Researchers have uncovered a new variant of the Zeus financial malware,
which looks to recruit users as money mules to process cybercrime
transactions.

According to a report from security vendor Trusteer, new variants of the
malware detect when a user is trying to access popular jobs site
CareerBuilder and inject code into local HTML files.

First detected as a financial malware tool, the Zeus trojan installs
itself on infected PCs and functions by injecting code into otherwise
legitimate HTML files. The malware is set up to detect when a user is
accessing a number of popular sites and to harvest account details or ask
for additional personal information. The technique allows Zeus to
covertly perform attacks without the need to compromise any of the actual
host servers or sites themselves.

In the case of CareerBuilder, researchers have found that Zeus injects
code claiming to be job offer links. Users clicking on the injected links
are then taken to a third-party site, which attempts to lure users in
with jobs such as mystery shopper positions.

In reality, however, experts say users are being recruited as money mules
for an organised cybercrime operation. Often operating without any
knowledge of wrongdoing, money mules are commonly used by malware
operators to receive payments from compromised accounts and then resend
the money as a wire transfer or by other means of laundering.

Trusteer said in its report: “While HTML injection is typically used for
adding data fields or to present bogus messages, in this case we
witnessed a rare usage that attempts to divert the victim to a fake job
offering.

“Because this redirection occurs when the victim is actively pursuing a
job, in this case with CareerBuilder, the victim is more likely to
believe the redirection is to a legitimate job opportunity.”

Because neither the CareerBuilder site itself nor any servers have been
compromised, users not infected with Zeus are not in danger from the
attack. Experts advise users to guard against Zeus and other malware
attacks by keeping system software, browser plugins and antivirus
software patched and updated.