With critical business services migrating to the cloud, service providers have become a prime target for cyber criminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and bypass industrial-strength security controls maintained by larger businesses.

Zeus Targets Cloud Payroll

Researchers at Trusteer, an IBM company, have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payrolll services Web page when a corporate user whose machine is infected with the Trojan visits the website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.

The financial losses associated with this type of attack can be significant. Last August, cyber thieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing email and infected with malware that stole access credentials to the organization’s payroll system.

With valid credentials, the cyber thieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA’s bank account, which they sent to the fraudsters.

Why Cyber Crime Is On the Rise

We expect to see increased cyber crime using this type of fraud scheme for the following reasons:

  • First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual customers.
  • Second, by stealing the login credentials that belong to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules without raising red flags. Using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems. They leave very little evidence that malicious access is occurring.
  • Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium- to large-sized enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendors’ IT systems; thus, it is hard to protect their back-end financial assets.
  • Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g., Zeus).

Protecting Systems

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-detection-evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to prevent malware from getting to the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints — not signatures — to prevent malware on an infected machine from stealing login credentials.

For example, Trusteer Rapport prevents malware from installing on a machine and secures communication between the computer and cloud service provider website to prevent common attack methods such as HTML injecting, key logging and screen capturing from grabbing data. This technology can be used to protect other Web-based applications, such as VPNs, CRM and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter without being detected.


We have been contacted by Ceridian requesting a clarification of the above blog post. To clarify, we note two items:

First, the Zeus Trojan has been around for several years and targets a multitude of institutions and service providers, including large banks, financial institutions and possibly other payroll data-processing service providers. We take no view as to whether Ceridian is more or less secure than any of its competitors, and we do not consider other cloud payroll services providers in any way immune to such attacks.

Second, the MECA intrusion noted above is an example of the financial losses that can arise from attacks on payroll systems. This is not a direct result of Ceridian having been targeted by a Zeus configuration. Indeed, we understand that MECA is not a Ceridian customer.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…