Researchers at security provider Trusteer have discovered a social engineering malware campaign aimed at stealing victims' financial data.
The operation uses a variant of the Zeus Trojan in combination with elements of social engineering and exploitation of trusted commercial brands to trick targets into giving up their debit card information.
"We've recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the internet’s leading online services and websites. The attacks are targeting users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures. The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data," wrote Trusteer's Amit Klein.
The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to be popular for use in criminal operations.
Zeus can lay dormant for long periods until the user of the infected machine accesses targeted information, like banking accounts. Zeus then harvests passwords and authentication codes.
"These webinjects are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud," said Klein.
One aspect of this latest campaign is focused on Facebook users and employs spoofed registration forms branded with well-known company logos, according to Trusteer.
"In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code, and PIN," Klein explained.
A similar campaign is being conducted against Yahoo and Gmail users, again employing what appear to be valid forms with Visa and MasterCard branding.
"The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively... The victim is prompted to enter their debit card number, expiration date, security code, and PIN," Klein said.
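Both scams ask for the same field set, and that combination is a concrete signal a defender can check for: no online card transaction needs an ATM PIN, and a webmail or social-network page has no business collecting a card number with its security code. The following heuristic is an added example, not code from Trusteer's report or this article; its field patterns, the allowlisted payment host and the sample injected form are constructed assumptions.

```python
import re
from html.parser import HTMLParser

FIELD_PATTERNS = {  # field kinds, matched on input name/id/placeholder (constructed)
    "pan": r"card ?number|ccnum|debit ?card",
    "expiry": r"\bexp(iry|iration)?\b",
    "cvv": r"\bcv[vc]\b|security ?code",
    "pin": r"\bpin\b",
}
PAYMENT_HOSTS = {"checkout.example-bank.test"}  # constructed allowlist of payment hosts

class FormScanner(HTMLParser):
    """Records, per <form>, which card-data field kinds its inputs request."""
    def __init__(self):
        super().__init__()
        self.forms = []  # one set of field kinds per form, in document order
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = set()
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            hint = " ".join(a.get(k) or "" for k in ("name", "id", "placeholder"))
            hint = re.sub(r"[_-]", " ", hint).lower()
            for kind, pattern in FIELD_PATTERNS.items():
                if re.search(pattern, hint):
                    self._current.add(kind)

def suspicious_forms(html, host):
    """Field sets of forms that look like a card-harvesting webinject: a card number
    plus ATM PIN is never legitimate online; card number plus security code is
    suspect on a host (webmail, social network) that does not take payments."""
    scanner = FormScanner()
    scanner.feed(html)
    return [f for f in scanner.forms
            if {"pan", "pin"} <= f or (host not in PAYMENT_HOSTS and {"pan", "cvv"} <= f)]

# Constructed stand-in for the injected "cash back" form the article describes,
# followed by an ordinary login form that must not be flagged.
SAMPLE_INJECT = """
<form action="/cashback/register" method="post">
  <input name="card_number" placeholder="Visa / MasterCard debit card number">
  <input name="exp_date" placeholder="Expiration date">
  <input name="security_code" placeholder="Security code">
  <input name="pin" placeholder="ATM PIN">
</form>
<form action="/login"><input name="email"><input type="password" name="pass"></form>
"""
```

Run `suspicious_forms(SAMPLE_INJECT, "mail.example.test")` to see the injected form flagged while the login form passes; the same logic fits a browser extension or proxy that inspects rendered pages.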
The operation is yet another example of the power of social engineering, which plays on people's lack of situational awareness and innate tendency to trust. Particularly insidious is that this campaign uses security itself as the pretext for the fraud.
"This attack is a clever example of how fraudsters are using trusted brands – social network/email service providers and debit card providers – to get victims to put down their guard and surrender their debit card information... It's also ironic how in the Google Mail, Hotmail and Yahoo scams, the fraudsters are using the fear of the very cybercrime they are committing to prey on their victims," Klein explained.