Akamai's Prolexic Security Engineering and Response Team (PLXsert) has detected a new set of webinject tools used in conjunction with the Zeus malware to steal online banking credentials and perform fraudulent funds transfers.
"PLXsert has identified more than 100 financial institutions for which active webinjects are available in the wild. Most are mid-size and large financial institutions in North America and Europe," said Akamai security business unit senior vice president and general manager Stuart Scholly.
Webinjects - the insertion of custom elements into web pages - are nothing new. They are often used by malware to collect and exfiltrate credentials for banking and other websites.
This may be done under the guise of an "additional authorisation process" or similar, with each webinject customised to match the look and feel of the relevant organisation's real website.
Where online banking credentials have been obtained or a legitimate session established, the malware may immediately transfer funds from the victim's account.
The PLXsert report [registration required] suggests the first line of defence is user awareness. Learning to recognise suspicious emails ("Red flags are generic salutations, grammatical errors in URLs, unexpected attachments, and attachments sent from unknown entities") helps prevent the Zeus malware from reaching a computer in the first place.
Endpoint security software can help, but PLXsert warns "there may be very low levels of detection for some threats."
At the network level, deep packet inspection and the blacklisting of illegitimate URLs provides some protection.
"PLXsert anticipates the underground crimeware ecosystem will continue to produce new and more powerful tools like Yummba webinjects to take advantage of the massive number of exploited devices on the Internet," said Akamai.