trojan, stealing userids and passwords and allowing advanced attacks to your bank account. But Zeus is ALSO a "backdoor" allowing criminals to take full control of your computer at any time. Zeus is ALSO a means for delivering additional malware. For example, in today's spam messages imitating Wells Fargo bank sending you "Important Bank Documents", which we received over 4500 times in the Malcovery Spam Data Mine, recipients who opened the attached "Bank Documents" would really have been opening a malware downloader (Current detection: 14 of 47 at VirusTotal) that would download Zeus malware (currently detected by 10 of 47 AV products at VirusTotal), that would update itself to a less detectable version of Zeus ((5 of 47 detections) and then download CryptoLocker.

While Zeus captures pretty much all userids and passwords, it can be tuned to pay special attention to certain banks by setting a list of URL Substrings in a place on your computer that will compare them to anything being visited by your browser. If you visit one of these "targeted" strings, Zeus might be instructed to send the criminal screenshots every time you click your mouse, to send the criminal all of the contents of your web forms, or even trigger to ask you for your Two Factor Authentication. We can learn about what the criminals are targeting by grabbing those URL Substrings out of memory and comparing them to URL Substrings we've seen in other instances of Zeus.

On December 27, 2013, Malcovery's "Today's Top Threat" featured report was about a spam message that claimed to have an attached VoiceMail for you to listen to. Similar to today's malware distribution, a small Dropper/Downloader was used to download a copy of Zeus (in this case from the domains oilwellme.com and mistubishidehumidifiers.co.uk). (VirusTotal report - 11 of 48 AV products detected this at the time of our report.)

When we dumped memory for that copy of Zeus, we were surprised to see a very long list of Credit Unions! Please be sure to understand that we are not saying Zeus does not target "big banks" -- we still see the ANZ, Barclays, BBVA, BMO, CapitalOne, Chase, Citi, Discover, HSBC,

Police Credit Union
www.policecu.com.au
SGE Credit Union
cuviewpoint.net/mvpsge/
Swan Hill Credit Union
cuviewpoint.net/mvpstmarys/
Woolworths Employees Credit Union
Encompass Transport Credit Union
ibank.encompasscu.com.au
Family First Credit Union
cuviewpoint.net/mvpfamilyfirst/
Goulburn Murray Credit Union
www.policecu.com.au

I've pictured just a few of the targeted Credit Unions above, but there were more than FORTY credit unions just targeted in that single version of Zeus!

In today's "Wells Fargo Spam" version of Zeus, we had several other small brands targeted:

Vancouver City Savings Credit Bank
vancity.com
Jefferson Bank of Missouri
jefferson-bank.com
Nashville Citizens Bank
nashvillecitizensbank.com
Elan Financial Services
myaccountaccess.com
First Data StatementLook
statementlook.com

Why are small brands targeted? Sometimes it may be because the malware delivery has been targeted to a particular geographic location where the small bank is prominent. More likely, it is because the criminals have some local resource in that location that is able to assist with money muling and "cashing out" compromised accounts.

Elan Financial Services is an interesting one. By targeting this portal, the criminals may be able to target the 1600 banks and 400 credit unions that a financial services company such as Elan may service through their portal. FirstData's StatementLook service is another targeted today, which also serves as an EBPP (Electronic Bill Payment & Presentation) allowing many smaller boutique credit card providers to off-load the electronic banking aspects of their service to a central location. Many other portals for online banking and financial services for smaller banks and credit unions can also be found from time to time in the Zeus Malware Configuration files (also known as ".BIN" files). For example, many small banks use the "NetTeller" service, or "MyCardStatement.com", or other types of Integration services, such as "FundsDirect.co.uk" which is a front end to 2300 different investment funds, all also targeted by today's Zeus.

Small Banks as Phishing Targets

Of course it isn't just malware that is beginning to target smaller banks. Last year was a record-breaking year for the number of phishing sites that were seen by Malcovery -- more than 700 different brands were targeted! Some of the smaller brands that we've seen over the last year included not only Banks, but also Credit Unions, and even regional Cable systems!

First Convenience Bank (Texas)
with phishing servers in Iran
First Niagara Financial Group
with phishing servers in Pakistan
Buckeye Cable Systems
with phishing servers in Poland and Sweden