Zeus Malware Enables Fraudulent CNP Transactions

July 22, 2010

Trusteer, a New York City-based provider of secure browsing services, said last week that financial malware known as the Zeus Trojan, first identified in 2007, is targeting online banking customers of 15 major U.S. financial institutions by mimicking Visa and MasterCard online security tools.

When users whose computers are infected with the malware engage in an online banking session, the Zeus Trojan injects a facsimile of the Verified by Visa or MasterCard SecureCode enrollment screen into the browser. It then prompts users to enter their Social Security number, credit or debit card number, expiration date, and PIN or CSV code. The information gathered by Zeus is then used to make fraudulent Card Not Present transactions with retailers that employ Verified by Visa and MasterCard SecureCode protection.

“While some users may become suspicious when prompted to enter their credit or debit card information as part of the online banking login process, this attack uses the familiar Visa and MasterCard online fraud prevention programs to make the request appear legitimate,” said Amit Klein, CTO of Trusteer and head of the company’s research organization.

Zeus, which is also known as Zbot, WSNPOEM, NTOS and PRG, is the most prevalent banking malware platform for online fraud, affecting one in every 100 computers, according to Trusteer research. The company declined to name the financial institutions whose customers were most at risk from the Zeus malware.