What is Malware?
Financial malware (including Zeus, SpyEye, and others) targets access to financial institutions. These families are highly customizable malware development platforms that criminals purchase and use for their own needs. This means that each instance of released malware is likely to be significantly different from any other, which increases its ability to avoid detection by antivirus and antimalware products. Most people with infected PCs have no idea that the PCs are infected, even with up-to-date antivirus software. This malware also usually comes with a list or database of financial institution websites that it silently watches for in your web browser. When one of those websites is accessed, the malware can redirect you to a malicious site under the criminal’s control or inject additional content or fields into the page of the real website. Since it has control of your PC and web browser and acts after you have logged on to a real Internet Banking site, security indicators you would normally check for, such as the website address or secure connection symbols, aren’t helpful.
Zeus is Manipulating Your Browser
As an example, we have seen PCs compromised by Zeus variants behave as follows:
After you successfully sign on to Internet Banking (after supplying your credentials and correctly answering your security questions), instead of seeing the normal page, a page like the one pictured below is displayed. You are asked for your card information, including PIN, Security Code, and expiration date (which NO financial institution should ever ask you for!), and when you click on the “Continue” button you are redirected to the original sign-on page again. At this point, if this has happened to you, your card information is compromised and you should contact the issuing financial institution immediately.
The behavior of financial malware can be completely different across variants, including displaying a real website page but adding in some additional question fields or other information. Any time you feel that something isn’t right (for example, being asked for your card’s PIN or expiration date), you should immediately stop entering information and follow up with your financial institution.
Finally, it is important to understand that this malware is running on your PC. The financial institution’s system is not compromised and your access will probably appear normal. The activity and the redirection occur on the PC. Zeus financial malware is widespread and targets all types of financial institutions.
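One way to check a saved copy of a page for the added fields described above, as an example added here (it is not code from this advisory or from any financial institution). The baseline field list, the field names, and the sample HTML are all constructed assumptions.

```javascript
// Added example. Field names, baseline and HTML below are constructed.
// Fields the genuine post-login page is expected to contain (assumed baseline).
const EXPECTED_FIELDS = new Set(["csrf_token", "accountFilter", "search"]);

// Data the advisory says no institution should request after sign-on:
// card number, PIN, security code, expiration date.
const SENSITIVE = [
  /card[ _-]?(number|no)\b/,
  /(^|[^a-z])pin([^a-z]|$)/,
  /security[ _-]?code|cvv|cvc/,
  /expir|exp[ _-]?date/,
];

// Pull the name (or id) of every form control out of an HTML string.
// A regex is enough for this illustration; it is not a full HTML parser.
function extractFields(html) {
  const fields = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of tag[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    fields.push(attrs.name || attrs.id || "(unnamed)");
  }
  return fields;
}

// Report controls that are not in the baseline or that ask for card data.
function auditPage(html, expected = EXPECTED_FIELDS) {
  const findings = [];
  for (const name of extractFields(html)) {
    // Split camelCase so "cardPin" and "card_pin" are treated alike.
    const norm = name.replace(/([a-z])([A-Z])/g, "$1 $2").toLowerCase();
    const unexpected = !expected.has(name);
    const sensitive = SENSITIVE.some((re) => re.test(norm));
    if (unexpected || sensitive) findings.push({ name, unexpected, sensitive });
  }
  return findings;
}

// Constructed samples: the page as served, and the same page saved from a suspect PC.
const GENUINE = `<form><input type="hidden" name="csrf_token" value="x">
<select name="accountFilter"></select><input name="search"></form>`;
const TAMPERED = GENUINE + `<form><input name="cardNumber"><input type=password name='card_pin'>
<input name="securityCode"><input id="exp-date"></form>`;

console.log(auditPage(GENUINE));
console.log(auditPage(TAMPERED).map((f) => f.name));
```

Run the comparison on a separate, clean machine against the saved copy; a check running inside the infected browser can be altered by the same malware.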
Additional notes: Financial malware may only target one or a couple of popular browsers. It may be beneficial to have multiple browsers installed on your system. If you see something strange like a prompt for your credit card number, close the browser and try another. If it doesn’t appear in the other browser it is likely that there is malware on your system. Popular browsers include Internet Explorer, Firefox, Chrome, Safari, and Opera, and there are additional lesser-known browsers as well.
What to Do If You Think You Are Infected With Financial Malware
Contact each financial institution that you accessed on the infected PC. Change your passwords and ask if any of your account information has been changed (such as address or phone number). If you provided credit or debit card information, report the card as compromised to have it blocked and a new card issued. Do not use your PC for financial transactions until it has been cleaned. Follow up with your antivirus vendor or PC service vendor for the best methods of getting your system cleaned.
As always, it is a good idea to frequently monitor your account activities.