The Zeus keystroke-logging Trojan has become the tool of
choice in 2009 for some very successful criminals, leading to over $100 million
in attempted losses as of October, according to the FBI. A public school
district in Pennsylvania lost $700,000 in a two-day attack, and a county
government in Kentucky lost $415,000 during a week-long attack. In the Kentucky case, the Zeus-based
attack circumvented the bank's multi-factor, out-of-band authentication and
authorization scheme. Details about the attacks may be found in the following
articles: "An Odyssey of Fraud" and "The Pitfalls of Business Banking".
The Trojan enables the criminals to gain complete control of
an infected computer, which they then use to impersonate the rightful owner and
fraudulently authorize many high-dollar-value funds transfers via ACH and
traditional wire methods. More information about Zeus and other malware can be found
in the following articles: "Crimeware: What I didn't know" and "Modern banker malware undermines two-factor authentication".
According to the Internet Crime Complaint Center (IC3) in an Intelligence Note released on November 3, the criminals have successfully
exploited small and medium businesses, municipal governments, and school districts.
The victimized institutions have tended to be local
community banks and credit unions, many of which use third party service
providers to process ACH transactions. According to the IC3, "FBI interviews revealed that the threat stems not
only from the malware involved in these cases, but the vulnerabilities
presented by the lack of controls at the financial institution or third-party
provider level. For instance, in
several cases banks did not have proper firewalls installed, nor antivirus
software on their servers or their desktop computers. The lack of
defense-in-depth at the smaller institution/service provider level has created
a threat to the ACH system."
The main distribution method for this Zeus Trojan has been
phishing-type e-mails and fake websites distributed and hosted by the Avalanche
criminal group. The Internet
Corporation for Assigned Names and Numbers (ICANN) has released a security advisory to all domain registrars about this attack vector.