New variant of Zeus targets logins for cloud-based systems

A new variation of the Zeus banking Trojan has been detected, targeting users of cloud-based billing companies.

Researchers at Trusteer said that the recent variant of the information-stealing malware affects customers of cloud billing service providers inclusive of Ceridian, a Canadian human resources and payroll firm.

Trusteer's Amit Klein said: “These attacks are designed to route funds to criminals, and bypass industrial-strength security controls maintained by larger businesses. Within the attack on Ceridian, Zeus captures a screenshot of a Ceridian payroll services web site when a company user (whose machine is infected with the Trojan) visits this website. This permits Zeus to steal the user ID, password, company number and the icon selected by the user for the picture-based authentication system.”

It claimed that this sort of attack saw the Metropolitan Entertainment & Convention Authority lose $217,000 last year after an employee was targeted by a phishing email and infected with malware that stole access credentials to the organisation's payroll system.

Trusteer said this may become more prevalent because targeting enterprise payroll systems allows an attacker to realize more cash than from someone; this will also not raise many red flags as valid login credentials are used and, by targeting a cloud organisation, the enterprise customers who use the service don't have any control over the vendor's IT systems and thus little ability to guard their backend financial assets.

It also said that cloud services could be accessed using unmanaged devices which are typically less secure and more prone to infection by financial malware, such us Zeus.

Yishay Yovel, vice-president of selling at Trusteer, told SC Magazine US that it's an try and go into different fields as enterprises are trending toward the cloud for his or her services.

However, he said that blame shouldn't be wear the service providers: “The user systems are compromised, not the banks or the cloud services. Ultimately, financial fraud occurs.”

Last month, Microsoft was ready to disrupt command and control servers utilized by Zeus, but warnings were made that the threat had not gone altogether.

There were also suggestions this week that the creator of the SpyEye Trojan had died recently; a tweet by internet security research firm Team Cymru said the co-author of the malware ‘Krabz' had died of an overdose three weeks ago. It was rumoured that Zeus and SpyEye had merged in 2010.