ZeuS Attack! £6 Million UK Ring and LinkedIn Spam

Image from Cisco Systems' blog.

Remember ZeuS? It’s a Trojan that steals banking information by keystroke logging, and according to the BBC, it’s still kicking. This week, London’s Metropolitan Police Central e-Crimes Unit arrested fifteen men and four women, allegedly members of a gang that’s stolen £6 million over the last three months. Individual users were targeted, resulting in the siphoning of money from their accounts. Meanwhile, yesterday CNET reported that faked LinkedIn emails are spreading the ZeuS Trojan anew, with the largest such attack to date accounting for as much as 24% of all spam sent within a 15-minute period.

The BBC on the UK arrests:

Detectives said that the gang had harvested log-in details operated by a range of major banks. Once the gang had the personal details, they transferred cash into accounts set up solely to gather the money before it was laundered onwards.

Detective Chief Inspector Terry Wilson of the Metropolitan Police said it was likely that the amount known to have been stolen would “increase considerably” as the investigation continues.

Also known as Zbot, PRG, Wsnpoem, Gorhax, and Kneber, ZeuS is spread by drive-by downloads and phishing, and first surfaced in July 2007. In 2009, it compromised “over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek,” according to Wikipedia. It’s had several outbreaks since then, including several earlier this year — in April and then again in July. It also targets mobile phones.

Of the LinkedIn attacks, Cisco’s blog reported a huge increase in the percentage of all spam accounted for by the attack, to the point where messages in this attack represented as much as a quarter of all spam in a given 15-minute period.

Cisco’s report isn’t clear at all on what it means by “the largest such attack” — the largest LinkedIn attack, the largest ZeuS attack, the largest trojan attack — but the scale of the attack is clearly enormous. Sez Cisco:

This is not the first time that criminals have subverted brands associated with online social media. The criminals controlling the Cutwail botnet routinely send email messages impersonating major social networks and governmental organizations. What makes this attack unique is the combination of the extremely high volume of messages transmitted, the focus on business users, and the use of the ZeuS data-theft malware. This strongly suggests that the criminals behind this attack are most interested in employees with access to financial systems and online commercial bank accounts. According to the FBI’s Internet Crime Complaints Center, criminals stole more than US$100m in 2009 from commercial bank accounts using this and similar methods.
