Tuesday, August 17, 2010 Edition #572

Return to GCFBank.com Home Page



Today’s Highlights:
1st Flash: ANATOMY OF A TROJAN
2nd Flash: DISTRIBUTION AND PREVENTION


Weekly Spotlight:

Are you 55+ and enjoying the golden years? If so, you are eligible to take advantage of GCF’s Golden VIP checking account. No monthly service charge, free basic checks for the first year, free Online Banking including WebPay, free money orders, free Traveler’s Checks, free SafeLink, 10 percent discount on a GCF safe deposit box and more! Click for more details on GCF’s Golden VIP Club! PROGRAM CLOSED AS OF OCTOBER 1, 2011

Our Current Rates:

For a listing of our current deposit and loan rates, visit www.gcfbank.com/rates.aspx.

1st Flash
ANATOMY OF A TROJAN

It's been quite a few years since I've written a GCFlash piece on a specific threat. Hundreds of new ones were reported daily, all with similar characteristics and methods of prevention. Early threats were merely pranks pulled by smart kids. They became routine. Little harm was done outside of having to clean up and rebuild your hard drive, which we thought was troublesome at the time.

Until now. The ZeuS Trojan is so sophisticated and so elusive that even Internet security experts are scrambling to stop it.

Crimeware is a sophisticated tool used by global organized crime rings. It robs you of your identity. It doesn't stop at applying for credit in your name; it steals your life savings and displays a fake statement so you don't realize your account has been emptied.

The ZeuS Trojan has several aliases. It's also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber. It's spread through a variety of methods that we'll explore in the following article. But no matter the distribution channel, the purpose is the same. It targets banking information by keystroke logging.

ZeuS was first discovered in July 2007 when it was used to steal information from the U.S. Department of Transportation. It became more widespread in June 2009 when it was discovered to have compromised over 74,000 FTP accounts on websites of major companies.

Bank of America, NASA, Monster, Oracle, Cisco, Amazon and Business Week were just a few of those affected. A survey released in April 2010 reported that 88 percent of Fortune 500 companies were infected by ZeuS to some extent. Even if that number is somewhat inflated, it still spells trouble.

Machines controlled by the ZeuS Trojan have been detected in 196 countries, with the highest incidence reported in Great Britain, the United States, Mexico, Saudi Arabia and Turkey. An estimated 3.6 million PCs are said to be infected in the U.S. alone.

Criminals don't have to look far to gain access to the Trojan. A toolkit is readily available online in underground forums for prices ranging from $700 up to $4,000. A builder kit allows the crook to customize it to their own purposes, and generates a bot executable along with Web server files to act as the command and control server.

The current version even uses copy protection mechanisms similar to those Windows operating systems use to protect against unlicensed, pirated copies. The malware creates a kind of fingerprint of the hardware configuration when it's first started. The vendor then provides a personal license key for that unique configuration.

Once a system becomes infected, the Trojan remains dormant until the user visits a targeted list of banks or financial institutions. It waits until the victim tries to establish an online banking session and uses various ploys to steal login credentials.

It checks to see if the account holds enough cash, then transfers money to a "mule" account. These are legitimate bank accounts held by real customers. They could be cohorts of the villain who agree to receive the funds and then pass them on to someone else after taking a cut.

Or they could be innocent victims themselves, believing they found a work-at-home opportunity. They could have responded to pleas from someone in Nigeria who needed access to U.S. funds, or they could have been acting on a response to a classified sale ad they placed. In all cases, the victim was sent funds in excess of the legitimate value and told to refund the difference. They unknowingly became mules, laundering illegal money.

By the time the scam is discovered and investigated, the criminal is long gone.

Security software vendor McAfee reports that production of this type of malware reached a new high in the first six months of 2010, with 10 million new pieces of malicious code being catalogued in that time.

This new breed of attacks was designed to circumvent the multi-factor authentication banks now use to verify customer credentials. It intercepts the browser's web page request, hijacks the intended destination and modifies the page, running the malicious page transparently in the background. The page the user is seeing is not something the actual server sent.

The server may not be seeing what the user sent either. The malware can modify the transaction details, actually sending the funds intended to pay your bills to a mule account instead of your creditor. It then inserts its own HTML code into your transaction confirmation to display your intended recipient rather than the true destination. You believe your payment or transfer has been completed properly, and the bank believes it has honored your legitimate request.

Are you frightened yet? If not, you should be. The ZeuS Trojan is merely one example of this new breed of crimeware. Others in the same category are URL Zone, Bzub and Torpig, all distributed through readily available online toolkits.

While no incidents have yet been reported, it's only a matter of time before SpyEye dethrones ZeuS as King of Crimeware.

To learn how ZeuS is distributed and how to avoid becoming a victim, read on...

2nd Flash
DISTRIBUTION AND PREVENTION

Trojans differ from viruses in that they are not self-replicating. They will not scour your address book and send themselves to all of your contacts. They are spread manually, hiding inside websites, emails, images or downloads with the premise of offering a benefit to the intended victim.

Since ZeuS is sold as a customizable toolkit, each criminal using it will deliver the crimeware in their own fashion.

You might think twice about looking for free software. While the majority of freeware is legitimate, do some research before downloading a new utility. You'll often find malware downloaded along with your freebie. This holds true with screensavers as well.

ZeuS has targeted social networks as well as the banking industry. It has stolen login credentials on Facebook, Yahoo, Hi5, and other sites where personal information is easily accessible. See our May 18, 2010 issue of GCFlash for examples of how this Trojan infiltrates Facebook accounts.

In 2009, ZeuS was spread through phishing emails appearing to come from Verizon Wireless. It's believed nine million of these emails were sent. It also sent out over 1.5 million phishing messages on Facebook.

Adobe .pdf files are being increasingly used to deliver malware. Growth in this type of delivery has been staggering. It accounted for 11 percent of known attacks in 2008. By 2009, that number had reached 49 percent.

The .pdf attacks do not exploit a software vulnerability. Rather, they rely on a feature of Adobe's design. The victim is prompted to download and open a document named Royal_mail_delivery_notice.pdf. The malware is hidden in this download.

Our July 6, 2010 edition of GCFlash explained how cyberthieves are hiding their crimeware inside of display ads on legitimate websites. This ploy was used to empty the bank accounts of over 3,000 people in Great Britain. It was detected, coincidentally, on the same date our article was published, and was still in progress. Read the full article.

Most recently, ZeuS has been displaying fake enrollment screens for the "Verified By VISA" or "MasterCard SecureCode Security" programs on machines it infects. Once the victim logs into their bank, they're presented with a notice that new regulations require them to enroll in Verified By Visa or SecureCode. The Trojan then goes on to capture the personal information they enter on the fake enrollment screen.
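As an added illustration, not GCF's code and not anything taken from the Trojan itself, the Python below models two checks a bank's server side can make against the behaviour described in the two preceding flashes: the fake enrollment screen that asks for information the real login page never requested, and the transfer whose payee is swapped in transit while the confirmation page still shows the creditor you intended. The form names, field sets, secret key, account names and sample requests are all constructed for the example.

```python
"""
Two defender-side checks against a man-in-the-browser Trojan:

1. unexpected_fields(): flag a form submission that carries inputs the
   bank never served. A fake "enrollment" screen injected into the login
   page has to add its own fields (PIN, Social Security number, ...) and
   those arrive at the server along with the real ones.

2. out_of_band_message() / verify_confirmation(): bind a transfer
   confirmation code to the payee and amount the server actually received
   and deliver that text over a channel the infected PC does not control.
   A doctored confirmation page can hide the swapped payee in the browser,
   but not in the out-of-band message, and a code issued for the intended
   transfer does not verify against the altered one.

Every name, field set, key and sample request below is constructed for
illustration only.
"""
import hashlib
import hmac

# Fields the bank's own forms contain (constructed).
SERVED_FORM_FIELDS = {
    "login": {"username", "password"},
    "transfer": {"payee", "amount", "memo"},
}


def unexpected_fields(form_name, submitted_fields):
    """Return submitted field names that the served form does not contain."""
    served = SERVED_FORM_FIELDS[form_name]
    return sorted(set(submitted_fields) - served)


def confirmation_code(secret, payee, amount_cents):
    """Short code bound to the exact payee and amount the server received."""
    msg = f"{payee}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return digest[:8]


def out_of_band_message(secret, request):
    """Text to send by a separate channel (e.g. SMS), stating the transfer
    as the server sees it, so a browser-side alteration becomes visible."""
    code = confirmation_code(secret, request["payee"], request["amount_cents"])
    dollars = request["amount_cents"] / 100
    return f"Confirm transfer of ${dollars:.2f} to {request['payee']} with code {code}"


def verify_confirmation(secret, request, user_code):
    """Accept only a code computed over the request the server holds."""
    expected = confirmation_code(secret, request["payee"], request["amount_cents"])
    return hmac.compare_digest(expected, user_code)


# --- constructed scenario --------------------------------------------------
SECRET = b"constructed-demo-key"

# What the customer typed into the bill-pay form.
INTENDED = {"payee": "Electric Co.", "amount_cents": 12000, "memo": "Aug bill"}

# What a tampered browser forwarded to the bank: payee swapped for a mule.
RECEIVED = {"payee": "J. Smith (mule)", "amount_cents": 12000, "memo": "Aug bill"}

# A fake "enrollment" screen injected into the login page added two inputs.
INJECTED_LOGIN_POST = ["username", "password", "card_pin", "ssn"]


def demo():
    """Run both checks on the constructed scenario."""
    flagged = unexpected_fields("login", INJECTED_LOGIN_POST)
    message = out_of_band_message(SECRET, RECEIVED)
    # A code issued for the transfer the customer intended must not confirm
    # the altered transfer the server actually holds.
    intended_code = confirmation_code(SECRET, INTENDED["payee"], INTENDED["amount_cents"])
    accepted = verify_confirmation(SECRET, RECEIVED, intended_code)
    return flagged, message, accepted


if __name__ == "__main__":
    flagged, message, accepted = demo()
    print("unexpected fields in login POST:", flagged)
    print("out-of-band text:", message)
    print("intended-transfer code accepted for received request:", accepted)
```

The point of the second check is that the confirmation step must describe the transaction the bank holds, not the one the browser displays; a login-time second factor alone does nothing once the session itself is being rewritten.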

The ZeuS Trojan targets machines using Windows XP with Service Pack 2 (SP2) or earlier versions of the operating system. Those who enable automatic updates are protected.

The same holds true with whichever browser you use and other software, especially your anti-virus and Adobe products. They are only targets because of their popularity, not because they are particularly vulnerable to threats.

Configure your firewall to its highest level. For more on firewalls, read an archived version of our May 5, 2010 edition from the Security Articles page.

Don't open junk emails, not even out of curiosity. And if a message from someone you know seems strange to you, delete it immediately. They may have become a victim.

The major anti-virus vendors all protect against the ZeuS Trojan. But you must keep your DAT (signature) files updated for the best protection. These, too, should be set to update automatically when new releases become available.

If you think your computer may be infected with the ZeuS Trojan, contact your financial institution immediately to prevent unauthorized transactions.

Clean your computer thoroughly using your virus scan program. But before you do, disable your System Restore. The malicious file may be stored there as a backup file.

You've heard all of this advice before. But if this threat doesn't scare you into taking it seriously, nothing will.

Prevention is in your hands with the tools readily available through security programs you should already have installed on your system. The good guys are still one step ahead of the villains. For now. Let's hope it stays that way.

Financial News

Small Business will lead the recovery according to President Obama. A bill pending in Congress would create a $30 billion small-business lending fund, add tax breaks and expand loan guarantees from the Small Business Administration.

With unemployment stuck at 9.5 percent and job growth shaky, supporting "small business" has become the focus for both parties. Republicans continue to list the hardships added taxes will have on small business in areas such as expanding health care, tightening financial regulations or raising taxes on the rich.

According to the Bureau of Labor Statistics, larger companies provide the most jobs. About 43 percent of the jobs are from corporations with more than 500 workers, with another 24 percent from firms with 20 to 500 workers. Small businesses, or companies with fewer than 250 workers, provide almost half of all private-sector jobs. About 38 percent of all workers are in companies with fewer than 100 employees.

In a July survey by the National Small Business Association, 41 percent of companies said they couldn't raise as much money as they needed, the highest in 17 years. So, if the aid flows through to small businesses, this could well be a strong stimulus to the economy and a resulting boost to employment!

Today’s Market Rates
Tuesday, August 17, 2010
Dow Jones Industrial Average: 10,405.85 (+1.01%) (Down 22.20 or 0.21% since 12/31/09)
S&P 500: 1,092.54 (+1.22%) (Down 22.56 or 2.02% since 12/31/09)
Nasdaq: 2,209.44 (+1.26%) (Down 59.71 or 2.63% since 12/31/09)
10 Year Treasury Bond Yield: 2.645%
British Sterling: 1.5583
Euro: 1.2881
On The World Wide Web

The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise. This renowned federally funded research and development center is operated by Carnegie Mellon University. It offers a complete list of antivirus software vendors on its Web site.

Before investing, check out the validity of that offer. Quatloos.com is a public educational website maintained by Financial and Tax Fraud Education Associates, Inc. Visit their Cyber-Museum of Scams and Frauds.

Auto racing is a dangerous sport for all participants: the driver, crew and spectators alike. Tragedy struck this past weekend when eight spectators were killed during an off-road race in California. Support the victims' families by donating here. Even the smallest amounts can add up.

Tip of the Week

Looking for something you once saw on a website without its own search function? It's easy to conduct a site-specific search on Google. In the search box, start by typing site:www.sitename.com (substituting the site's address), then enter a space and enclose your search criteria in double quotation marks.

Example: In looking for an article on firewall configuration you read in GCFlash, enter search criteria as site:www.gcfbank.com "firewall".

Quotable

"Control your own destiny or someone else will." - Jack Welch

Today in History

1896 - Prospectors discovered gold in Alaska, sparking the Klondike gold rush.

Flash Fact

Only about 161,000 metric tons of gold have been mined in all of human history.

Have a comment about something you read in GCFlash? Suggestions for future articles? Drop us an email!
PURPOSE: GCFlash is a weekly e-mail sent only to its listed customers and associates free of charge. GCFlash informs customers of special product offerings which may be of interest, current interest rates on both deposit and loan products, selected financial news and other financial tidbits. GCFlash is intended to supplement the more comprehensive information listed on the GCF Web site at http://www.gcfbank.com.

For more comprehensive information, visit our Web site at http://www.gcfbank.com or call (856) 589-6600 Ext: 337 (Timothy P. Hand)


GCFLASH PRIVACY STATEMENT

For a copy of our Privacy Policy, visit www.gcfbank.com/gcflash_privacy.asp

GCF maintains your e-mail address in a confidential and secure database along with much of your other account information, such as mailing address and telephone number, etc. Before aggregating our e-mailing list each week, we filter out any duplicates. In most cases, this inhibits the unintended e-mailing of multiple copies of GCFlash to a single e-mail address. However, because these account records are kept by both individual and account, there is a chance members of the same household could each receive a copy of GCFlash or any other transmission at the same e-mail address, resulting in multiple copies. For example, a husband and wife who both have accounts with GCF may both receive a copy because the names are different but listed at the same e-mail address. This is similar to the manner in which each individual may share a common telephone number. To handle this situation, GCF recommends you simply delete any extra copies of GCFlash, as this will ensure that ALL individuals receive any future promotional mailings, which might only be targeted or offered to specific accountholders meeting certain criteria. GCF has the capability to suppress customer e-mail addresses so they are omitted from our transmission list. If you would rather have a specific household member’s e-mail address suppressed in our electronic database, simply send us a reply, as stated below, and indicate the accountholder for which you would like to have e-mail suppressed. Please keep in mind that this suppression will mean that NO future e-mails are sent, including special promotional offers. If you have any questions about this process or need additional information, please contact us at netaccess@gcfbank.com.

If you would like to be removed from this electronic mailing list, please hit reply and place the word REMOVE in the subject line. Please note, removing your name from our electronic mailing list means GCF will send NO FUTURE NEWS or SPECIAL OFFERS.


GCF Bank
381 Egg Harbor Road
Sewell, NJ 08080
(856) 589-6600
www.gcfbank.com