Security Experts:

Zeus Found Targeting Canadian Payroll Processor

Researchers at Trusteer have spotted a new attack vector from Zeus that aligns perfectly with previous financially motivated targets. Based on the information collected and previous attacks, it appears as if the newer Zeus configurations will remain focused on the bigger fish.

Trusteer managed to capture a Zeus sample that is targeting Ceridian, a Canadian HR and payroll services firm. Once installed on a compromised host, Zeus will capture a screenshot of Ceridian’s client portal, allowing the malware’s controller access to the User ID, Company Number, and the image-based authentication icon. In addition, the keylogging aspect of the malware will ensure that the password is compromised. With this information in hand, the attacker can compromise the account at will.

Trusteer notes that compromises such as this one can be devastating to a company. Last August, criminals walked with more than $200,000 after compromising a system used by the Metropolitan Entertainment & Convention Authority (MECA).

Such scams are expected to increase, Trusteer notes, because enterprise payroll systems offer access to larger sums of cash. Moreover, access to a large organizations payroll system allows the attackers a better chance of funneling money out to mules before any red flags are raised.

Not to mention, there is a good chance that cloud-based payroll systems are able to be accessed with unmanaged mobile devices, allowing the crooks an additional avenue of compromise that could go undetected for some time.

The larger problem however, is one that most companies have no real means to defend against; as it’s out of their control once they use external services.

“By targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets,” said Trusteer’s Amit Klein in a blog post.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.