Zeus 3 attack steals £675,000 from UK bank


Hackers have hit a UK bank with a Zeus version 3 Trojan, compromising around 3,000 customer accounts and taking 675,000 between 5 July and 6 August.

They combined the Zeus malware with exploit toolkits to remain undetected by anti-fraud systems, M86 Security Labs has discovered.

Once the victim's system had been infected and they entered their online banking service, Zeus v3 was able to initiate transfers from user accounts to the criminal masterminds.

Money mules were used to support the operation, as legitimate bank account holders were duped into becoming unsuspecting middlemen, helping transfer funds for the cyber criminals.

Talking about how this attack is unique, Bradley Anstis, vice president of technical strategy for M86 Security, noted it focused on only one, as yet anonymous, financial institution.

"Typically these guys are lazy and they'll go after the low hanging fruit," Anstis told IT PRO.

"The attack is still going on. We've been tracking it since about the end of July, but we can see log files back to the beginning of July so we're not exactly sure when the actual attack started."

It is likely more than 675,000 has been stolen by the hackers, Anstis said.

"You certainly don't need to go bursting through the front door of your bank with a pistol in your hand anymore," he added.

"I think banks maybe need to take their controls to a higher level."

The hackers in this case were highly sophisticated. They used a number of techniques to spread the malware, including the publishing of malicious ads on legitimate websites, or simply infecting such sites.

By using the Eleonore Exploit Kit, the cyber criminals were also able to determine what country an infected user was based in and in this case they targeted UK bankers.

As soon as victims logged into their internet banking service, the Trojan sent the login ID, date of birth and a security number back to the command and control (C&C) server, which was located somewhere in Eastern Europe.

Zeus v3 would then be sent JavaScript code to replace the original bank JavaScript, used for the transaction form.

Data placed into the form was then sent to the C&C system rather than the bank and the information was analysed to determine how much money was in the targeted account.

Once the Trojan had been told which money mule was to be used and the illicit transaction was completed, Zeus v3 continued to listen to the bank response and report back to the C&C system.

The development comes hot on the heels of a Zeus version 2 botnet being uncovered, controlling over 100,000 computers.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.