20 July 2018
The Joy of Fraud Fighting
Uri Rivner - BioCatch

Cheeky Fraudsters Tap Amazon Cloud

09 December 2009

Amazon EC2 is one of the most amazing feats of cloud computing infrastructure in existence. This is the place to go if you need on-demand, virtually endless capacity for hosting applications. Geeks’ eyes brighten when you mention the name. If something embodies the Cloud, it is probably EC2.

And if something embodies the Dark Cloud, it is the notorious Zeus Trojan, also known as the Zbot.

Now the two join forces. The Dark Cloud directly uses the Cloud to scale up and protect its operations.

CA researcher Methusela Cebrian Ferrer published a blog post revealing how fraudsters operating a Zeus Trojan tap Amazon’s cloud computing platform for their sinister needs. The Trojan is spread by sending fake Christmas greeting cards that lead to an infection site, often a legitimate site that was hijacked (a drive-by download).

Alex Vaystikh, a top malware researcher in RSA, brought this breaking news to my attention (thanks Alex!) and I asked him to talk a bit about the use of EC2 in the attack.


Q: Before talking about the Cloud usage, what can you say about this specific Zeus Trojan?

A: We too detected and analyzed this crimeware. I checked it against all leading anti-virus companies using a service called VirusTotal. Hardly anyone was capable of detecting this Trojan at that point. This has changed by now; most AVs already detect it.


Q: What specific use do the fraudsters have for EC2?

A: They host the latest Trojan variants at EC2, as well as the configuration files with the various triggers for stealing data. So when the user’s PC gets infected, the latest variant and configuration file are pulled in real time from EC2.

But that’s just the beginning. They also host the ‘drop zone’ for the Trojan’s stolen data in EC2. That’s where all of the stolen records go. In Zeus we talk not just about online banking passwords and credit cards, but a huge amount of other data: Zeus typically grabs HTML forms, records from a huge amount of triggered sites, and almost every HTTPS site (due to the more sensitive nature of data in such sites). It’s not a key logger: it virtually grabs all your communication. This requires a big, always-available space to store the data, parse it and query it for useful information.


Q: Does hosting the drop zone in EC2 make it more difficult to intercept?

A: Amazon isn’t a regular ISP, and a huge amount of legitimate users tap their cloud computing services at any given point in time. On-demand instances cost less than 10 cents per hour, making the service extremely popular. It’s hard to expect Amazon to quickly respond whenever a drop zone or a malware content server is found, so hosting in EC2 makes it a bit more difficult to intercept when compared to a regular drop zone hosted in a standard ISP.


Q: Is this the first known link between the Dark Cloud and the Cloud?

A: When it comes to cybercrime, it probably is. Spam is already known to emanate from EC2 – Brian Krebs from the Washington Post blog Security Fix wrote about it over a year ago. It should be noted that right now this seems to be an early bird; a “proof of concept” in white hat lingo. But it’s only a matter of time until cybercrime use of cloud computing grows.
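The answers above describe a drop zone sitting on ordinary cloud infrastructure that a huge number of legitimate users also reach, which is exactly what makes it hard to spot from the network side. As an added example (not part of the original post, and not any vendor's tooling), the following Python script scores clients in a web-proxy log for drop-zone-like behaviour: repeated HTTP POSTs with sizeable bodies to addresses inside a cloud provider's ranges, while ordinary browsing of cloud-hosted sites is left alone. The CIDR blocks, the log format, the sample lines and the thresholds are all constructed or assumed for the example.

```python
"""Added example: flag hosts whose proxy traffic looks like a form-grabber
talking to a drop zone hosted in a cloud provider's address space.

Everything here is constructed for illustration: the CIDRs are documentation
ranges standing in for a provider's published ranges, the log lines are made up,
and the thresholds are assumptions to be replaced by a measured baseline.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: these stand in for the cloud provider's published address ranges.
CLOUD_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed proxy log. Fields: timestamp client method dest_ip url bytes_out
# 10.1.1.5  - behaves like an infected PC: regular, large POSTs into cloud ranges
# 10.1.1.9  - normal shopper on a cloud-hosted site: mostly GETs, one small POST
# 10.1.1.12 - large POSTs, but to a non-cloud address (out of scope here)
SAMPLE_LOG = """\
2009-12-09T10:00:01 10.1.1.5 GET 192.0.2.10 http://example.org/ 412
2009-12-09T10:00:05 10.1.1.5 POST 203.0.113.17 http://203.0.113.17/upload 8192
2009-12-09T10:03:05 10.1.1.5 POST 203.0.113.17 http://203.0.113.17/upload 6000
2009-12-09T10:06:04 10.1.1.5 POST 203.0.113.18 http://203.0.113.18/upload 12000
2009-12-09T10:09:06 10.1.1.5 POST 203.0.113.17 http://203.0.113.17/upload 9000
2009-12-09T10:01:00 10.1.1.9 GET 198.51.100.40 http://shop.example/ 300
2009-12-09T10:01:30 10.1.1.9 GET 198.51.100.40 http://shop.example/cart 280
2009-12-09T10:02:00 10.1.1.9 POST 198.51.100.40 http://shop.example/login 310
2009-12-09T10:02:10 10.1.1.12 POST 192.0.2.10 http://example.org/form 9000
2009-12-09T10:02:20 10.1.1.12 POST 192.0.2.10 http://example.org/form 9000
2009-12-09T10:02:30 10.1.1.12 POST 192.0.2.10 http://example.org/form 9000
"""


def in_cloud_range(ip: str) -> bool:
    """True if the destination address lies inside one of the cloud CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


@dataclass
class HostStats:
    total_requests: int = 0
    cloud_posts: int = 0
    cloud_post_bytes: int = 0
    cloud_dests: set = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed log line into its fields (bytes_out as int)."""
    ts, client, method, dest, url, nbytes = line.split()
    return ts, client, method, dest, url, int(nbytes)


def score_hosts(log_text: str, min_posts: int = 3, min_avg_bytes: int = 1024) -> dict:
    """Return {client: details} for clients that POST repeatedly, with bodies
    averaging at least min_avg_bytes, to addresses inside CLOUD_RANGES.

    GETs to the same ranges are counted only as background, so a user browsing
    a cloud-hosted shop is not flagged; a single small login POST is also fine.
    """
    stats: dict = defaultdict(HostStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, method, dest, _, nbytes = parse_line(line)
        s = stats[client]
        s.total_requests += 1
        if method == "POST" and in_cloud_range(dest):
            s.cloud_posts += 1
            s.cloud_post_bytes += nbytes
            s.cloud_dests.add(dest)

    flagged = {}
    for client, s in stats.items():
        if s.cloud_posts < min_posts:
            continue
        avg = s.cloud_post_bytes / s.cloud_posts
        if avg >= min_avg_bytes:
            flagged[client] = {
                "posts": s.cloud_posts,
                "avg_bytes": avg,
                "dests": sorted(s.cloud_dests),
            }
    return flagged


if __name__ == "__main__":
    for client, info in score_hosts(SAMPLE_LOG).items():
        print(f"{client}: {info['posts']} POSTs to cloud ranges, "
              f"avg {info['avg_bytes']:.0f} bytes, dests {info['dests']}")
```

In a real deployment the range list would come from the provider's published address ranges and the thresholds from a baseline of the organisation's own cloud traffic; the GET/POST distinction and the body-size filter exist precisely because, as the answer notes, a large share of legitimate traffic also terminates in those ranges, so destination reputation alone would flood the alert queue.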


Let us summarize. Zeus, king of the Dark Cloud, now taps Amazon EC2, famously known as one of the pillars of cloud computing. Endless scalability, availability and resilience are now at the fingertips of cybercriminals. This isn’t the most shocking piece of breaking news we had this year, but it all adds up. 2009 stands out as a year in which the Dark Cloud shaped up to be a major threat in our lives.

Oh, and don’t open fake Christmas e-Cards :)
