Zeus Trojan Takes Aim at Cloud Payroll Services

Thursday, April 12, 2012



Security firm Trusteer is reporting the discovery of a Zeus Trojan operation that is targeting Ceridian, a Canadian provider of cloud-based payroll services.

"We have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses," writes Trusteer's

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to spread.

The Zeus Trojan can lay dormant for long periods until the user of the infected machine accesses targeted information, like banking accounts. Zeus then harvests passwords and authentication codes.

While Zeus was previously been used to pilfer the payroll portal of the Metropolitan Entertainment & Convention Authority (MECA) last year, this latest operation is the first instance of the malware being utilized to specifically target a managed service payroll provider.

"Zeus captures a screenshot of a Ceridian payroll services web page when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system,"

Trusteer predicts that similar attacks against cloud-based vendors will likely increase in the near future, as the attacks offer criminals the potential to steal larger sums of money in a shorter period of time before being discovered, and the clients of these services have little insight into or control over security protocols.

"By targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets... [and] cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware,"

against these sorts of targeted attacks is extremely difficult, and that the best possible strategy is the application of layered defenses.

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. That’s because attacks like this one are surgical in nature and use targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside corporate computers."

Trusteer had also recently reported that a survey revealed an increasing number of websites are now known to host Zeus variants. The report also shows that a growing number of networks are hosting command and control (C&C) operations for Zeus-based botnets.

Of even greater concern are newer variants of Zeus which do not depend on C&C servers to receive commands and updates, but instead share data with one another, and these variants are becoming ever more present.

Last fall, Swiss security expert Roman Hssy has discovered these variants of the Zeus Trojan that have a newly added peer-to-peer (P2P) functionality, making the malware more resistant to mitigation efforts.

The Trojan still only receives command and control information from one domain at a time, allowing mitigation by blocking the control domain until the malware updates with a new command and control via the P2P functionality, a method called "sinkholing".

Source:  http://www.trusteer.com/blog/zeus-targets-cloud-payroll-service-siphon-money-enterprises

Possibly Related Articles:
Viruses & Malware
Trojans Cloud Security malware Botnets Cyber Crime Managed Services Zeus Headlines Ceridian vendors Trusteer
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.