New Zeus variant targets billing services providers

Share this article:

The infamous Zeus banking trojan has been reconfigured, and its new scheme targets users of cloud-based billing companies, instead of banks.

Researchers at security firm Trusteer have discovered a new variant of the data-stealing malware, which typically is used by criminals to lift banking credentials that they use to access corporate accounts and wire themselves money, according to a blog post on Tuesday. The new configuration, however, is affecting customers of cloud billing services providers like Ceridian, a Canadian human resources and payroll solutions provider.

“What we see here is its attempt to go into different fields,” Yishay Yovel, vice president of marketing at Trusteer, told SCMagazine.com on Wednesday.

Once a user's machine is infected, the malware is able to take a screenshot of the Ceridian payroll services web page, said Amit Klein, CTO at Trusteer.

“This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system,” he wrote.

By setting their sights on business payroll systems, miscreants are able to funnel larger amounts of money than if they targeted bank accounts. With the valid credentials to access an organization's payroll system, the crooks can add fake employees and designate them to receive cash.

As enterprises are trending toward the cloud for their services, cyber criminals are continuously crafting new ways to siphon money, Yovel said.

He added that blame should not be put on the service providers.

“The user systems are compromised, not the banks or the cloud services,” he said. “Ultimately, financial fraud occurs.”

And despite Microsoft recently announcing a major takedown effort against Zeus' command-and-control structure, the malware appears to be living on.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.