Before PCs and the Internet, Zeus was an ancient Greek “father” god who wielded a mean lightning bolt and settled divine disputes. Today, Zeus is a pervasive botnet, reportedly infecting 3.6 million computers in the U.S. and actively looking for more.
Modern Zeus attacked in July using email advertisements for Internet postcards. Victims clicked on the emailed link to view the desired postcard and pow! Zeus installed malware that wakes up whenever the victim visits banking, email or other sensitive online accounts.
A few months later, Zeus shifted to the tactic of emailing fake warnings from the FDIC. Victims were asked to check their deposit insurance coverage by clicking on the emailed link. If they believed what they read, they clicked and were infected with the Zeus virus.
When several banks and the FDIC sent out warnings about this Zeus tactic, we heard that Zeus opened a new front on Facebook, pumping out 30,000 Facebook phishing messages per minute.
The Facebook email informs users that the company is updating their log-in system to increase security. To complete the process, each user needs to click on the update button in the email. Doesn’t that make perfect sense?
Never mind that most companies update their online products without user participation. But that’s just one of the obvious miscues. Victims were asked to log in for the security update. Once they did, they downloaded an ‘update tool’, which installed the Zeus virus.
The aim in all this is to create an army of remote-controlled computers with access to bank accounts. It’s really self-funded crimeware, millions of computers strong and growing more potent with every forged click of the mouse.
Who’s feeding these criminals? Children who want to help Mom and Dad. Young adults who want to stay in touch with dates and friends. Parents who want to check on their kids. Businesses that want to tap the popular social networking market. Entertainers who want to sell more tickets to their shows.
This takes us to the crux of the Internet security problem. Something cool emerges on email or Facebook or Twitter. Consumers rush to participate. Businesses scramble to catch up. And security people shake their heads at the pile of best practices abandoned by people out for a good time.
Criminals have always known that consumers work this way. That’s why we find criminals in tourist spots and new venues, like social networks on the Internet.
The question for security-minded bankers is: are we doomed to repeat the cycle of new technology, new crime, new warnings, new jailbirds? Or will consumers tolerate a clampdown on all new technology until the security can be worked out?
We suspect the answer to the first question and know the answer to the second. By the time security is ready, we fear that the “cool” cycle will have moved on. But if the criminals reach deep enough into a broad enough cross-section of pockets, the next cool thing might include security in its coolness. That might be enough to break a few of these crime cycles.
In the meantime, banks need to continue teaching their customers to stay away from phishing emails and messages. If the term “your account” appears anywhere in the message, tell your customers not to click. As a matter of fact, they shouldn’t click any emailed links that haven’t been verified by a web-filtering system.
If you have been cautioning your customers, they are most likely thanking you for your warnings by this point. Keep it up, and your customers will view your bank as the ancient Zeus, wielding a just lightning bolt and settling divine disputes.