With critical business services migrating to the cloud, service providers have become a prime target for cyber criminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and bypass industrial-strength security controls maintained by larger businesses.

Zeus Targets Cloud Payroll

Researchers at Trusteer, an IBM company, have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payrolll services Web page when a corporate user whose machine is infected with the Trojan visits the website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.

The financial losses associated with this type of attack can be significant. Last August, cyber thieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing email and infected with malware that stole access credentials to the organization’s payroll system.

With valid credentials, the cyber thieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA’s bank account, which they sent to the fraudsters.

Why Cyber Crime Is On the Rise

We expect to see increased cyber crime using this type of fraud scheme for the following reasons:

  • First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual customers.
  • Second, by stealing the login credentials that belong to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules without raising red flags. Using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems. They leave very little evidence that malicious access is occurring.
  • Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium- to large-sized enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendors’ IT systems; thus, it is hard to protect their back-end financial assets.
  • Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g., Zeus).

Protecting Systems

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-detection-evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to prevent malware from getting to the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints — not signatures — to prevent malware on an infected machine from stealing login credentials.

For example, Trusteer Rapport prevents malware from installing on a machine and secures communication between the computer and cloud service provider website to prevent common attack methods such as HTML injecting, key logging and screen capturing from grabbing data. This technology can be used to protect other Web-based applications, such as VPNs, CRM and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter without being detected.


We have been contacted by Ceridian requesting a clarification of the above blog post. To clarify, we note two items:

First, the Zeus Trojan has been around for several years and targets a multitude of institutions and service providers, including large banks, financial institutions and possibly other payroll data-processing service providers. We take no view as to whether Ceridian is more or less secure than any of its competitors, and we do not consider other cloud payroll services providers in any way immune to such attacks.

Second, the MECA intrusion noted above is an example of the financial losses that can arise from attacks on payroll systems. This is not a direct result of Ceridian having been targeted by a Zeus configuration. Indeed, we understand that MECA is not a Ceridian customer.

More from Fraud Protection

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

What to do about the rise of financial fraud

6 min read - As our lives become increasingly digital, threat actors gain even more avenues of attack. With the average person spending about 400 minutes online, many scammers enjoy a heyday. Old impersonation scams continue to deceive people every day, as con artists and hackers are armed with advanced technologies and sophisticated social engineering tactics. According to the Federal Trade Commission, financial fraud increased by over 30% from 2021 to 2022, with total losses surpassing $8.8 billion. This ever-evolving threat will continue to…