Archive for the ‘Ironkey News’ Category

New Zeus Banking Trojan Spoofs Verified by Visa and MasterCard SecureCode

Friday, July 16th, 2010

Zeus is a prolific trojan designed to let cyber criminals break into corporate online banking accounts and transfer large amounts of money out of company bank accounts.

A new version of the Zeus trojan has been detected that tries to steal Verified by Visa and MasterCard SecureCode passwords, allowing criminals to use corporate payment credit cards.

When users log into their online banking websites from infected computers, the new Zeus trojan displays a screen telling them that they need to enroll their corporate credit card in the Verified by Visa security scheme. In reality, the criminals are stealing your data, which lets them use your corporate credit card online illegally.

Firefox Add-On Steals Your Passwords

Friday, July 16th, 2010

Mozilla has disabled a Firefox browser plug-in, Mozilla Sniffer, that steals your usernames and passwords and sends them to a third-party website, presumably one used by cyber-criminals.

Protecting Online Banking Customers from the Evolving Cyber-Crime Threats

Thursday, July 15th, 2010

I will be speaking at the Atlanta Infragard A-List security training conference on August 25th.

I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.

If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.

Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.

Arrested Russian Spies Used Steganography To Hide Data

Wednesday, June 30th, 2010

11 alleged Russian spies have been arrested and charged with conspiracy to commit an offense against the United States by not registering with the attorney general. 9 of these individuals have also been charged with money laundering. Details on the people arrested are here. One couple is based in Cambridge, MA.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but are also suspected of using proprietary Russian-built steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, inserting that file as noise in the soundtrack or video stream of a large .wmv video file, and then posting that file to a website or sharing it on a bittorrent network for its intended recipients to download. If you communicate the name of the video file to your recipients out-of-band (through an email, a phone call or SMS), and if there is a key sharing protocol (i.e. they know the password to decrypt the data), then it's highly likely that only those recipients will know that the encrypted data is there and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools, they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27-character password was required to access the steganographic data. Sounds like a great security measure to have such a long password. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

White House Announces National Strategy for Trusted Identities in Cyberspace

Tuesday, June 29th, 2010

White House cybersecurity coordinator Howard Schmidt has announced the NSTIC, the National Strategy for Trusted Identities in Cyberspace. The initiative is a blend of federated identities combined with digital identities issued by the government (or a trusted third party), primarily in the form of digital certificates.

I do think that a national federated identity scheme requires strong authentication, at least for any site that can do transactions or reveal personal information (which is pretty much any site of value). I also think that the Federal government is one of the only hopes we have of achieving such a system, as it will require a big infusion of cash.

However, I am skeptical that this plan can be achieved, given the diverse interests of the private sector and the federal government agencies, and the myriad of agendas and technological approaches. Look, Microsoft has failed at this many times, and they control 90%+ of the computer desktops out there.

20% of Android Phone Apps Let Third Parties Access Your Private Data

Thursday, June 24th, 2010

According to a research report by security firm SMobile Systems, about 20 percent of the 48,000 Android apps in the Android marketplace allow a third party to access the user’s data. These are typically apps that send SMS messages to premium phone numbers or make phone calls on behalf of users.

Many of those applications are legitimate, but some are definitely malicious. Some of these applications do many of the things that spyware does: getting access to email and text messages, tracking phone call information and device location, etc.

Federal Trade Commission Looks to Revamp Online Privacy Laws for Cloud Computing Services

Tuesday, June 22nd, 2010

At the 2010 Consumer Privacy Consultation conference, held in Calgary, Alberta, Canada this week, FTC officials met with their counterparts at the Office of the Privacy Commissioner of Canada (OPC) to discuss privacy issues related to cloud computing practices and their implications for individuals, organizations, and businesses.

Kathryn Ratte, a senior attorney in the FTC’s consumer protection bureau, said that existing privacy laws create a mish-mash of different privacy policies on the Internet, and that it’s almost impossible for consumers to compare the privacy practices of different companies.

“To compare the privacy policies of two companies is an almost impossible task.”

Privacy laws on the Internet typically rely on disclosure requirements for data collection and use, and on consumers being informed. “In some very basic sense it isn’t working,” said Ratte.

Recent weeks have seen online privacy concerns escalate in the minds of consumers and the media. Google is facing a high-profile investigation of its data collection activities in relation to Google Street View, and Facebook has come under scrutiny for recent changes to its privacy policies and tools.

Some suggest that the FTC is considering increased regulation of cloud computing services. The ability of cloud services “to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers,” said David Vladeck, Director of the FTC Bureau of Consumer Protection, at a privacy roundtable meeting in January 2010 at Berkeley, CA.

Banks in Eastern Europe Under Attack from Crimeware

Thursday, June 17th, 2010

It seems that it’s not only the customers of US, UK and Brazilian banks that are under attack from crimeware such as the Zeus trojan, which logs into online bank accounts and allows criminals to transfer funds from victims’ accounts.

Now customers of Eastern European banks are also under attack, according to security researcher Joe Stewart of SecureWorks. Joe says that the BlackEnergy2 trojan is now being used to break into online bank accounts of infected users who are accessing online banking sites in Russia and Ukraine.

In addition to allowing cyber criminals to fraudulently transfer funds, the trojan launches a Distributed Denial of Service attack (DDoS) on the bank. This prevents legitimate users from logging in, and distracts bank security and IT employees.

Police Arrest 178 People in Global Credit Card Scam Involving 120,000 Stolen Credit Card Numbers

Tuesday, June 15th, 2010

Police in Europe and the United States have arrested 178 people in 14 countries on charges of credit card fraud.

Apparently the investigation has found 120,000 stolen credit card numbers, and 5,000 cloned credit cards. Six card cloning labs have been seized.

Brian Krebs (krebsonsecurity.com) has posted an excellent blog post today. He’s even posted a picture of one of the credit card cloning labs, sourced from the Spanish Ministry of Interior.

American Bankers Association Says the Threat of Corporate Bank Account Fraud on the Internet is Very Large

Thursday, June 10th, 2010

Bank Info Security magazine today published an interview with Doug Johnson of the American Bankers Association (ABA) on the topic of corporate banking account takeovers by cyber criminals. Cyber criminals are increasingly using malware to steal online access to the bank accounts of small and medium-sized companies and government agencies, and to fraudulently transfer hundreds of thousands of dollars out of those accounts.

The interview is worth reading, and it can be found here.

When asked how big a threat cyber-criminal takeovers of Internet corporate banking accounts are, Mr. Johnson replied:

“Well, I think that the threat is very large. I think that the threat is not only a large one from the standpoint of the number of cases — which the FBI continues to observe are increasing for them. But I think the biggest risk that we face here, as it relates to the corporate account takeover, is the damage it does to the reputation of financial institutions and financial institutions’ customers, and the damage it does potentially to the relationship between our customers and our financial institutions. Because I do believe at the end of the day this is all about shared responsibility. Both financial institutions as well as financial institution customers do have a responsibility to have skin in the game to protect accounts, and I think that it is only through that active partnership that they were able really to address the current threat.”