Online Banks Exposed to an Intelligent Trojan that Transfers Money and Fakes Account Balances


Zeus, a Trojan that earlier could only copy usernames and passwords of online banking customers, has transformed into a new, super-intelligent Zeus v3, which can self-initiate fund transfers to different bank accounts. Little more than a month old, Zeus v3 is draining bank accounts in the UK.

A new version of the notorious “Zeus” virus, which cannot be detected by traditional firewalls, has stolen £675,000 from about 3,000 online customers of a British bank, the experts claimed. The funds have been transferred out of the online accounts, which are held by businesses and individuals, since early July.

Experts at M86 Security, which specializes in online fraud, said the virus checks to see how much money the accounts contain, steals it, and covers its tracks by showing the customer fake bank balances.

What makes this Trojan unique is its sophistication and intelligence. 

  • The gateway for this Trojan is no longer restricted to dubious websites. It can infect legitimate and popular websites with malware and gain entry to user machines through genuine-looking but malicious advertisements served on these sites.
  • Once the Trojan is installed on the victim’s PC, it lies inactive until the victim logs in to online banking.
  • Once the victim is logged in, the Trojan initiates money transfers from the victim’s account to the fraudulent beneficiaries via other compromised bank accounts.
  • After transferring money, Zeus even serves a fake account balance screen.
  • The Secure Sockets Layer (SSL), a method used to encrypt data during transfer from the client machine to the bank server, isn’t good enough, as Zeus gets hold of the data just before it is encrypted.
  • All this happens in the background while the user is online and busy performing other banking tasks.

Zeus is not all that cruel. It is known to spare the last 50 bucks in the victim’s account.

A Few Tips

Dual Factor Authentication: Some banks use dual factor authentication and require their customers to enter a randomly generated numeric code to log in and each time a money transfer transaction is initiated.

Although a little cumbersome, if your bank offers some kind of dual factor authentication / security token device, opt in.

Mobile Alerts: Almost all banks these days offer to deliver (mostly free) transaction alerts to your mobile phone. Customers can also specify events that should trigger these alerts.

A timely alert of any unexpected debit (or credit – although desirable, it could be an indication of a compromised account) may be useful in arresting further damage or for taking appropriate, timely action. Register your mobile phone with your bank to receive account alerts. Remember to update the mobile number if you change your number.

Funds Transfer Limits: Online banking offers a facility to transfer funds to your own accounts as well as to other 3rd party accounts. It also allows customers to set limits for each such transfer, along with a daily transaction limit. Review your online fund transfer limits and set them to the minimum required.

Isn’t Zeus intelligent enough to amend the pre-specified transfer limits on the fly? Well, even if it develops that intelligence, the fact that most banks take about 24 – 48 hours to activate the revised limits would prevent any fund transfer beyond your specified transfer limit (I know how many times I have cribbed over this delay but it’s not always bad).
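
The reasoning above about delayed limit changes, sketched from the bank's side as an added example (not code from the original article or from any bank): a daily transfer limit whose increases only take effect after a delay, so a raise requested inside an infected session does not help the fraudulent transfer. The class and function names, the 24-hour delay, the immediate handling of decreases and the sample amounts are all assumptions.

```python
from datetime import datetime, timedelta

ACTIVATION_DELAY = timedelta(hours=24)  # assumption: lower end of the 24-48 hour delay


class TransferLimitPolicy:
    """Daily third-party transfer limit whose increases only activate after a delay."""

    def __init__(self, daily_limit):
        self.daily_limit = daily_limit
        self.pending = None   # (new_limit, activates_at) for a requested increase
        self.spent = {}       # calendar date -> total already transferred that day

    def request_limit_change(self, new_limit, now):
        """Queue an increase or apply a decrease; return when the change is active."""
        if new_limit <= self.daily_limit:
            # Lowering the limit reduces exposure, so apply it at once (design assumption).
            self.daily_limit, self.pending = new_limit, None
            return now
        # An increase is only queued; a session hijacked right now cannot use it.
        self.pending = (new_limit, now + ACTIVATION_DELAY)
        return self.pending[1]

    def effective_limit(self, now):
        """Activate a queued increase once its delay has passed, then return the limit."""
        if self.pending and now >= self.pending[1]:
            self.daily_limit, self.pending = self.pending[0], None
        return self.daily_limit

    def authorize(self, amount, now):
        """Return True and record the transfer only if it fits today's remaining limit."""
        used = self.spent.get(now.date(), 0)
        if amount <= 0 or used + amount > self.effective_limit(now):
            return False
        self.spent[now.date()] = used + amount
        return True


def simulate_hijacked_session():
    """Constructed scenario: the limit is raised, then large transfers are attempted."""
    t0 = datetime(2010, 8, 10, 9, 0)            # constructed timestamp
    policy = TransferLimitPolicy(daily_limit=200)
    policy.request_limit_change(5000, t0)       # raise requested inside the infected session
    results = [
        policy.authorize(3000, t0 + timedelta(minutes=1)),  # over the still-active 200 limit
        policy.authorize(150, t0 + timedelta(minutes=2)),   # fits within 200
        policy.authorize(100, t0 + timedelta(minutes=3)),   # 150 + 100 would exceed 200
    ]
    return results, policy.effective_limit(t0 + timedelta(hours=25))
```

In this model the exposure during the delay is capped at the old daily limit, which is also the window in which a mobile alert about the limit change can reach the customer.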

Pre-designated Transfers: If you are required to frequently transfer funds to a select few 3rd party accounts, use the facility of pre-designated transfers rather than non-designated third party transfers. It is relatively safer to set up higher transfer limits for pre-designated fund transfers.

Check Balances: Check your account balances more often over phone banking or every time you use an ATM. Avoid visiting your bank branch to check account balances; it may cost you money.

This article was first published by Anand on Indiabanks
