The latest X-Force report, published by IBM’s security team, shows that banking malware is growing in sophistication. Cybercriminals have taken advantage of the increase in Internet activity caused by the Rio Olympics to deploy Zeus Sphinx and Zeus Panda malware in Brazil, with the probable support of local accomplices. Zeus Sphinx appeared a year ago in the UK.
Cybercriminals often step up their activity during sporting events, seeking to take advantage of increased online activity and interest in the competition to lure users to phishing pages and malicious spam emails. The Rio Olympics was no exception, according to a report released last week by X-Force, IBM’s security team, which pointed to two banking Trojans dubbed Zeus Sphinx and Zeus Panda. Both are considered sophisticated malware, “a notch above what we usually see in Brazil”, notes Limor Kessem, one of the managers responsible for these topics at IBM Security. Ordinarily, malware circulates in Brazil in the form of scripts or browser extensions, while Zeus, known for several years, is more complex, modular software, she points out. Both malware strains target Brazilian users, wait for them to access their online accounts, then intercept communications, modify websites, steal credentials and redirect payments. “It is likely that the attackers are based in Brazil or that they use local partners,” said Limor Kessem.
The malware communicates with centralized control servers to download custom configuration files, she explains. In both cases, the files were adapted to attack a payment system and three of Brazil’s largest banking institutions, as well as a bank in Colombia. To define a new banking target, attackers resort to social engineering methods that mimic the appearance of a banking site and require an understanding of banks’ authentication methods. These attacks “are capable of intervening in what Internet users see when they visit the page”, indicates Limor Kessem, explaining that they can, for example, ask the user for a social security number or their mother’s maiden name in addition to the username and password. This is where local accomplices are useful to attackers.
No spelling mistakes, better knowledge of how banks operate
It used to be easy to spot gross misspellings from cybercriminals trying to break into countries whose language they did not speak. Now that they are collaborating with people on site, it is easier for them to express themselves appropriately. They also have better knowledge of how banks work, which increases their chances of defrauding accounts. Adding a new target therefore becomes easy, the X-Force report underlines: it is enough to modify the configuration file. “It’s quite easy to do and criminals can do it at any time.”
The source code is the same for Panda and Sphinx. Both are based on Zeus source code that leaked in 2011 and became a widely used base for commercial malware sold in underground markets, Limor Kessem said, noting that Zeus Panda is highly localized. Apart from local banks, Panda targets a food supermarket, a police administration and a bitcoin exchange office, the latter of which is likely used by criminals to launder their fraudulent earnings.
Zeus Sphinx targets Brazilian banks as well, and it also attacks the Boleto Bancário payment platform, which is widely used to send money. It emerged a year ago, first attacking banks in the UK and Australia. Another report, published by RSA, estimates that the malware that targeted Boleto compromised nearly 4 billion transactions in the previous two years.