The recently started LinkedIn spamming campaign that delivers the ZeuS Trojan – or, according to some, the Bugat Trojan – has been tied to a gang that uses the malware to plunder Charles Schwab investment accounts.
The fake LinkedIn messages offer a link that takes victims to malicious sites, which install the banking Trojan on their computers by taking advantage of various vulnerabilities. The bot then waits until the users access their accounts via online banking, records the information, and forwards it to the criminals.
The attack also includes a bogus pop-up form that requires the victim to provide additional information such as driver license number, name of employer, and more – information the criminals then use to confirm ownership of the account when they access it.
According to ComputerWorld, evidence that the criminals are targeting Charles Schwab accounts surfaced during an analysis of the malware by security firm Fortinet. Fortinet speculates that the criminals used fake LinkedIn messages because they surmised that there was a very high probability that a LinkedIn member would own an investment account.
And not only have these investment accounts been emptied of all the cash they contained, but criminals could also have sold securities tied to the account in order to steal more money.
According to Fortinet, the C&C centers to which the credentials are sent are still functioning, and accounts are still being compromised. As satisfying as it was to hear of the arrests of more than 100 members of ZeuS gangs a couple of weeks ago, it seems that the war against such criminals is just beginning.