New variant of Zeus targets logins for cloud-based systems

Share this article:

A new variation of the Zeus banking Trojan has been detected, targeting users of cloud-based billing companies.

Researchers at Trusteer said that the new variant of the data-stealing malware affects customers of cloud billing service providers such as Ceridian, a Canadian human resources and payroll firm.

Trusteer's Amit Klein said: “These attacks are designed to route funds to criminals, and bypass industrial-strength security controls maintained by larger businesses. In the attack on Ceridian, Zeus captures a screenshot of a Ceridian payroll services web page when a corporate user (whose machine is infected with the Trojan) visits this website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.”

It claimed that this type of attack saw the Metropolitan Entertainment & Convention Authority lose $217,000 last year after an employee was targeted by a phishing email and infected with malware that stole access credentials to the organisation's payroll system.

Trusteer said this would become more prevalent because targeting enterprise payroll systems allows an attacker to gain more money than from a person; this would also not raise many red flags as valid login credentials are used and, by targeting a cloud service provider, the enterprise customers who use the service have no control over the vendor's IT systems and thus little ability to protect their backend financial assets.

It also said that cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware, such us Zeus.

Yishay Yovel, vice-president of marketing at Trusteer, told SC Magazine US that this is an attempt to go into different fields as enterprises are trending toward the cloud for their services.

However, he said that blame should not be put on the service providers: “The user systems are compromised, not the banks or the cloud services. Ultimately, financial fraud occurs.”

Last month, Microsoft was able to disrupt command and control servers used by Zeus, but warnings were made that the threat had not gone altogether.

There were also suggestions this week that the creator of the SpyEye Trojan had died recently; a tweet by internet security research firm Team Cymru said the co-author of the malware ‘Krabz' had died of an overdose three weeks ago. It was rumoured that Zeus and SpyEye had merged in 2010.

Share this article: