LONDON - No one knows who lies behind Zeus, the notorious malware. Security experts believe he or she is Russian, but no one is completely sure. What they all agree on is that Zeus is the most pernicious "trojan horse" - a destructive program disguised as an application - on the internet. During the last four years it has infected millions of PCs, taking control of the computer and stealing personal banking details.
Zeus may be one of the most difficult types of malware to detect - but the great fear among cybercrime experts is no longer your home computer. A new strain of Zeus, dubbed "Zitmo" (it stands for "Zeus in the mobile") has begun to exploit a huge hole in personal banking security: The smartphone.
This malicious new version of Zeus has sparked intense concern among security companies. The chief executive of Trusteer, Mr Mickey Boodaei, said in a blog: "Bad news: Fraudsters have all the tools they need to effectively turn mobile malware into the biggest customer security problem we've ever seen."
But it's not just Zeus that smartphone customers should be worrying about, according to Mr Alex Fidgen of MWR InfoSecurity, one of the biggest cybercrime-busting outfits in Britain. It legally hacks into computers to test and improve security. More recently it has turned its attention to smartphones and found that it can crack open every new handset it sees.
"The mobile phone industry is not fit for purpose, especially for financial transactions," said Mr Fidgen. "The evidence is irrefutable. You cannot be assured of security with modern smartphones. As soon as the handset is compromised, then any data is up for grabs."
Mr Fidgen said the fault lies with the handset manufacturers, not the network providers or banks. In the race to bring new phones and new features to the market, many have left security low on the agenda. Yet modern smartphones are in effect PCs with phones attached and, particularly when they are used in public Wi-Fi hotspots, they can become fatally compromised.
Trojans can enter a smartphone in many devious ways. All you have to do is click on a link or attachment that contains the virus, and within seconds it can secretly seize control of the phone. That link might be a tinyurl in Twitter. The attachment could be a vCard, the standard format for sending a business card to a phone.
Or you could be accessing a website in a cafe. At Wi-Fi hotspots, fraudsters create bogus gateways, known as "evil twins", to which the latest mobile phones will automatically connect. Once a connection is established, all the information passing through the gateway can be read directly or decrypted, allowing fraudsters to harvest user names, passwords and messages.
Until now, these attacks have been rare. But experts say that's just because smartphones are still taking off. "We're walking into a minefield," said Mr Fidgen, who has been warning about the risks of mobile banking for several months, "but nobody's bloody listening".
In a demonstration by MWR InfoSecurity, security consultant Mr David Chismon showed how easy it is to hack into smartphones. He clicked on an innocent-looking attachment sent in a text message, which contained a trojan, and within seconds it installed itself on the phone as a bugging device. Even when we switched the phone off, in reality it was still on, and every 30 seconds it sent a recording of the user's conversations to the hacker's computer. It also began keystroke-logging and form-grabbing, to identify banking passwords.
We asked the banks for their views, but they told us that, as long as users take sensible precautions, customers should not be put at risk. A bank said: "We're committed to making our customers' mobile banking experience as safe as possible. We use the latest online security technology to protect our customers' personal information and privacy, and we guarantee to refund any money lost in the unlikely event of the customer experiencing fraud using mobile banking."
Zeus is such a worry because it's not one criminal gang but cells of them operating across the globe. At its heart is a Russian developer who produces the source code and then licenses the program to numerous fraudsters in the criminal underworld. This software genius regularly sends out patches and updates so that every time it is detected, Zeus bounces back again.
Don Jackson of Dell's security arm, SecureWorks, is the person who first discovered Zeus in 2007, and he has been pursuing it doggedly ever since.
"Zitmo has all the hallmarks of the original author of Zeus. This brand new version is his flagship new product which he's making available to a select few. He writes it, sells it for huge amounts of money, and even supports his 'customers' to rid it of any bugs that develop," he said.
Mr Jackson says: "We think there is an inner circle of two to 10 people, then as many as 100 working in the individual gangs. Most of the guys operate out of Russia and Eastern Europe, but they do have a large presence on the ground in the US and the United Kingdom. They can't just operate behind a keyboard.
"Sometimes they have to cash in the accounts and wire money over," he added. "We work a lot with government and law enforcement agencies. Zitmo/Zeus operators are now ranked as the number one security threat. This is a very, very capable group." THE GUARDIAN