Bach Seat

A New York school district was a victim of an apparent Zeus trojan attack which appears to have netted nearly $500,000. InformationWeek is reporting that the FBI and New York State Police Cyber Crime and Critical Infrastructure Unit are investigating an attempt last month to steal about $3.8 million from the Duanesburg Central School District near Schenectady, New York.

According to the January 6 article, online thieves made a series of unauthorized funds transfers from the school district’s NBT Bank account to an overseas bank between December 18 and 22, 2009. The third transfer during this period was flagged as abnormal activity by the bank, which began blocking pending transactions after the school district confirmed the transfers had not been authorized. Working with foreign banks, NBT Bank recovered about $2.5 million out of $3 million stolen during the four-day period, but two previous unauthorized transactions were discovered.

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered,” wrote Superintendent Christine Crowley in a letter on Monday to district parents and community members. “However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.”

The district website says, “At this time, we do not have any more information on how this happened and do not expect to have any more information to share until the investigation concludes.”

Security researchers at Trusteer point out in a recent DarkReading article that Zeus is detected only 23 percent of the time by up-to-date anti-virus applications. The massive Zbot botnet is made up of 3.6 million PCs in the U.S., according to Damballa data  The malware steals users’ online financial credentials and moves them to a remote server, where it can inject HTML onto pages rendered by the victim’s browser to display its own content mimicking, for instance, a bank’s Web page.

“Zeus’ infection rate is higher than that of any other financial Trojan. We are seeing actual fraud linked to Zeus — accounts being compromised, [and] money transferred from accounts of customers infected with Zeus,” Mickey Boodaei, founder and CEO of Trusteer told DarkReading. “When we investigate some of our banking customers’ [machines infected by it], we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.”

The security blog says that organizations can’t control the transmission vectors, which are increasingly social networking and/or webmail applications. Given the high degree of user trust and huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of the threats come in the form of social network-specific threats (e.g., koobface, fbaction), but many times they’re re-using existing or older threats delivered in a new, hybrid way – exploiting the trust associated with social networks – which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat…especially when users click first, and think later.

Related articles

• Court Order Allows Microsoft To Retain Control Of Zeus Botnets (techweekeurope.co.uk)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.