SecurityWeek

Cloud Security

Zeus Found Targeting Canadian Payroll Processor

Researchers at Trusteer have spotted a new attack vector from Zeus that aligns perfectly with previous financially motivated targets. Based on the information collected and previous attacks, it appears as if the newer Zeus configurations will remain focused on the bigger fish.

Trusteer managed to capture a Zeus sample that targets Ceridian, a Canadian HR and payroll services firm. Once installed on a compromised host, Zeus captures a screenshot of Ceridian’s client portal, giving the malware’s controller the User ID, the Company Number, and the image-based authentication icon. In addition, the malware’s keylogging component ensures that the password is compromised as well. With this information in hand, the attacker can take over the account at will.

Trusteer notes that compromises such as this one can be devastating to a company. Last August, criminals walked away with more than $200,000 after compromising a system used by the Metropolitan Entertainment & Convention Authority (MECA).

Such scams are expected to increase, Trusteer notes, because enterprise payroll systems offer access to larger sums of cash. Moreover, access to a large organization’s payroll system gives the attackers a better chance of funneling money out to mules before any red flags are raised.

Not to mention, there is a good chance that cloud-based payroll systems can be accessed from unmanaged mobile devices, giving the crooks an additional avenue of compromise that could go undetected for some time.

The larger problem, however, is one that most companies have no real means to defend against: once they rely on external services, the security of those systems is out of their control.

“By targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets,” said Trusteer’s Amit Klein in a blog post.
