Recent Zeus malware configurations are targeting Citrix VPN gateways, according to security software company Trusteer. The latest instances of Zeus are configured to capture login credentials from Citrix users. Amit Klein, CTO and head of research at Trusteer, spoke with us about the new malware behavior and what banks can do about it.
"Zeus is definitely the most prevalent HTML injection malware out there," Klein says. "We've seen Zeus botnets target hundreds of thousands of computers." He notes that Zeus software is licensed to multiple fraud rings and that an entire market has grown up around selling Zeus modules and extensions, software and services. "Zeus is feature-rich malware, it enables you to do whatever you like. It has good configuration options compared to other malware, it's very sophisticated, and it has many features you don't see in other kinds of fraud. It's like a Cadillac versus a low-end car."
Banks that use Citrix for employee and branch access are particularly exposed to the latest strains of Zeus, in which the malware is configured to capture a screenshot of the screen area around the mouse cursor whenever the left button is clicked while "citrix" appears in the browser's address bar. The aim is to harvest login credentials from users of the Citrix Access Gateway, an SSL VPN product businesses use to give remote users access to applications and data on their networks. Once inside that gateway, criminals could potentially reach any data in the organization, Klein says.
What best practices should banks deploy to deflect such attacks? They should limit VPN access to specific applications and users, keep anti-malware software up to date (especially on remote devices), use a secure browsing service to protect VPN connections, and educate employees about security. Although efforts to educate consumers about computer security threats have not been a big success, Klein acknowledges, in the corporate world employees have more reason to comply.
Home computers are probably more vulnerable to botnets than in-office machines, "but the corporate network is not watertight, especially if employees are allowed to browse the internet," Klein says. "You do get hit by drive-by downloads and get infected."
Still, Klein does not see this as the biggest security threat banks face: "If I were in charge of a bank IT department, I would be worried about online banking in the consumer world, that's the worst threat," he says. Mobile banking fits in this category. "To be sure, criminals follow the money, and where there's money to be had or stolen, they'll be there," he says.