New P2P Zeus Variant Targets Popular Sites with Bogus Offers

Facebook, Gmail, Yahoo and Hotmail users should beware of rogue rebate offers and new secure payment options aimed at getting them to part with their debit card information.

Earlier this week Amit Klein, CTO of Trusteer, announced the discovery of a peer-to-peer variant of the Zeus platform that leverages trusted relationships and well-known brands to convince users to sign up for convenient services and better secure debit card transactions. On each site, the attack displays a little differently.

“In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account,” Klein wrote in a blog post. “The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code and PIN.”

The fraudulent message even includes a footnote explaining the debit card PIN is for verification purposes only and should never be disclosed to anyone, including family and friends.

In attacks against Gmail, Hotmail and Yahoo users, the malware offers a new authentication service from Verified by Visa and MasterCard SecureCode supposedly used by 3,000 online stores since January 1, 2012.

Many merchants require a 3D Secure password to complete an online transaction; Klein notes this attack doesn’t compromise 3D Secure but instead uses the Visa and MasterCard brands to add credibility.

The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts, all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively. It also maintains that Hotmail users lacking the 3D Secure code won’t be able to use Hotmail to make online purchases. The fraudulent site also claims that participation in the program protects against future fraud.

Trusteer officials believe this may be the first time a web injection attack has targeted 3D Secure. A company spokesman on Wednesday said the company is not sure how many victims may have fallen for the scam, but the numbers could be considerable given the clever social engineering and the popularity of the targeted service providers.
