Zeus At Home, But Then Who Really Cares?

According to ComputerWorld, it looks like Zeus malware distributors are developing a new attack strategy, targeting businesses more than banks.  Zeus has been typically used to steal online banking credentials,  but has started angling for home computers and VPN access into the soft, mushy insides of the corporate network. 

It would seem there is less network protection at home, fewer tracking mechanisms, and just as much or more value to be had inside the various Small, Medium, and Enterprise sized businesses whose tools this tactic exposes.  Criminal groups that use Zeus have started trying to find out where their victims work by popping up fake online bank log-in screens that ask the victims for their employer’s name.

We trust our employees, but because most of the security work goes on in the corporate environment behind the red curtain, they don’t understand security, and their home computers and laptops are not as well protected outside of the corporate perimeter.  Zeus provides a powerful tool for corporate espionage, letting criminals remotely control victim computers, search files, capture passwords and log keystrokes.  Hackers could use the victims’ home PCs to break into corporate systems, bypassing a large portion of the protective controls deployed within an organization.

Employees take risks at home that they would not necessarily take at the office because no one is watching.  The risk they understand is getting caught, not getting compromised.  The Internet remains a target rich environment as awareness is lacking, and lackadaisical complacency is the norm.  Without perceived and personal consequence, there is no security beyond that which is ENFORCED.

Agree?  No?  How come?