There is a new Zeus Trojan variant that is targeting the Canadian human resources and payroll service provider, Ceridian.
The attack mixes malware infection with social engineering. Trusteer’s Amit Klein explains that Zeus takes a screenshot of Ceridian’s log-in, then, when a user with an infected machine attempts to log-in to the Ceridian website, Zeus steals that user’s ID, password, company identification number, and an icon used as part of a secondary, image-based authentication system.
These sorts of attacks can be quite lucrative, and going forward, Klein believes they will be increasingly commonplace. For one, there is a lot more money in targeting enterprise payroll systems than there is in targeting individuals. Secondly, because the criminals are working with legit login credentials, they can easily transfer money around without raising any red flags. Finally, Klein writes that cloud service providers are generally less secure because they can be remotely accessed by unmanaged devices, and because enterprise customers who use the service have no control over the vendor’s IT systems.
Particularly problematic is the unlikelihood that traditional anti-virus solutions will be able to prevent Zeus campaigns like this one.
“That’s because attacks like this one are surgical in nature and use targeted reconnaissance combined with signature detection evasion techniques to get a foothold inside corporate computers,” writes Klein.
The only real way to prevent this and other similar attacks, according to Trusteer, is to keep malware off enterprise machines in the first place, which is easier said than done.