Computerworld reports that the attacks come from messages disguised as LinkedIn reminders that include links to malicious sites, which then hit the Windows PC with numerous drive-by exploits, looking for one that works. Once Zeus finds its way onto a PC, it silently captures log-in credentials for numerous online banks, including usernames and passwords for Schwab accounts. But it does something else:
The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. On that form are fields asking for the user's mother's maiden name, driver license number and employer.
Manky says the fake form can appear while a user is on the legitimate Schwab site, making it impossible for the user to know the form was bogus. With this valuable information in hand, thieves can not only pillage accounts for cash, but also sell securities to restock the cash account for further withdrawals.