I have officially been struck by Zeus!
Zeus (or whatever it’s called these days) is a virus, trojan, spyware, malware, phishware, backdoor intruder (you get the idea). What it does: shows a fake “security” form when you log into your bank account, Paypal, and probably other sites as well.
The insidious part: it appears to be part of the site you visit, effectively “cloaked” as a legitimate page! I only got suspicious when I logged into Paypal and they appeared to be asking for the same kind of security information that Wachovia did.
How to tell it’s a fake form, even when you think you’re logging into your real account
- The grammar is bad or the spelling is wrong.
- They ask for the PIN to your debit or credit card. I was fooled by that because I was logging into my bank account. It seemed okay for the bank to verify my identity with my PIN. Now I know that a good rule to follow is, if they ask for your PIN, stop and figure out if it’s legit!
- Using the TAB key to navigate from one form field to the next doesn’t work right. Sounds odd, but this was true in my case. As I tabbed through the form that was (I thought) at my bank’s site, it didn’t move me from field to field in a logical order. For example, when filling in your birthdate, hitting TAB from the Month field should (logically) move you to the Day field, then the Year field, and so on. This fake form did not. Instead, it would jump around, like from my birthdate month to the credit card number field. At the time, I thought, ‘Gee, my bank needs to fix the tab order of these fields. How annoying!’ *sigh*
At first, I wondered if sites were simply verifying accounts due to recent browser hacks. But one of the things the form asks for is the PIN to your debit or CC card. Paypal doesn’t need that info.
That’s when I emailed Paypal and asked why they need my PIN. They replied and said that they have no record of ever asking for my PIN.
So then I ran my free edition of Malwarebytes’ Anti-Malware (MBAM). Much to my surprise, it found 40 infections!!! That’s more than it found when I was infected by “Internet Security 2010” last week. That gem is a fake anti-virus program which also drops several trojans on your computer, disabling Task Manager and Program removal in the process.
Yeah, so I was floored. I told MBAM to remove all the infections, of course.
But I had already submitted my information when the form appeared after my banking login screen.
So I called my bank to report the issue and cancel my debit card. They transferred me to the Online Fraud department and a gentleman who knew all about this fake form and told me that it is called the Zeus Virus.
Fortunately, this rep was able to immediately kill my debit card, PIN, and login details. He also said that he didn’t see any suspicious login activity, and so far there are no fraudulent transactions or purchases.
Unfortunately, my information was submitted to who-knows-where, and I’m at a big risk for identity theft.
My bank has offered me the free services of their Identity Theft Assistance Center to monitor my credit and catch any attempts to take out loans, credit cards, etc., in my name.
Geeky stuff
I saved the source code from the Paypal form to include when I contacted Paypal Support. If any industrious geeks want to see it, you can download it here as a TXT file. I believe it works on the same basic idea as Goored, which executes a remote JavaScript to take over your browser’s destination.
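For the geeks: here is a small added example (my own illustration, not code from the saved form or from any of the tools mentioned) that turns the three tell-tale signs from the checklist above, plus the remote-script idea just described, into a check a site owner could run over a snapshot of a page's form. The snapshot format, the field names and the hosts are all made up for the example.

```javascript
// Snapshot format (an assumption of this example): { fields: [{name, label, tabindex}], scriptSrcs: [...] }
// with fields listed in document order.
const PIN_PATTERN = /\bpin\b/i;

// Returns a list of findings; an empty list means none of the three symptoms were seen.
function checkForm(snapshot, allowedScriptHosts) {
  const findings = [];
  // 1. A bank or payment site does not ask for the card PIN in a web form.
  for (const f of snapshot.fields) {
    if (PIN_PATTERN.test(f.label) || PIN_PATTERN.test(f.name.replace(/_/g, ' '))) {
      findings.push(`asks for a PIN: field "${f.name}"`);
    }
  }
  // 2. Injected fields are often given tabindex values that do not follow document
  //    order; that is what the broken TAB navigation described above looks like in markup.
  const withTab = snapshot.fields.filter(f => typeof f.tabindex === 'number');
  for (let i = 1; i < withTab.length; i++) {
    if (withTab[i].tabindex < withTab[i - 1].tabindex) {
      findings.push(`tab order jumps backwards at "${withTab[i].name}"`);
      break;
    }
  }
  // 3. A script pulled from a host outside the site's own allowlist.
  for (const src of snapshot.scriptSrcs) {
    const host = new URL(src).hostname;
    if (!allowedScriptHosts.includes(host)) {
      findings.push(`script from unexpected host ${host}`);
    }
  }
  return findings;
}

// Constructed samples: a plain login form, and the kind of injected "verification" form described above.
const SITE_HOSTS = ['www.example-bank.test'];
const legitimateForm = {
  fields: [{ name: 'user_id', label: 'User ID', tabindex: 1 },
           { name: 'password', label: 'Password', tabindex: 2 }],
  scriptSrcs: ['https://www.example-bank.test/js/login.js'],
};
const injectedForm = {
  fields: [{ name: 'dob_month', label: 'Birth month', tabindex: 1 },
           { name: 'dob_day', label: 'Birth day', tabindex: 3 },
           { name: 'dob_year', label: 'Birth year', tabindex: 4 },
           { name: 'cc_number', label: 'Card number', tabindex: 2 }, // TAB from Month lands here
           { name: 'card_pin', label: 'ATM PIN', tabindex: 5 }],
  scriptSrcs: ['https://www.example-bank.test/js/login.js', 'http://inject.example.invalid/z.js'],
};

console.log(checkForm(legitimateForm, SITE_HOSTS)); // []
console.log(checkForm(injectedForm, SITE_HOSTS));   // three findings
```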
Also, I upgraded Malwarebytes’ Anti-Malware so I would have real-time monitoring in case anything tries to attack me again. I’m glad I did, because there is apparently something still lingering on my PC. Every once in a while, MBAM blocks an attempt to access a known malware IP address.
I was able to get rid of the active infections by following the Malware and Spyware Cleaning Guide from the GeeksToGo forums. They also have free instructions on how to remove a number of more popular infections. GeeksToGo is run by volunteer geeks who donate time to answer the problems that stump the less geeky.
Since MBAM has been blocking malware IP addresses, even after I did all the recommended cleaning, I think the only way to be completely rid of the entire infection is to repair my Windows installation.