Criminals who use the Zeus banking crimeware may be working on an new angle: corporate espionage.
That’s what worries Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who has been closely monitoring the various criminal groups that use Zeus. Zeus typically steals online banking credentials and then uses that information to move money out of Internet accounts. In the past year, however, Warner has seen some Zeus hackers also try to figure out what companies their victims work for.
In some cases, the criminals will pop up a fake online bank login screen that asks the victim for a phone number and the name of his employer. In online forums, he’s seen hackers speculate about how they might be able to sell access to computers associated with certain companies or government agencies.
“They want to know where you work,” he said. “Your computer may be worth exploring more deeply because it may provide a gateway to the organization.”
That’s worries some because Zeus could be a very powerful tool for stealing corporate secrets. It lets the criminals remotely control their victims’ computers, scanning files and logging passwords and keystrokes. With Zeus, hackers can even tunnel through their victim’s computer to break into corporate systems.
There are other reasons why Zeus’s creators might want to know where you work, however. They could simply be trying to figure out whose data is the most valuable, said Paul Ferguson, a security researcher with Trend Micro. “A welding business might make more money, than say, a Girl Scout troop,” he said via instant message.
Still, Ferguson believes that the crooks could make money by selling access to computers belonging to employees of certain companies. “I haven’t personally seen that, but these guys are pretty devious.”
This type of targeted corporate espionage has become a big problem in recent years, and many companies, including Google and Intel, have been hit with this type of attack.
Police arrested more than 100 alleged members of a Zeus gang last week, but that doesn’t put an end to the problem. Zeus is widely sold for criminal use, and security experts say that there are dozens of other Zeus gangs out there. The group responsible for last year’s Kneber worm outbreak is thought to be the largest Zeus outfit still in operation.
If Zeus operators really do start promoting their crimeware as corporate back-doors — and Warner believes this is already happening — that could mean new problems for corporate IT.
The biggest issue would be for home computers and laptops that are outside of corporate firewalls that still have access to company data via the Internet. Those systems could suddenly become a risk for IT staffers, Warner said.
Inside the firewall, a computer that suddenly starts sending data to Russia should be noticed right away. That might not be the case on a home network. “If you are an employee of a place that gives you access to sensitive data, your company needs to care if you have a malware infection at home,” Warner said.
The problem could be solved by either not letting people work from their home PCs or by providing workers with computers that can only be used for work, Warner said.