funsec mailing list archives

ZeuS: PC Invader Costs Kentucky County $415,000


From: Paul Ferguson <fergdawgster () gmail com>
Date: Thu, 2 Jul 2009 18:09:06 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via Security Fix:

"Cyber criminals based in Ukraine stole $415,000 from the coffers of
Bullitt County, Kentucky this week. The crooks were aided by more than two
dozen co-conspirators in the United States, as well as a strain of
malicious software capable of defeating online security measures put in
place by many banks.

Bullitt County Attorney Walt Sholar said the trouble began on June 22, when
someone started making unauthorized wire transfers of $10,000 or less from
the county's payroll to accounts belonging to at least 25 individuals
around the country (some individuals received multiple payments). On June
29, the county's bank realized something was wrong, and began requesting
that the banks receiving those transfers start reversing them, Sholar said.

"Our bank told us they would know by Thursday how many of those
transactions would be able to be reversed," Sholar said. "They told us they
thought we would get some of the money back, they just weren't sure how
much."

Sholar said the unauthorized transfers appear to have been driven by "some
kind computer virus." Security Fix has been communicating with a cyber
crime investigator who is familiar with the case. What follows is a
description of the malicious software used, a blow-by-blow account of how
the attackers worked the heist, as well as interviews with a couple of women
hired to receive the stolen funds and forward the money on to fraudsters in
Ukraine. This case also serves as an example of how e-mail scams can be
used to dupe unknowing victims into serving as accomplices in their plan.

According to my source, who asked not to be identified because he's still
investigating different sides of this case, the criminals stole the money
using a custom variant of a keystroke logging Trojan known as "Zeus"
(a.k.a. "Zbot") that included two new features. The first is that stolen
credentials are sent immediately via instant message to the attackers. But
the second, more interesting feature of this malware, the investigator
said, is that it creates a direct connection between the infected Microsoft
Windows system and the attackers, allowing the bad guys to log in to the
victim's bank account using the victim's own Internet connection."

Much more:
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFKTVorq1pz9mNUZTMRAnY1AJ9eEs6jLeolAlfV9+rTh5kY9Yj3YgCeLXhZ
eY+6aDMc8BMm1IEVdKh4wXg=
=Fs5b
-----END PGP SIGNATURE-----




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
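The fraud pattern in the quoted article is what a treasury or bank-side monitoring rule should catch: a burst of outbound wires, each at or under $10,000, to a couple of dozen beneficiaries the payroll account has never paid before, spread over a week. The following is an added example (not code from this post, Security Fix, or the county's bank) of such a rule run over constructed sample transactions. The beneficiary identifiers, amounts, the $10,000 threshold and the 7-day window are all assumptions chosen to mirror the case as described above; only the dates (June 22 to June 29) come from the article.

```python
"""Flag bursts of sub-threshold outbound wires to never-before-seen beneficiaries.

Added example for detection/monitoring; all account identifiers and amounts
below are constructed, not taken from the Bullitt County case.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class Wire:
    day: date
    amount: float
    beneficiary: str  # constructed account identifier


# Constructed baseline: payees this payroll account has paid before.
KNOWN_PAYEES = {"acct-payroll-001", "acct-payroll-002", "acct-payroll-003"}


def build_sample() -> List[Wire]:
    """Three ordinary payroll wires, then a constructed burst starting June 22:
    25 distinct new beneficiaries, every amount <= 10,000, three of them paid twice."""
    wires = [
        Wire(date(2009, 6, 19), 2450.00, "acct-payroll-001"),
        Wire(date(2009, 6, 19), 3100.00, "acct-payroll-002"),
        Wire(date(2009, 6, 19), 2875.50, "acct-payroll-003"),
    ]
    for i in range(25):
        day = date(2009, 6, 22) + timedelta(days=i % 5)
        wires.append(Wire(day, 9_900.0 - 37 * i, f"acct-new-{i:02d}"))
    for i in (3, 11, 17):  # repeat payments to a few of the new beneficiaries
        wires.append(Wire(date(2009, 6, 26), 8_500.0, f"acct-new-{i:02d}"))
    return wires


def flag_structured_bursts(
    wires: Iterable[Wire],
    known_payees: set,
    threshold: float = 10_000.0,      # assumed reporting/approval threshold
    window_days: int = 7,             # assumed detection window
    min_new_payees: int = 10,         # assumed: many first-time beneficiaries
    min_under_fraction: float = 0.9,  # assumed: nearly all wires sit under the threshold
) -> List[Dict]:
    """Slide a window over each day that has a wire to a new payee; alert when the
    window holds many distinct new beneficiaries and nearly every wire to them is
    at or under the threshold (the 'structuring' shape described in the article)."""
    wires = list(wires)
    to_new_all = [w for w in wires if w.beneficiary not in known_payees]
    alerts = []
    for start in sorted({w.day for w in to_new_all}):
        end = start + timedelta(days=window_days)
        to_new = [w for w in to_new_all if start <= w.day < end]
        new_payees = {w.beneficiary for w in to_new}
        if len(new_payees) < min_new_payees:
            continue
        under = sum(1 for w in to_new if w.amount <= threshold)
        if under / len(to_new) >= min_under_fraction:
            alerts.append({
                "window_start": start,
                "new_payees": len(new_payees),
                "wires_to_new": len(to_new),
                "total": round(sum(w.amount for w in to_new), 2),
            })
    return alerts


if __name__ == "__main__":
    for a in flag_structured_bursts(build_sample(), KNOWN_PAYEES):
        print(f"{a['window_start']}: {a['new_payees']} new payees, "
              f"{a['wires_to_new']} wires, total {a['total']:,.2f}")
```

On the constructed data the first alert fires for the window opening June 22, the day the article says the transfers began, rather than a week later when the bank noticed. The rule deliberately keys on beneficiary novelty plus amount shape rather than on any single transfer, since each wire on its own looked like a legitimate payroll payment.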