ZeuS Source Code Leaked

Most people that have been involved in a data breach involving the theft of banking information are probably aware of ZeuS — a trojan horse that has helped criminals steal banking information by keystroke logging since at least 2007.  It has impacted some very large companies.  Confidential access codes and passwords are stolen and used to empty bank accounts.  In 2010, the FBI identified an Eastern European crime ring that may have stolen $70M from U.S. banks using ZeuS.

It has now been reported that the ZeuS source code has been leaked and is available to the public.  It has been estimated that ZeuS sold for several thousand dollars, upwards of $10,000.  However, now that this is available for free on the internet, most experts are expecting that that we will see an increase in efforts to further exploit ZeuS or to create an even more challenging variant of the trojan to defend against.

The FTC as offered some suggestions to help prevent becoming the victim of a phishing scam:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply.
  • Area codes can mislead.  If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. In any case, delete random emails that ask you to confirm or divulge your financial information.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. Don’t email personal or financial information.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Forward spam that is phishing for information to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email.

It is critical that anti-virus software be up-to-date and that steps are taken to better educate employees about phishing scams in order to help prevent a company, and consumers, from being victimized.  The Anti-Phishing Working Group (APWG) website is a good source for information regarding efforts to combat phishing scams and email spoofing.