Zeus Goes Social
By John Jaser,
Internet Services Manager
Before PCs and the Internet, Zeus was an
ancient Greek ‘father’ god who wielded a
mean lightning bolt and settled divine
disputes. Today, Zeus is a pervasive
botnet, reportedly infecting 3.6 million
computers in the U.S. and actively
looking for more.
Modern Zeus attacked in July using email
advertisements for Internet postcards.
Victims clicked on the emailed link to
view the desired postcard and pow! Zeus
installed malware that wakes up whenever
the victim visits a bank, email or other
sensitive online account.
A few months later, Zeus shifted to the
tactic of emailing fake warnings from
the FDIC. Victims were asked to check
their deposit insurance coverage by
clicking on the emailed link. If they
believed what they read, they clicked
and were infected with the Zeus virus.
When several banks and the FDIC sent out
warnings about this Zeus tactic, we
heard that Zeus opened a new front on
Facebook, pumping out 30,000 Facebook
phishing messages per minute.
The Facebook email informs
users that the company is updating their log-in
system to increase security. To complete the
process, each user needs to click on the update
button in the email. Doesn’t that make perfect
Never mind that most companies update their
online products without user participation. But
that’s just one of the obvious miscues. Victims
were asked to log in for the security update.
Once they did, they downloaded an ‘update tool’
which installed the Zeus virus.
The aim in all this is to create an army of
remote-controlled computers with access to bank
accounts. It’s really self-funded crimeware,
millions of computers strong and growing more
potent with every forged click of the mouse.
Who’s feeding these criminals? Children who want
to help Mom and Dad. Young adults who want to
stay in touch with dates and friends. Parents
who want to check on their kids. Businesses that
want to tap the popular social networking
market. Entertainers who want to sell more
tickets to their shows.
This takes us to the crux of the Internet
security problem. Something cool emerges on
email or Facebook or Twitter. Consumers rush to
participate. Businesses scramble to catch up.
And security people shake their heads at the
pile of best practices abandoned by people out
for a good time.
Criminals have always known that consumers work
this way. That’s why we find criminals in
tourist spots and new venues, like social
networks on the Internet.
The question for security-minded bankers is: are
we doomed to repeat the cycle of new technology,
new crime, new warnings, new jailbirds? Or will
consumers tolerate a clampdown on all new
technology until the security can be worked out?
We suspect the answer to the first question and
know the answer to the second. By the time
security is ready, we fear that the ‘cool’ cycle
will have moved on. But if the criminals reach
deep enough into a broad enough cross-section of
pockets, the next cool thing might include
security in its coolness. That might be enough
to break a few of these crime cycles.
In the meantime, banks need to continue
teaching their customers to stay away from
phishing emails and messages. If the term ‘your
account’ appears anywhere in the message, tell
your customers not to click. As a matter of
fact, they shouldn’t click any emailed links
that haven’t been verified by a web-filtering
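The customer guidance above can be turned into message triage on the bank's side. The following is an added example, not code from the newsletter or its author: it applies the article's 'your account' rule to a message body and adds the link checks a filtering step would perform (link domain not on a verified allowlist, link domain differing from the sender's, visible link text that names one host while the href points at another, and a call to action attached to a link). The `TRUSTED_DOMAINS` allowlist is a hypothetical stand-in for the web-filtering verification the article recommends, and the four sample messages are constructed, modelled on the postcard, FDIC and Facebook lures described above plus one ordinary statement notice.

```python
"""Phishing-indicator triage for the lures the article describes.

Added example. Sample messages are constructed; TRUSTED_DOMAINS is a
hypothetical allowlist standing in for a web-filtering verification step.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains the institution has verified as its own.
TRUSTED_DOMAINS = {"examplebank.example"}

# Wording the article flags, plus the click/update/log-in call to action shared
# by the postcard, FDIC and Facebook lures.
FLAGGED_PHRASES = ("your account",)
CALL_TO_ACTION = re.compile(r"\b(click|update|verify|log ?in)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []          # each entry is [href, visible text]
        self.text = []
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_link = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        self.text.append(data)
        if self._in_link and self.links:
            self.links[-1][1] += data


def host_of(url):
    """Lower-cased host of a URL or bare hostname ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True when one host equals or is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def phishing_indicators(sender, html_body, trusted=TRUSTED_DOMAINS):
    """Return the sorted list of indicator names raised by one message."""
    parser = LinkExtractor()
    parser.feed(html_body)
    text = " ".join(parser.text)
    indicators = set()

    if any(p in text.lower() for p in FLAGGED_PHRASES):
        indicators.add("flagged_phrase")                 # the article's 'your account' rule
    sender_host = sender.rsplit("@", 1)[-1].lower()
    for href, label in parser.links:
        link_host = host_of(href)
        if not link_host:
            continue
        if not any(same_site(link_host, t) for t in trusted):
            indicators.add("untrusted_link_domain")
        if not same_site(link_host, sender_host):
            indicators.add("link_domain_differs_from_sender")
        label = label.strip()
        if LOOKS_LIKE_URL.fullmatch(label) and not same_site(host_of(label), link_host):
            indicators.add("display_href_mismatch")      # text names one host, href another
    if parser.links and CALL_TO_ACTION.search(text):
        indicators.add("call_to_action_with_link")
    return sorted(indicators)


def triage(sender, html_body, trusted=TRUSTED_DOMAINS):
    """Map indicators to a verdict: the flagged phrase alone is enough to block."""
    inds = phishing_indicators(sender, html_body, trusted)
    if "flagged_phrase" in inds or len(inds) >= 2:
        return "block", inds
    return ("review" if inds else "allow"), inds


# Constructed samples modelled on the article's three lures, plus a benign notice.
SAMPLE_MESSAGES = {
    "postcard": ("cards@greetings-lure.example",
                 '<p>You have received a postcard! <a href="http://cards.greetings-lure.example/view">'
                 'Click here to view your postcard</a>.</p>'),
    "fdic_warning": ("alerts@insurance-notice.example",
                     '<p>Important notice about your account. Check your deposit insurance coverage: '
                     '<a href="http://insurance-notice.example/check">www.deposit-insurance.example</a></p>'),
    "facebook_update": ("security@social-update.example",
                        '<p>We are updating our log-in system to increase security. '
                        '<a href="http://social-update.example/tool">Update now</a> and log in to complete the process.</p>'),
    "legit_statement": ("notices@examplebank.example",
                        '<p>Your monthly statement is ready. Sign in at '
                        '<a href="https://www.examplebank.example/">www.examplebank.example</a> as usual.</p>'),
}


def run_all():
    """Triage every sample; returns {name: (verdict, indicators)}."""
    return {name: triage(sender, body) for name, (sender, body) in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, (verdict, inds) in run_all().items():
        print(f"{name:16} {verdict:6} {', '.join(inds) or '-'}")
```

The allowlist is deliberately the only positive signal: a link earns trust by being on the verified list, not by looking plausible, which is the same stance the article takes toward unverified emailed links.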
If you have been cautioning your customers, they
are most likely thanking you for your warnings
by this point. Keep it up, and your customers
will view your bank as the ancient Zeus,
wielding a just lightning bolt and settling