Zeus targets cloud payroll service to siphon money
With critical business services migrating to the cloud, service providers have become a prime target for cybercriminals. In the latest example of financial malware targeting enterprises, Trusteer has discovered a Zeus attack that focuses on cloud payroll service providers.
These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses.
Trusteer researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system.
Ceridian image-based authentication example
The financial losses associated with this type of attack can be significant. In August of last year, cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports an employee at MECA was victimized by a phishing e-mail and infected with malware that stole access credentials to the organization’s payroll system.
With valid credentials, the cyberthieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA’s bank account which they sent to the fraudsters.
Trusteer expects to see increased cybercriminal activity using this type of fraud scheme for the following reasons:
First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual consumers.
Second, by stealing the login credentials belonging to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules before raising any red flags. Using these valid credentials fraudsters can also access personal, corporate and financial data without the need to hack into systems, while leaving very little evidence that malicious access is occurring.
Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets.
Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g. Zeus).
Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. That’s because attacks like this one are surgical in nature and use targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside corporate computers.
A better alternative for protecting sensitive cloud payroll, treasury, and other financial applications is to prevent malware from getting onto the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints, not signatures, to prevent malware on an infected machine from stealing login credentials.
For example, Trusteer Rapport prevents malware from installing on a machine and secures communication between the computer and cloud service provider website to prevent common attack methods like HTML injection keylogging and screen capturing from grabbing data.
This technology can be used to protect other web-based applications like VPNs, CRM, and collaboration systems that can be exploited by malware to steal user credentials and breach an enterprise’s security perimeter completely undetected.