SecurityWeek

ZeuS-Style Attacks Trump Phishing as Greatest Threat to Online Banking

In a rapid shift, real-time attacks from online banking trojans such as ZeuS are now more common than password phishing attacks, according to PhoneFactor, a provider of phone-based multi-factor authentication solutions. Organizations lack understanding of how to protect against these threats, according to the results of the “state of online banking security” survey released today by PhoneFactor.

Zeus, also commonly known as Zbot, is the most prevalent malware platform for online fraud, and has been licensed by numerous criminal organizations. Zeus infects PCs, usually without users knowing or causing any other “noticeable” harm. Zeus is well-engineered and constantly upgraded by cybercriminal development teams, and includes mobile versions and customized variants targeting specific brands and government sites.

Zeus Banking Screenshot

The survey, conducted in November 2010, included responses from financial services professionals at more than 70 banks. Key findings in PhoneFactor’s study include:

• Real-time attacks from online banking trojans (ZeuS, Clampi, etc.), also referred to as Man-In-The-Middle attacks, are seen as the greatest threat to online banking today by more than half (51%) of survey respondents, and 69% indicated an increase in the frequency of these attacks over the last 12 months. In fact, 37% of respondents reported that online banking trojans are the most prevalent type of attack at their bank.

• Password phishing and pharming were a distant second with 24% of respondents believing password attacks to be the greatest threat to online banking. These attacks, however, continue to rage on. 55% of respondents indicated an increased frequency of these attacks over the last 12 months.

• Online ACH and wire transfers were seen as being most vulnerable to attack with nearly one in three respondents rating these types of transactions as either “extremely” or “very” vulnerable.

• There is still widespread misunderstanding about whether current security measures, such as one-time-passcodes, protect against today’s top threats. Only 37% of respondents recognize that one-time-passcodes do not protect against ZeuS. Of those who recognize the weakness of these methods, 79% are either using or plan to use next-generation methods, such as out-of-band phone calls, transaction verification, and biometrics, to protect against ZeuS.

“Password phishing attacks have plagued online banking for nearly a decade, but have been outpaced in the last year by a surge in real-time attacks from the likes of ZeuS, Clampi, and SpyEye, among countless other malware variants,” said Steve Dispensa, Chief Technology Officer at PhoneFactor. “Banks are implementing a number of measures to strengthen the security of their online banking platforms, which is unquestionably good. Unfortunately, many don’t understand the vulnerability of methods like one-time-passcodes, which these attacks easily circumvent. As banks become more educated, we expect them to move even more quickly toward methods like out-of-band authentication and transaction verification to protect against these threats.”

With “Out of Band Authentication,” when a customer wants to make a transaction, a text message or phone call goes to the mobile phone number the bank has on file. Over the phone, the customer receives a “TAN,” or one-time password, that must be entered on the website in order to complete the transaction. This method has proven to be quite challenging for fraudsters to overcome but, as always, cybercriminals still find ways around it.
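The difference between a passcode checked at login and an out-of-band TAN tied to one transaction, as an added example that is not from the article or from PhoneFactor. The `Bank` class, the function names and the sample payees are hypothetical, and the trojan is modeled only as a mismatch between what the customer intended and what the browser session submitted.

```python
import hmac
import secrets


class Bank:
    """Toy bank backend (hypothetical API) issuing per-transaction TANs."""

    def __init__(self):
        self._pending = {}  # tx_id -> (transaction as received, TAN)

    def request_transfer(self, tx):
        """Store what the web session submitted; return (tx_id, phone message)."""
        tx_id = secrets.token_hex(8)
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[tx_id] = (dict(tx), tan)
        # The out-of-band message repeats the details the bank actually received.
        msg = {"to": tx["to"], "amount": tx["amount"], "tan": tan}
        return tx_id, msg

    def confirm(self, tx_id, tan):
        """Execute only the stored transaction, once, if the TAN matches."""
        tx, expected = self._pending.pop(tx_id, (None, ""))
        if tx is not None and hmac.compare_digest(expected, tan or ""):
            return tx
        return None


def login_otp_only(otp_valid, submitted):
    """Passcode checked once at login; later transfers get no per-transaction check."""
    return dict(submitted) if otp_valid else None


def out_of_band_verified(bank, intended, submitted):
    """Customer releases the TAN only if the phone shows the intended transfer."""
    tx_id, msg = bank.request_transfer(submitted)
    matches = (msg["to"], msg["amount"]) == (intended["to"], intended["amount"])
    return bank.confirm(tx_id, msg["tan"] if matches else None)


# Constructed sample data: the customer's intent vs. what a compromised browser sends.
INTENDED = {"to": "ACME-SUPPLIES-001", "amount": "250.00"}
TAMPERED = {"to": "UNKNOWN-PAYEE-999", "amount": "9500.00"}

if __name__ == "__main__":
    bank = Bank()
    print("login OTP only:", login_otp_only(True, TAMPERED))
    print("out-of-band, tampered:", out_of_band_verified(bank, INTENDED, TAMPERED))
    print("out-of-band, intended:", out_of_band_verified(bank, INTENDED, INTENDED))
```

The protection depends on the phone message repeating the payee and amount the bank received and on the customer reading them before entering the TAN.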
