Bankers Beware Fast-Spreading Facebook Malware

Crooks long ago began ensnaring social network users to infect their computers with the Zeus Trojan virus. Evidence suggests hackers are using the malware to target bank customers via Facebook in larger numbers.

Internet security company Trend Micro says it's seen the proliferation of the malware kit ZeuS/ZBOT increase since the beginning of the year.

"ZBOT variants surged in the beginning of February and continued to be active up to this month," wrote Jay Yaneza of Trend Micro, in a company blog post. "It even peaked during the middle of May."

The variant embeds itself in a link that appears in Facebook messages and fan pages. If clicked, the link sends users to cloned bank websites that capture a person's Social Security number, among other sensitive information. That information is later sold on the black market.

Indeed, the practice is old hat, says Satnam Narang, a security researcher at Symantec.

"This is a kind of a known thing in the industry," says Narang. "These social networks have been an area where cyber criminals go because there is an inherent trust placed in those networks. So if I decide to target these users by using a botnet, or I'm a bad guy, I can spread my malware to someone who has a bunch of user accounts."

The timing of the virus' resurgence makes sense, says Robert E. Lee, an Intuit business analyst who specializes in authentication.

"I think the biggest draw to Facebook isn't necessarily the information on Facebook," he says. "I don't think cybercriminals are trying to take over people's social media accounts. As we see more and more sites use Facebook for authentication, taking over Facebook [to obtain users' credentials] makes a lot of sense."

That should provide particular pause to bankers who are considering social login as a method for online customer account access.

There are, however, ways around that, says Lee.

He says that Intuit treats social login as a lower form of sign-on than, say, a traditional username and password.

"We only allow them to perform certain types of transactions, so at some point they can log in with Facebook, but before they do anything we might have additional challenges before we enable that additional access," Lee says.
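The tiered approach Lee describes, treating a social login as a lower form of sign-on and requiring an additional challenge before sensitive actions are enabled, as an added Python example (not Intuit's code or the article's). The login methods, action names and the assurance each one requires are assumptions chosen for illustration:

```python
"""Tiered authentication policy (added example; the tiers, actions and
login methods below are constructed for illustration, not a real bank's).

A federated login (e.g. "Log in with Facebook") establishes a low-assurance
session that can only read account data. Money movement requires a step-up
challenge first, so a hijacked social account alone cannot move funds.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered assurance levels; a higher value is a stronger proof of identity."""
    NONE = 0
    SOCIAL = 1      # federated login via a social network (assumed tier)
    PASSWORD = 2    # the institution's own username and password
    STEPPED_UP = 3  # an additional challenge passed in this session


# Assumed mapping from login method to the assurance it confers.
LOGIN_ASSURANCE = {
    "facebook": Assurance.SOCIAL,
    "password": Assurance.PASSWORD,
}

# Assumed policy: the minimum assurance each action requires.
# Wire and ACH transfers never trust a social login on its own.
ACTION_POLICY = {
    "view_balance": Assurance.SOCIAL,
    "view_transactions": Assurance.SOCIAL,
    "update_email": Assurance.PASSWORD,
    "wire_transfer": Assurance.STEPPED_UP,
    "ach_transfer": Assurance.STEPPED_UP,
}


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.NONE
    audit: list = field(default_factory=list)  # decisions worth logging for fraud review

    def login(self, method: str) -> None:
        """Start the session at the assurance level the login method earns."""
        self.assurance = LOGIN_ASSURANCE[method]
        self.audit.append(f"login via {method} -> {self.assurance.name}")

    def step_up(self, challenge_passed: bool) -> None:
        """Raise assurance only when the extra challenge succeeds; a failure is
        recorded rather than silently ignored, since it is a useful fraud signal."""
        if challenge_passed:
            self.assurance = Assurance.STEPPED_UP
            self.audit.append("step-up challenge passed")
        else:
            self.audit.append("step-up challenge FAILED")

    def authorize(self, action: str) -> bool:
        """Allow the action only if the session's assurance meets the policy."""
        required = ACTION_POLICY[action]
        if self.assurance >= required:
            self.audit.append(f"allow {action}")
            return True
        self.audit.append(
            f"deny {action}: need {required.name}, have {self.assurance.name}"
        )
        return False


def allowed_actions(session: Session) -> list[str]:
    """Actions the session may perform right now without a further challenge."""
    return sorted(a for a, lvl in ACTION_POLICY.items() if session.assurance >= lvl)


if __name__ == "__main__":
    s = Session("alice")
    s.login("facebook")                 # social login: read-only tier
    print(allowed_actions(s))           # ['view_balance', 'view_transactions']
    print(s.authorize("wire_transfer"))  # False: step-up required first
    s.step_up(challenge_passed=True)
    print(s.authorize("wire_transfer"))  # True after the extra challenge
    print("\n".join(s.audit))
```

The point of the audit trail is that denied actions and failed challenges from a social-login session are exactly the events an anti-fraud team would want surfaced, regardless of whether the account is otherwise classified as low-risk.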

Once a customer's information is stolen, banks can do little to stop the crime, says Ken Baylor, a research vice president at information security research and advisory company NSS Labs.

"This is all happening on banks' customers' machines," he said in an email to American Banker. "Hopefully the bank's anti-fraud tools can detect it, but since the accounts that have dual approval are classified as low-risk, they likely won't be looking at them as hard as other high-risk accounts."

The difference between a high-risk account (one holding a lot of cash) and a low-risk one (holding less) is how much money can be moved out of it by wire transfer or ACH, Baylor explains.

That leaves the banks in a tough position, with few ways to stop the fraud.

"What we can learn from ZeuS/ZBOT's spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these," wrote Yaneza.
