by Constantine von Hoffman

Latest Malware Target: Cloud-Based Payroll Services

Opinion
Apr 12, 2012, 2 mins
Cybercrime, Malware, Mobile Security

Cloud service providers are a tempting target for hackers because they offer a way around the heavy-duty security systems used by larger organizations.

The security firm Trusteer has found Zeus-based malware that focuses on cloud payroll service providers and routes funds to criminals.

Trusteer reports:

“Our researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page (https://clients.powerpay.ca/powerpay/Logon*) when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system.”

The potential payoff for criminals here is huge because it allows them to operate at a wholesale rather than retail level, stealing from masses of people instead of individuals. In August of last year, crooks stole $217,000 from the Metropolitan Entertainment & Convention Authority in Omaha, Neb.

Cloud service providers are a tempting target because they offer a way around the heavy-duty security systems used by larger organizations. The service’s customers have no control over the provider’s IT systems and don’t have any way to directly monitor security. Cloud services in general appeal to the bad guys because they can be accessed using unmanaged devices, which are usually less secure and easier to infect with malware.

As Trusteer’s Amit Klein notes, “Attacks like this one are surgical in nature and use targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside corporate computers.” Because they are so unique, the usual antivirus systems don’t detect and stop them.

One solution would be not using cloud-based systems. But we all know that ain’t happening. Those systems do some really, really useful stuff. Instead, IT security folks need to make sure management knows of this risk and provides them with the resources to monitor all service providers’ security.