
Facebook Zeus malware targeting bank accounts


Leading security firms have detected a new variant of the Facebook Zeus malware that exploits the popular social network to target users’ bank accounts.

A Facebook Zeus malware variant (aka ZeuS/ZBOT) has been detected by leading security firms, confirming the longevity of the malicious code and the ability of cybercriminals to customize it according to their needs.
Symantec was one of the first companies to detect the Facebook Zeus virus and its capability to drain users’ bank accounts. The malicious code uses phishing messages as its method of propagation: a compromised account is used to automatically send messages to its contacts with links to ads, usually for a video or product.
The new Facebook Zeus instance is able to infect only Windows users; there is no news of a variant that targets Linux or Mac OS X systems.
The Facebook Zeus malware appears very complex: it is able to replace a bank’s web site page with a fake one used to capture social security number data and other information from the victims. Once again, cyber criminals do not directly use the credentials they collect but resell them on the black market within a Fraud as a Service (FaaS) model.

How does Facebook Zeus steal victims’ credentials?

ZBOT connects to a remote site to download its encrypted configuration file containing the following information:

  • Site where an updated copy of itself can be downloaded
  • List of websites to be monitored
  • Site where it will send the stolen data

Figure: Facebook Zeus communication with the C&C server

“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.” reported a Trend Micro post.

Figure: Facebook Zeus statistics

According to Trend Micro, the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Although Facebook is aware of the spread of the Facebook Zeus malware, so far it appears not to have taken notable countermeasures. Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), declared that he has tried to warn Facebook about the spread of the cyber threat. I contacted Mr Feinberg requesting more information on the event and he told me:

“The best way to describe how we uncovered the Zeus malware is as follows. I observed that the Russian Business Network was creating fake Facebook profiles that were posting .tk links to websites selling counterfeit merchandise. The .tk links caught my attention when I did a URL query of these .tk links; the URL query report listed these as likely hostile and from the Russian Business Network. I turned the links over to a colleague who identified the Zeus botnet.”
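
The following Python example is added here and is not part of the original article or of any vendor's tooling. It flags senders that push the same .tk link host to several contacts within a short window, the pattern the article describes for compromised accounts, so those hosts can be submitted for a reputation lookup; the message tuple format, the thresholds and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample messages: (sender, recipient, unix time, text). Not real data.
MESSAGES = [
    ("acct_17", "friend_a", 1000, "check this video http://shop.constructed-sample.tk/v?id=1"),
    ("acct_17", "friend_b", 1004, "check this video http://shop.constructed-sample.tk/v?id=2"),
    ("acct_17", "friend_c", 1009, "check this video HTTP://Shop.Constructed-Sample.TK./v?id=3"),
    ("acct_22", "friend_d", 1010, "lunch? menu at https://cafe.example.com/menu"),
    ("acct_30", "friend_e", 1020, "my blog: http://hobby.constructed-sample.tk/"),
    ("acct_17", "friend_a", 9000, "photos from sunday https://photos.example.org/a1"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(text):
    """Return the normalized host of every http(s) link in a message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # urlsplit lower-cases the host
        if host:
            hosts.append(host.rstrip("."))  # drop a trailing root dot
    return hosts

def flag_senders(messages, tld="tk", min_recipients=3, window=60):
    """Map sender -> sorted link hosts worth a reputation lookup.

    A sender is flagged when one host under `tld` reaches at least
    `min_recipients` distinct recipients within `window` seconds.
    Both thresholds are assumed values, not taken from the article.
    """
    seen = defaultdict(list)  # (sender, host) -> [(time, recipient)]
    for sender, recipient, ts, text in messages:
        for host in link_hosts(text):
            if host.endswith("." + tld):
                seen[(sender, host)].append((ts, recipient))
    flagged = defaultdict(set)
    for (sender, host), hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            burst = {r for t, r in hits[i:] if t - start <= window}
            if len(burst) >= min_recipients:
                flagged[sender].add(host)
                break
    return {s: sorted(h) for s, h in flagged.items()}

if __name__ == "__main__":
    for sender, hosts in flag_senders(MESSAGES).items():
        print(sender, "->", ", ".join(hosts))
```

A single .tk link sent to one contact (acct_30 in the sample) is not flagged; only the burst to several recipients is.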

The majority of the victims of the Facebook Zeus malware are located in the USA and UK; other cases have been recorded all over the world, including India, Russia and South Africa.
The resurrection of the Facebook Zeus variant is not surprising: the cybercriminal underground never stops making a profit on old cyber threats, and this prolific business is growing daily in the underground.
Pierluigi Paganini
(Security Affairs – Zeus, cybercrime, Facebook)