Hackers Using Jabber IM for Sending & Receiving Stolen User Credentials
Written by Administrator   
Thursday, 10 September 2009 13:00

The RSA Fraud Action Research Lab, which investigated a number of attacks involving the Zeus Trojan during May-July 2009, discovered and traced a new Internet attack technique that let criminals speedily deliver hacked credentials.


The investigation by RSA of a number of variants of Zeus showed that some cyber crooks had begun utilizing the Jabber IM (instant messaging) service to leverage compromised user details.

By employing Jabber, online criminals were able to receive stolen information immediately as it was gathered from a Zeus infected computer.

The security researchers state that the Jabber IM components placed inside the Zeus variants were programmed to extract users' credentials from the database of the Zeus "drop" server and instantly transmit them to the remotely situated criminals.

Without such a mechanism, online criminals might not necessarily get the hacked credentials held on the Trojan's "drop" server in real time. The hackers might be sitting on the other side of the globe or might not have an uninterrupted link with the server.

Therefore, crooks are employing Jabber IM for the automated dispatch and receipt of hacked credentials immediately after their collection. In the current instance, the cyber criminals use two Jabber accounts: one that transmits targeted compromised details from the database of the infected server and another that receives those details.

Commenting on the point, the researchers stated that the incident indicated scammers' increasing focus on immediacy as they made efforts to beat measures implemented for identification and avoidance of banking scams.

Sean Brady, Senior Manager for Identity Verification and Safeguard at RSA, said that a definite change, which had occurred recently, was a decline in the delay before stolen credentials were used, as reported by The Register on August 27, 2009. Brady added that the fraudsters surely acted urgently to exploit the credentials.

Meanwhile, RSA found that in the first Jabber crime the company traced, hacked user details were extracted from only one financial institution, based in the USA, suggesting a targeted Zeus assault related to IM.

