New ZeuS-based Trojan leeches cash from cloud-based payrolls
Adds phishing mules to employee roster
Cybercrooks have forged a ZeuS-based Trojan that targets cloud-based payroll service providers.
ZeuS, a favourite tool for financially motivated cybercrooks, has provided a straightforward way to harvest online banking credentials for years. A new attack, detected by transaction security firm Trusteer, shows that crooks are going up the food chain.
Trusteer researchers have captured a ZeuS configuration that targets Ceridian, a Canadian human resources and payroll services provider. The ZeuS-based Trojan works by capturing a screenshot of the payroll services web page when a malware-infected PC is used to visit the site. This information is uploaded, allowing crooks to obtain the user ID, password, company number and the icon selected by the user for the image-based authentication system – enough information to siphon funds from compromised accounts into those controlled by money mules, as explained in a blog post here.
Trusteer reckons crooks are targeting the small cloud service provider in order to get around the tougher problem of how to bypass industrial strength security controls that are typically maintained by larger businesses. Cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by ZeuS-style financial malware.
The financial losses associated with this type of attack are potentially huge. For example, last August cyberthieves reportedly stole $217,000 from the Metropolitan Entertainment & Convention Authority (MECA) after compromising its payroll system and adding money mules as employees. A MECA worker reportedly fell for a phishing email that allowed crooks to steal access credentials to the organisation's payroll system.
Hitting payroll providers is certainly far more lucrative than targeting individual consumers, according to Trusteer, which predicts a growth in this type of attack as a result. ®
...when I saw the title of this little article, I said to myself "I bet it's bloody Trusteer trying to push more of their unnecessary shiteware again".
Hey, guess what? I was right. Any ZeuS/bank phishing scare story always seems to come straight from the Trusteer PR desk.
Sorry guys, but I decide what AV, firewall, IDS and other security software I use. And you're not it, even though you're trying to get most of my current banks to push your crap in my direction at every available opportunity.
In spite of their name, I just don't trust those jokers at all. If they spent more of their time and effort actually developing a decent product that competes in the open market, rather than sucking up to the banks to persuade them to foist this crap onto us and then dropping a monthly/bi-monthly ZeuS scare story out of their corporate-wannabe PR-sehole, maybe I'd think differently. But until then, I wish they'd just bugger off.
"siphon funds from compromised accounts"
The whole concept of delegating total control of your accounts to some trusted provider - and then expecting this process to somehow not be a huge, vulnerable target for crooks that are much cleverer than your beancounters - seems a bit touched in the head to me. The least you could do is reconcile the payroll transaction batch against your *internal* employee records at the end of the month, for such a sensitive process. Humans, browsers and websites are the diabolical trinity for secure processes.
It would help if the people handling the payroll
weren't prone to click on the malware links. Frankly I'm not convinced ANY hardware can prevent compromise when the wetware doesn't take appropriate precautions to protect the cash flow.