New Zeus variant targets billing services providers

The infamous Zeus banking trojan has been reconfigured, and its new scheme targets users of cloud-based billing companies, instead of banks.

According to a blog post on Tuesday, researchers at security firm Trusteer have discovered a new variant of the data-stealing malware, which criminals typically use to lift banking credentials, access corporate accounts and wire themselves money. The new configuration, however, is affecting customers of cloud billing services providers like Ceridian, a Canadian human resources and payroll solutions provider.

“What we see here is its attempt to go into different fields,” Yishay Yovel, vice president of marketing at Trusteer, told SCMagazine.com on Wednesday.

Once a user's machine is infected, the malware is able to take a screenshot of the Ceridian payroll services web page, said Amit Klein, CTO at Trusteer.

“This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system,” he wrote.

By setting their sights on business payroll systems, miscreants are able to funnel larger amounts of money than if they targeted bank accounts. With the valid credentials to access an organization's payroll system, the crooks can add fake employees and designate them to receive cash.

As enterprises are trending toward the cloud for their services, cyber criminals are continuously crafting new ways to siphon money, Yovel said.

He added that blame should not be put on the service providers.

“The user systems are compromised, not the banks or the cloud services,” he said. “Ultimately, financial fraud occurs.”

And despite Microsoft recently announcing a major takedown effort against Zeus' command-and-control structure, the malware appears to be living on.
