CYBERSPACE – When the malware known as Zeus first reared its ugly, keystroke-logging, form-grabbing head over 10 years ago, it was used to target a variety of government and corporate entities, including the U.S. Department of Transportation, the massive consulting firm Booz Allen Hamilton and satellite provider Hughes Network Systems.
Just over two years ago, a new variant of Zeus emerged which was used to target banking, which was referred to as “Panda Banker” and “ZeuS Panda.” Spread through a variety of vectors, including word document macros, phishing emails and drive-by downloads, Panda Banker quickly insinuated itself into networks across the globe.
While Panda initially was used to target financial services and service providers almost exclusively, researchers from F5 Labs recently observed an expansion in Panda’s targets, which now include social media platforms, cryptocurrency exchanges and adult websites.
“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services,” F5 researcher Doron Voolf wrote in his analysis of the malware. “Social media, search, email, and adult sites are also being targeted by Panda.”
F5 looked at four Panda campaigns active between February and May, with three of the May campaigns still active at this time. Voolf wrote that all the campaigns in may targeted the same social media, search, email, ecommerce, and tech providers.
Voolf observed that the expansion of Panda’s targets to the adult market should not come as a shock, given the popularity of online porn.
“Adult sites were also targeted by Panda in May,” Voolf wrote. “We have been seeing an expansion of banking trojan targets into other industries that collect payment information and other forms of personally identifiable information (PII), so this behavior is not surprising given the size of the adult industry and potential revenue generation for fraudsters.”
In the February Panda campaign analyzed by F5, which Voolf has dubbed the “Onore2 campaign” after the botnet used to drive the campaign, the exploit leveraged the same forms of attack which have always been associated with Zeus, including keystroke logging, clipboard pastes, web injects, screen shots of user activity and exploits to the Virtual Network Computing (VNC) desktop sharing system.
“The Onore2 campaign targeted two industries: financial services and cryptocurrency sites,” Voolf observed. “The majority of the targets were financial services sites in Italy at 51%, followed closely by cryptocurrency targets used worldwide at 49%.”
Pornhub was among the targets of the May Panda campaign Voolf researched – but the massive porn site was in good company, underscoring the fact the issue isn’t that Pornhub is particularly vulnerable, or lax in its security. Rather, the site is always a likely target of malware campaigns, simply because of its popularity and profile.
In addition to Pornhub, other targets of the May campaign (“2.6.8” – again named for the botnet which drove it) include “the ecommerce giant Amazon; entertainment platform Youtube; Microsoft.com, Live.com, Yahoo.com, Google.com, likely targeting email accounts; the social media leaders Facebook and Twitter; as well as a Japanese adult site Dmm.co.”
As has always been the case, the only defense businesses have against exploits of this sort is to stay on top of common points of vulnerability in their networks and following the advice and best practices recommended by cybersecurity experts. While researchers like Voolf can track and analyze the threats, it’s still up to individual businesses (and consumers) to protect themselves by way of constant vigilance.
“We will continue to look for patterns by monitoring this activity and the networks and services from which they are choosing to launch their activities,” Voolf said. “In the meantime, we highly recommend all businesses maintain up-to-date patches on endpoints and ensure AV controls are continuously updated so their systems don’t get infected with this malware. To protect your business from infected consumers that cause costly fraud investigations, monetary returns, and so on, we recommend instituting advanced web fraud protections because this customized security control is not just for banks anymore!”
