Hijacking of Browser

This is a most dangerous attack, because it enables the criminal to insert themselves into your session with an online account. You log in to your bank, and once you have supplied your credentials, including any additional codes sent to your cellphone and the like, the crook takes over the session, setting up new payees or transfers and robbing your account. Since the malware in your browser is always there, the next time you log in it will adjust the balance you see to hide the money it has already stolen.

Zeus is a Trojan horse that steals banking information by man-in-the-browser (MitB) keystroke logging and form grabbing. The following is a description of how Zeus works:

  • Infects your browser
  • Senses that you are logging in to your bank or a shopping site
  • Hijacks the session after you have logged in, showing you a page like ‘server is down’
  • Sets up a new payee and sends money from your account to that payee (a money mule)
  • Money mule transfers money to fraudster and closes the account
  • Next time you log in to see your bank balance, Zeus will intercept it and alter the balance so it does not reflect the money stolen

Recent major innovations make the Zeus trojan extremely dangerous:

  • Automatically bypassing two-factor authentication reduces or eliminates manual intervention by the fraudster, hugely improving fraudsters’ productivity and enabling many more people to become fraudsters
  • ‘Customizing’ the encryption lets the malware go undetected by anti-virus, with the result that 1 in 50 PCs is likely to be infected and fraudsters go after larger amounts
  • Fraudster rings intend to commit mega-frauds
  • Businesses transacting online can no longer sweep this under the rug.

No Adequate Defense Exists

Each traditional authentication factor has been compromised and is ineffective against a Man-in-the-Browser (MitB) attack:

Something you know:

Something you have:

  • Hardware tokens are ineffective against MitB, as is anything tied to the device or IP address

Something you are:

  • Fingerprints and other biometrics are all vulnerable to interception; crooks build databases of them, and once compromised they cannot be changed, which makes things easier for the criminals. They are no match against MitB