Zeus: The Global Cyber Threat
Zeus Trojans Are Smart, Sophisticated and Increasingly Popular
Dave Jevans, chairman and founder of the Anti-Phishing Working Group, a non-profit organization dedicated to wiping out identity theft and fraud on the Internet, says Zeus is pushing the industry to realize the world is cyberconnected. "Certainly, the U.S. government and other government agencies are taking online crimes far more seriously," he says. "I think people are really starting to realize that the world is cyber; it is all interconnected and it is moving very, very quickly in a bad direction."
Zeus is attacking everything from bank accounts to government networks. During this interview, Jevans shares his thoughts about:
- The role recent arrests will play in future law-enforcement efforts to stop Zeus attacks;
- What the industry is doing to fight back;
- And why the Zeus threat level will continue to grow.
Dave Jevans is chairman and founder of the Anti-Phishing Working Group, a leading non-profit organization dedicated to eradicating identity theft and fraud on the Internet. The APWG has more than 1,500 member companies and agencies worldwide. Membership is limited to banks and other financial institutions, Internet service providers, law enforcement agencies and security technology vendors. Jevans has more than 10 years of business experience in Internet security and has founded two high-tech start-ups.
Zeus: A Sophisticated Trojan
TRACY KITTEN: Zeus. It's the most threatening malware the industry has ever faced, and it's getting more sophisticated. Two recent Zeus-related arrests prove this malware is far-reaching. Recent arrests of a hacking ring in London, and of global money mules who have been charged with draining U.S. bank accounts, are likely just the beginning. Now, Zeus is branching out from the online channel, and is hitting mobile devices. So, what can the industry and law enforcement expect the future to hold?
DAVE JEVANS: I am currently CEO and founder of IronKey, and we provide secure USB flash drives, as well as secure authentication devices, to protect against Zeus and other malware. In 2003, I started and became the Chairman of the Anti-Phishing Working Group, and that is a nonprofit organization. We now have about 1,500 member companies and government agencies, and it is really composed of financial-services companies, you know, banks, payments companies, also the security industry. Most of the major computer security companies are active members in the APWG. And then, we work very closely with government agencies and law enforcement, to help really figure out what the bad guys are doing. We share information, and we run conferences all around the world, where people can get together in a closed, very trusted environment, and discuss what the latest threats are and how people are best mitigating them.
KITTEN: Zeus is quickly becoming one of the most frightening threats, really, that the United States has ever faced. Beyond the financial industry, the sophistication of Zeus poses real threats to all companies and government bodies, and brings national security into view. What is it about Zeus that makes it stand out?
JEVANS: Zeus is one of a family of new Trojans that has really been around for a number of years in emerging forms. But what has happened in the last couple of years is that the criminals have figured out that it is a lot easier to steal $500,000 from one company than it is to steal $500 from 1,000 consumers. A lot of the research and development in the criminal underground has been focused on developing this family of malicious software. Now, they have taken an interesting turn with Zeus, which is that the people writing the software have really turned it into a software business. They are not the ones doing the fraud; they sell this software to a variety of different groups of cybercriminals. So they have created this real underground economy and it is thriving, because there is a lot of money being made. The advances in the malware are just tremendous. It is moving at a very rapid pace, and they are targeting a lot of different financial institutions all around the world, all of which have different security systems. So, more and more capabilities are being added to it over time. Another really interesting thing about the Zeus malware is that it has a plug-in architecture, meaning that there are people around the world writing add-ons and modules into it that can make it more and more sophisticated to attack more and more systems; it's not just one group of people writing the code. It is probably the fastest-moving, most sophisticated piece of criminal malicious software that the world has ever seen. There are many groups working on it, and the ingenuity of it is astounding.
What I think is also pretty scary about it, in addition to how quickly it is moving, and the innovation that we are seeing in this malicious software, is that it is not really just bank-specific; it can be used, for example, to gain access into corporate VPNs (virtual private networks) and sensitive government networks by getting onto a user's computer and waiting until they log into that VPN.
Zeus: Money Mules
KITTEN: Two arrests have recently been made, one was in London, and another was of money mules scattered throughout the world. Are these two incidents related, and do you expect those arrests to curb or change the flow of fraud that is happening here in the U.S.?
JEVANS: There was a coordinated set of arrests in the U.K., and within 24 hours, there was a coordinated set of 60 arrests in the United States. It is no coincidence that those happened in a very coordinated fashion. Law-enforcement agencies around the world are definitely cooperating because this is a global-fraud environment. It is people all around the world collaborating to do these crimes. Now, will it change things for the bad guys? Yeah, I think taking some of the money mules out of the system will make an impact on their immediate cash flow. You know, these money mules are people that bad guys, basically, send money to out of a pilfered account, and then they move it on and out of the country; and that basically makes it very difficult to detect who the actual real fraudsters are. If you are involved in these crime gangs, you can be caught and you will go to jail. But, at the end of the day, there are thousands and thousands of these people doing this money-mule activity. In fact, there may be between 10,000 and 20,000 at one time. So, arresting 60 or 70 of them, while an important step forward, is certainly not going to materially impact the cybercriminal.
Zeus: The Global Online Crime Fight
KITTEN: What do the arrests tell us about the courses of action the U.S. government and law enforcement agencies throughout the world are taking to fight these types of crimes?
JEVANS: Certainly, the U.S. government and other government agencies are taking online crimes far more seriously. I think the financial fraud that we are seeing, certainly, in the United States, where they are targeting small and medium-sized companies and moving hundreds of thousands or in some cases millions of dollars at a time, definitely wakes people up to realize that this is a lot bigger than some consumers having $500 stolen out of their PayPal account. I think there is a big awakening there. I think the other thing that is happening at the same time is the Stuxnet attacks against critical infrastructure and data-control systems and nuclear reactors. I think people are really starting to realize that the world is cyber; it is all interconnected and it is moving very, very quickly in a bad direction. So there is interesting movement in the law-enforcement area. Now it is critical that financial institutions cooperate with law enforcement. Financial institutions are providing the data for these money mule accounts. They know where the money is initially being transferred, and they are providing that information, primarily to the Secret Service, and they are the ones coordinating the investigations and the arrests and working with their counterparts in other countries.
Money Mules: Building a Case
KITTEN: The fight is an international one. How can law enforcement and federal prosecutors track and charge money mules, as in the case that we have talked about earlier, when they are often scattered throughout the world?
JEVANS: This is really the challenge. Crime is happening on the Internet and it happens at the speed of light, and often typical investigative procedures and typical cross-border legal agreements really don't account for the nature of the Internet, where people can set up a server, take some passwords and then tear the server down within minutes; and, oftentimes, getting subpoenas across countries can take 30 days. So we've definitely got a challenge ahead of us as a world to really change the way that law-enforcement agencies communicate with each other. That said, I think the law-enforcement agencies in the United States, in Australia, in the United Kingdom have been working together very, very closely to try to build those relationships where they can move more quickly. We have also seen some good relationships built throughout Eastern Europe, where you can get law enforcement in Romania, for example, to coordinate arrests at the same time as arrests might be made of members of the same gang in the U.S. and in the U.K. So cooperation is definitely growing, but we've got a long way to go.
Cybercrime Fight Requires Bank Information
KITTEN: The financial industry also plays a role here, in helping law enforcement, by communicating.
JEVANS: That's right. It has to be a two-way street, where the financial institution, and frankly, large corporations that are experiencing similar kinds of attacks, need to be able to communicate with Secret Service and with the FBI and share relevant information. In fact, this is also where the security industry comes in. The security industry will work with multiple financial institutions and will have much more data than a single bank might have about an attack. They will be able to see the same account being used to move money from eight or 10 different banks. And that helps build a case so law enforcement can now say, "Hey, if we actually take action here, it's going to result in a significant case," and that means they can invest the time to do the investigation.
Tracking Zeus
KITTEN: Can you explain some of the differences or nuances in the software, and when it comes to tracking some of those things, is it difficult to tie things together?
JEVANS: Zeus is really an evolving entity. It is a core strain of the malware and it's evolving quickly. There are new releases available for purchase on the Internet almost weekly. There are different companies out there creating plug-ins or adjacent tools that work with that malicious software to enhance its capabilities to target different bank-security systems, to get onto the mobile phone, to manage money mule networks. So there is this flourishing environment there. It is so different and so varied that it is hard to track. The other thing to keep in mind is it's not one gang; so there are many, many Zeus networks out there. There is Zeus, the software and there are these Zeus botnets, where somebody's got a whole group of infected computers and they are controlling them remotely. There's some tracking of that going on, and some of the security companies have been doing a great job at finding out the control servers and taking those off the Internet; however, the true criminals are very good at hiding that stuff. So we don't even really know how many servers are out there and how many millions of computers are already infected.
Zeus: The Keylogger
KITTEN: Zeus is often referred to as a keylogger, meaning it infects a PC and then tracks keystrokes, making it ideal to track bank-account information. But, the evolution of Zeus has taken some turns, with Zeus now targeting more than mere banking credentials. What other areas is Zeus targeting, and where do you see it going next?
JEVANS: The keylogging is really the most simple component of it, so that everything you type into your website -- your name, your password, that type of stuff -- it tracks and sends to a criminal in another country. But, for example, if you are using one-time-password tokens, those little devices that sometimes a bank or a company will give you that generate a little six-digit number so that you have to enter your name, your password, and whatever that device says, it can capture that information and relay it. They also have remote-view capabilities; so a very popular plug-in for Zeus in the criminal underground is one that allows them to see actually on your screen what you are doing when you log into a website that they want to break into. For example, they might set it up so that if you are logging into your bank, or even your corporate VPN, it sends a message out to the criminal, and they can then turn on remote-viewing and see what you are doing and how much money you have in your account, or what kind of systems you might have access to, if you are logging into a VPN. They can control remotely your keyboard and mouse; so if you go out to lunch and you are left logged in, they can actually go and log in and control things as if they were you. They can generate transactions -- the list goes on and on about the amazing capabilities that this thing is evolving to do.
Zeus and Mobile Banking
KITTEN: A few incidents of Zeus attacks on mobile devices have been discovered. How is the industry combating these attacks?
JEVANS: Well, this is a very new and emerging area of mobile malware. It is really a very scary new evolution. I think we are going to see a lot, lot more of it. Companies in the security industry are only just beginning to create products that have any sort of real security capabilities on many of the mobile-phone platforms. As you know, platforms like Android are very open, and you can install hundreds of thousands of different applications and there is no central authority to check whether they are legitimate. What we are seeing now is if the bank, for example, sends an SMS message to your phone, which you use to help authenticate the online service, there is this malware now where they will actually send you a message saying, "Click here to send this bank security certificate to your phone," but it's not a certificate; it's really an app that is being installed and it's redirecting all your SMS messages to the criminals. So that is a very, very interesting, targeted piece of malicious software that is tied into the Zeus systems but probably developed by some other person, not the core Zeus people. I think that security on mobile phones is just in its infancy and the bad guys are figuring out that, "Hey, there's some real opportunity on the phone." And I think the other thing you have to worry about is that in some of the major banks, up to 30 percent of their online users use mobile phones to access their online-banking systems. So it is pretty clear that what we are going to see is probably a wave of innovation by the criminals to create more and more malicious software or fake software, or some form of phone phishing scams that will be targeted against users of mobile devices.
Zeus, Mobile and The Future
KITTEN: Could you give us some insight regarding the direction you see the industry and consumer groups taking as we move forward, whether it be combating some of these challenges that we are seeing on the mobile devices, or whether it just be combating some of these malware attacks overall?
JEVANS: Well, the security industry is definitely taking the evolution of Zeus and related malware very seriously. We are seeing a new wave of technology in companies that are emerging to help detect and defend against it. There are really two areas of innovation in the security industry. One is on the back-end systems, on the Web servers themselves or in the transaction systems, to detect anomalous behavior. And there is also innovation at the trusted endpoint; basically software and hardware authentication products and virtualization products that will create more of a trusted environment on a person's computer to isolate them, even if they are infected with malicious software like Zeus. Those are the two areas of innovation we are seeing in the industry. As far as consumer groups and sort of industry affiliations go, the Anti-Phishing Working Group and others are really starting to help people collaborate around these issues and share information. I think it is a great thing that industries are starting to come together to talk about how we can communicate a clear, simple security message to the consumer.