
New Zeus variant targets billing services providers

The infamous Zeus banking trojan has been reconfigured, and its new scheme targets users of cloud-based billing companies, instead of banks.

Researchers at security firm Trusteer have discovered a new variant of the data-stealing malware, according to a blog post on Tuesday. Criminals typically use Zeus to lift banking credentials, which they then use to access corporate accounts and wire themselves money. The new configuration, however, is affecting customers of cloud billing services providers like Ceridian, a Canadian human resources and payroll solutions provider.

“What we see here is its attempt to go into different fields,” Yishay Yovel, vice president of marketing at Trusteer, told SCMagazine.com on Wednesday.

Once a user's machine is infected, the malware is able to take a screenshot of the Ceridian payroll services web page, said Amit Klein, CTO at Trusteer.

“This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system,” he wrote.

By setting their sights on business payroll systems, miscreants are able to funnel larger amounts of money than if they targeted bank accounts. With the valid credentials to access an organization's payroll system, the crooks can add fake employees and designate them to receive cash.

As enterprises are trending toward the cloud for their services, cyber criminals are continuously crafting new ways to siphon money, Yovel said.

He added that blame should not be put on the service providers.

“The user systems are compromised, not the banks or the cloud services,” he said. “Ultimately, financial fraud occurs.”

And despite Microsoft recently announcing a major takedown effort against Zeus' command-and-control structure, the malware appears to be living on.
