Amit Klein, Trusteer: Zeus Adds Investment Fraud to its Bag of Tricks
April 2011 by Amit Klein, Trusteer’s CTO
Trusteer have recently discovered and investigated a very interesting new Zeus configuration sample that uses credible looking banner advertisements on major web sites to offer high rate of return investment opportunities. This attack is targeting some of the world’s leading and most trusted websites including: AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and many more. Adding investment fraud to its bag of tricks is a new twist for Zeus.
According to Amit Klein, Trusteer’s CTO, these attacks have only one purpose – to lure users into investing their money through a very convincing and professional looking website, https://ursinvestment.com, which is a fraud. We traced several examples of this configuration file to attacks on leading websites.
In one case, the Zeus mechanism embeds banners on the targeted websites which redirect to https://ursinvestment.com. We were surprised to see how well integrated the banner designs were with the attacked websites. Here are some examples of banners that appeared on Google and Bing pages.
Amit Klein, commented, “In a very sophisticated attack against Forbes.com, the cybercriminals inject a very compelling overview of the fictitious URS Investment Fund. They offer wealthy individuals the opportunity to achieve extremely high rates of return through a ‘prestigious’ investment program. The content developed for this attack establishes a new standard of credibility by fraudsters.”
Here is the text embedded by the Zeus injection code on the attacked pages at Forbes.com:
In a similar attack against the Yahoo Finance pages, the fraudsters actually claim that URS has established a partnership with Yahoo. In this scam, the criminals lowered the investment minimum to $1000. Here is the text added by the Zeus injection mechanism on "Banking & Budgeting" page of Yahoo.
Next we examined https://ursinvestment.com .
Like the injected code, the website is professionally designed and user friendly with a simple registration process. It asks the user to enter login and password details. However, it does not allow the user to recover his/her account credentials.
Upon registration, users are prompted to upload funds though a Bank Wire Transfer or using Western Union. Next, users are asked to choose an investment program. Three options are presented in significant detail for minimum investments of $1000, $5000, and $10,000. These include investment schedules, interest rate of return, and lump sum profits. Below is a screen we captured that promises 7%, 11.3%, 16% and even 32% rates of return.
Meanwhile, the "Our Partners" tab on the website lists companies that have been found in the Zeus configuration file including AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and others. We also found a Forbes logo on the Home page of the site. The links leading to the websites of the listed companies (dubbed "You can read more details on their websites") lead back to the pages attacked by this configuration of Zeus. The Zeus infected users that follow these links are presented with the same ’fake’ information about their partnership with URS.
We also checked WHOIS for information on ursinvestment.com and found that records only start on 03/11/2011. However, according to the website, the URS company has existed since 1995 and is based in the US. We did not find any company behind this website. https://ursinvestment.com has a valid SSL certificate, which was issued on March 20, 2011. A Google cache of the website from March 26, 2010 points to the default Apache website, which is empty. The website is hosted on an IP address (188.8.131.52) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website. Full details on the IP address can be found here.
This new attack is noteworthy for the level of sophistication and depth and breadth of content that the criminals have developed to make the scam appear legitimate and believable. Unlike many Zeus attacks, this is less about the attack code and all about selling the fraud scheme. With attack code already developed to the point where it can convincingly mimic real websites and trusted brands, it appears criminal groups are bulking up investments in marketing communications to make their scams harder to differentiate from legitimate business offers presented to web users. Without the ability for average web users to “spot” fraudulent offers, e-commerce may be threatened. As result, technology that secures web sessions and transactions must fill the void.