Can You Fear Me Now? Tricky Trojan Snares Verizon Wireless Customers
If you are a Verizon Wireless customer, and you paid your bill online between May 7 and May 13, you may be at risk of identity theft.
For that six-day stint, customers going to Verizon Wireless' website may have fallen prey to a clever and virtually undetectable scam.
Anyone whose PC had already been infected by a specific "banking Trojan" would have been silently redirected to a fake Verizon Wireless page hosted on another website, which would have asked them to fill in essential personal information.
The Verizon Wireless site itself was not infected. The malware would simply have waited until the victim went to that site and tried to pay a bill.
The data that each victim was "required" to provide included full name, phone number, country of citizenship, date of birth, Social Security number, mother's maiden name, credit card number, credit card expiration date and credit card security code.
Among online criminals who specialize in credit-card and identity theft, that set of information is the "keys to the kingdom."
The scam was discovered by the Israeli online-banking security firm Trusteer, which found it in a variant of the SpyEye banking Trojan.
Beware the 'man in the middle'
SpyEye uses what experts call a "man-in-the-middle" attack. It silently plants itself in your browser, waiting until you go to a website that involves financial transactions, such as a banking site.
It then redirects you to a Web page that looks identical to the page you expect to see, except that any info entered on the spoofed page goes straight into a cybercriminal's hands.
Banking Trojans are doubly deceptive. Since you often encounter one simply by going to a poisoned website, you're not even aware you've been infected; and since it mimics routine banking and bill-payment activity, you're not aware you've put yourself at risk.
In this case, because the phony payment page appeared only after the user had already logged into Verizon Wireless's genuine website, Verizonwireless.com, it didn't set off any immediate alarms.
"Since the user has logged on and has navigated to the familiar billing page, they have no reason to suspect this request for payment information is fraudulent," Trusteer CEO Amit Klein said in a blog posting.
Klein did not explain why the Trojan had only a six-day window of operation.
SpyEye is itself a variant of the bank-account-stealing Zeus Trojan, which has fleeced millions of dollars out of online banking customers around the world.
(Coincidentally, perhaps, the source code for the Zeus Trojan was leaked less than a week ago.)
"While this attack is not technically new, it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data," Klein wrote.
Verizon Wireless confirmed the attack to MSNBC's Bob Sullivan, but also said the attack had no direct impact on its systems, and that only customers whose computers had already been infected by the SpyEye Trojan would have been affected.