New Zeus variant targets billing services providers

Share this article:

The infamous Zeus banking trojan has been reconfigured, and its new scheme targets users of cloud-based billing companies, instead of banks.

Researchers at security firm Trusteer have discovered a new variant of the data-stealing malware, which typically is used by criminals to lift banking credentials that they use to access corporate accounts and wire themselves money, according to a blog post on Tuesday. The new configuration, however, is affecting customers of cloud billing services providers like Ceridian, a Canadian human resources and payroll solutions provider.

“What we see here is its attempt to go into different fields,” Yishay Yovel, vice president of marketing at Trusteer, told SCMagazine.com on Wednesday.

Once a user's machine is infected, the malware is able to take a screenshot of the Ceridian payroll services web page, said Amit Klein, CTO at Trusteer.

“This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system,” he wrote.

By setting their sights on business payroll systems, miscreants are able to funnel larger amounts of money than if they targeted bank accounts. With the valid credentials to access an organization's payroll system, the crooks can add fake employees and designate them to receive cash.

As enterprises are trending toward the cloud for their services, cyber criminals are continuously crafting new ways to siphon money, Yovel said.

He added that blame should not be put on the service providers.

“The user systems are compromised, not the banks or the cloud services,” he said. “Ultimately, financial fraud occurs.”

And despite Microsoft recently announcing a major takedown effort against Zeus' command-and-control structure, the malware appears to be living on.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.