With critical business services migrating to the cloud, service providers have become a prime target for cyber criminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and bypass industrial-strength security controls maintained by larger businesses.

Zeus Targets Cloud Payroll

Researchers at Trusteer, an IBM company, have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payrolll services Web page when a corporate user whose machine is infected with the Trojan visits the website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.

The financial losses associated with this type of attack can be significant. Last August, cyber thieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing email and infected with malware that stole access credentials to the organization’s payroll system.

With valid credentials, the cyber thieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA’s bank account, which they sent to the fraudsters.

Why Cyber Crime Is On the Rise

We expect to see increased cyber crime using this type of fraud scheme for the following reasons:

  • First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual customers.
  • Second, by stealing the login credentials that belong to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules without raising red flags. Using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems. They leave very little evidence that malicious access is occurring.
  • Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium- to large-sized enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendors’ IT systems; thus, it is hard to protect their back-end financial assets.
  • Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g., Zeus).

Protecting Systems

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-detection-evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to prevent malware from getting to the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints — not signatures — to prevent malware on an infected machine from stealing login credentials.

For example, Trusteer Rapport prevents malware from installing on a machine and secures communication between the computer and cloud service provider website to prevent common attack methods such as HTML injecting, key logging and screen capturing from grabbing data. This technology can be used to protect other Web-based applications, such as VPNs, CRM and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter without being detected.

Update

We have been contacted by Ceridian requesting a clarification of the above blog post. To clarify, we note two items:

First, the Zeus Trojan has been around for several years and targets a multitude of institutions and service providers, including large banks, financial institutions and possibly other payroll data-processing service providers. We take no view as to whether Ceridian is more or less secure than any of its competitors, and we do not consider other cloud payroll services providers in any way immune to such attacks.

Second, the MECA intrusion noted above is an example of the financial losses that can arise from attacks on payroll systems. This is not a direct result of Ceridian having been targeted by a Zeus configuration. Indeed, we understand that MECA is not a Ceridian customer.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today