New malware threat to cloud-based payroll service providers
25 April 2012
A new strain of the Zeus banking Trojan has been identified, and this time its target is cloud-based billing service providers and payroll solutions providers.
Researchers have discovered a new variant of the data-stealing malware, which criminals have previously used to obtain banking credentials and then access corporate accounts. In this latest case, however, the Zeus configuration targets Ceridian, a Canadian human resources and payroll solutions provider. When a corporate user whose machine is infected with the Trojan visits a Ceridian payroll services web page, Zeus captures a screenshot of it. This allows the criminal to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.
The financial losses associated with this type of attack are significant, since cybercriminals could use it to add fictitious employees to payroll systems and siphon off funds. In addition, by using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems, while leaving very little evidence that malicious access is occurring.
And the expectation is that we will see increased cybercriminal activity using this type of fraud scheme, not least because targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual consumers. In addition, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their back-end financial assets.