With critical business services migrating to the cloud, service providers have become a prime target for cyber criminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and bypass industrial-strength security controls maintained by larger businesses.

Zeus Targets Cloud Payroll

Researchers at Trusteer, an IBM company, have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payrolll services Web page when a corporate user whose machine is infected with the Trojan visits the website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.

The financial losses associated with this type of attack can be significant. Last August, cyber thieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing email and infected with malware that stole access credentials to the organization’s payroll system.

With valid credentials, the cyber thieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA’s bank account, which they sent to the fraudsters.

Why Cyber Crime Is On the Rise

We expect to see increased cyber crime using this type of fraud scheme for the following reasons:

  • First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual customers.
  • Second, by stealing the login credentials that belong to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules without raising red flags. Using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems. They leave very little evidence that malicious access is occurring.
  • Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium- to large-sized enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendors’ IT systems; thus, it is hard to protect their back-end financial assets.
  • Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g., Zeus).

Protecting Systems

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-detection-evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to prevent malware from getting to the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints — not signatures — to prevent malware on an infected machine from stealing login credentials.

For example, Trusteer Rapport prevents malware from installing on a machine and secures communication between the computer and cloud service provider website to prevent common attack methods such as HTML injecting, key logging and screen capturing from grabbing data. This technology can be used to protect other Web-based applications, such as VPNs, CRM and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter without being detected.


We have been contacted by Ceridian requesting a clarification of the above blog post. To clarify, we note two items:

First, the Zeus Trojan has been around for several years and targets a multitude of institutions and service providers, including large banks, financial institutions and possibly other payroll data-processing service providers. We take no view as to whether Ceridian is more or less secure than any of its competitors, and we do not consider other cloud payroll services providers in any way immune to such attacks.

Second, the MECA intrusion noted above is an example of the financial losses that can arise from attacks on payroll systems. This is not a direct result of Ceridian having been targeted by a Zeus configuration. Indeed, we understand that MECA is not a Ceridian customer.

more from Fraud Protection