It’s been a long time since I wrote about the Zeus banking trojan and its family, but a relative of Zeus, called Terdot, is making a comeback. Bitdefender was the first to discover the updated Terdot, which made its introduction more than a year ago. In a blog post, the researchers stated that while Terdot is technically a banker trojan, like the original Zeus, this variation has the ability to spy on social media and email platforms. Tara Seals at Infosecurity Magazine explained:
the malware can notably inject HTML code into visited web pages to carry out MiTM [Man in the Middle] attacks. . . . Bitdefender researchers said that samples show the trojan targeting users of various web services such as Yahoo Mail and Gmail. Interestingly, the malware is specifically instructed not to gather any data from vk.com, Russia’s largest social media platform.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
Or, as the headline for The Register’s article on Terdot teased, this trojan can even fake-post to Twitter.
We should expect to see more variations of Zeus and similar malware, and we should expect them to expand their attack landscape. Hackers will continue to refine these trojans for new targets, Don Duncan, sales engineer for NuData Security, told me in an email comment, and they will continue to do so without user knowledge:
Users surfing websites, especially when they are in a rush and not paying attention – which is what usually happens during the holidays – overlook this kind of anomalous activity. This is a wake-up call for all online companies who trust their users based on the device information; it is time for them to change their authentication frameworks.
Defending against Terdot will be tricky, as Manoj Asnani, VP Product and Design with Balbix, pointed out to me in an email comment, because the trojan relies on both phishing and Man in the Middle as its attack vectors. If you have good comprehensive security and breach coverage, you have a good front line of protection. But we all know that where phishing is in play as an attack vector, you will have a struggle defending against human error, especially against malware that targets social platforms. That’s why Duncan recommended adding another layer to the security system: behavior of those using your system:
It is crucial to understand customers beyond the physical world (device, location, and connection) and start evaluating deeper levels of intelligence such as behavioral patterns. This behavioral evaluation should be combined with intelligent friction that can be automatically added when there is an anomaly or a suspected risky behavior only. Layers that evaluate behavior such as passive biometrics can stop fraud before it happens – even if the credentials and device information are correct – without adding any friction to the real customer.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba