A huge number of banking malware applications are using IM (instant messaging) to deliver stolen credentials to thieves in real time. The latest novelty is a Trojan called Zeus, which monitors activity on an infected personal computer to capture passwords entered into banking websites and other financial services. Previously, Zeus uploaded the credentials to a server database, which scammers periodically checked. The new method employs PHP scripts that automatically send credentials as soon as they're intercepted. That allows thieves to retrieve the information much more quickly than would otherwise be possible (e.g. phishing).

Investigators from the RSA FraudAction Research Lab have also observed the program that goes by the names Torpig and Mebroot using the Jabber IM protocol. Sean Brady, manager for identity protection and verification at RSA, said: "One of the things that has definitely changed in recent times is that the half life of a stolen credential is decreasing". As a growing number of banks adopt one-time passwords, the need for speedier delivery mechanisms is growing.

The IM scripts are highly customizable, so they can be used to attack a single institution or a group of institutions. RSA researchers observed one version of Zeus that IMed credentials for customers of a single US-based financial institution. In another case, the Trojan sent credentials for five pre-set institutions. More detailed news can be read on The Register website.