Wednesday, September 29, 2010

Zeus a greater risk to IE & Firefox users

Police have arrested nineteen people suspected of stealing millions from online bank accounts with the aid of a computer virus. The suspects are alleged to be part of a gang that has stolen at least £6m in the past three months. But while this plot may have been disrupted, a risk still exists for thousands of computer users who fail to protect themselves from hackers, fraudsters and virus attacks.

"We believe we have disrupted a highly organised criminal network, which has used sophisticated methods to siphon large amounts of cash from many innocent people's accounts, causing immense personal anxiety and significant financial harm - which of course banks have had to repay at considerable cost to the economy," Detective Chief Inspector Terry Wilson of the Metropolitan Police said. 

But he advised computer users to be vigilant and increase their guard. "Online banking customers must make sure their security systems are up to date and be alert to any unusual or additional security features requested which is at variance with their normal log-on experience. Greater public awareness and education will make it harder for personal details to be compromised and for this type of fraud to be carried out." [BBC]

The virus responsible in this case is known as ZeuS, a Trojan horse that steals banking information by keystroke logging. ZeuS is spread mainly through drive-by downloads and phishing schemes. ZeuS has been around for some time, but the publicity surrounding it has only recently made major headlines [Sky News].

First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that ZeuS had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

ZeuS' current botnet is estimated to include millions of compromised computers, around 3.6 million in the United States alone. As of October 28, 2009, ZeuS had sent out over 1.5 million phishing messages on Facebook, and more recently LinkedIn users were targeted with attacks [ZDNet].

Such attacks have been verified on several versions of Internet Explorer and also affect Firefox, said Cisco senior security researcher Henry Stern. ZeuS may inject HTML into the pages rendered by the browser, so that its own content is displayed together with, or instead of, the genuine pages from the bank's web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one-time passwords, etc.
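The extra fields described above are what gives an injected page away. The following is an added example, not part of the original post: it compares the form fields in a snapshot of the rendered login page against a known-good copy of the bank's form and reports anything that was added. The sample HTML, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collects (name, type) for every input, select and textarea in a page."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        # Fall back to the id when a field has no name attribute.
        name = (a.get("name") or a.get("id") or "").lower()
        default_type = "text" if tag == "input" else tag
        ftype = (a.get("type") or default_type).lower()
        self.fields.add((name, ftype))


def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def unexpected_fields(baseline_html, rendered_html):
    """Fields present in the rendered page but absent from the known-good form."""
    return sorted(form_fields(rendered_html) - form_fields(baseline_html))


# Constructed sample: the genuine log-on form as served by the bank.
BASELINE = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>"""

# Constructed sample: the same form as rendered with injected fields.
RENDERED = BASELINE.replace(
    '<input type="submit"',
    '<input type="text" name="card_number">\n'
    '  <input type="password" name="card_pin">\n'
    '  <input type="submit"',
)

if __name__ == "__main__":
    for name, ftype in unexpected_fields(BASELINE, RENDERED):
        print(f"unexpected field: {name} ({ftype})")
```
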

ZeuS is very difficult to detect even with up-to-date antivirus software. This is the primary reason why its malware family is considered the largest botnet on the Internet. Security experts are advising that businesses continue to offer training to users to prevent them from clicking hostile or suspicious links in emails or on the web while also keeping up with antivirus updates. Symantec, one of the leading anti-virus companies, claims its Symantec Browser Protection can prevent "some infection attempts", but it remains unclear if modern antivirus software is effective at preventing all of its variants from taking root. Even some mobile phones are now being targeted [eWeek].

While using more secure browsers like Google Chrome will help prevent some attacks, it is also important to observe other security measures. One repeated measure is to use different passwords for every website registration and where possible change passwords regularly. Using mnemonic passwords can prevent some but not all attempts to violate accounts. Real words, pet names and so on are easily guessed, but mnemonic passwords are much harder to crack. An example might be Richard Of York Gave Battle In Vain which gives the password ROYGBIV. This may be made more difficult to crack by substituting numbers for certain letters, thus ROYGBIV becomes R0YGB1V. Using longer mnemonics, upper and lower case and special symbols makes for even stronger passwords, but can still be constructed for easy recall.

It goes without saying that antivirus software should be kept up-to-date and that scans should be performed regularly. Paid versions are generally better but free versions of such software are better than nothing. Data on your computer should also be backed up regularly, either to the cloud, to discs or external hard drives, or even all three.

Of course there is no absolute security. As with driving a car there are inherent risks. Taking precautions will help and some are obligatory. Ignoring driving regulations will lead to accidents or a brush with the law and not locking your vehicle might lead to theft. Using a computer, especially connected to the Internet, poses risks too. Death might not occur by failing to observe certain advice, but failing to protect yourself from ID theft, bank fraud or data corruption may be very uncomfortable and costly. If you do become a victim of a cyberattack you are not alone. Even nation states are not immune from viruses as recent attacks in Iran show [Sky News / CNN]. This is little consolation for the damage brought by such attacks.

See also : tvnewswatch - web users still at risk from clickjacking / tvnewswatch - fake software invites attacks

tvnewswatch, London, UK
