By ZeuS, the cloud is a Trojan target


Just the other day I was pondering the inappropriate use of the word 'security' when talking about the cloud, and concluded that without some degree of granular definition the term becomes redundant at best and misleading at worst. If you want specifics though, by ZeuS it looks like I may have got some.

If you are into mythology then no doubt to you Zeus is the Greek God of the sky and ruler of the Olympian Gods. If you are into IT security, however, ZeuS is the banking malware application of the moment and has been for a couple of years now. So what has some old hat Trojan got to do with the brave new world of cloud applications? Simples: a new Zeus-based threat is specifically targeting payroll service providers based in the cloud. This represents something of a sea change as far as the ZeuS-equipped bad guys are concerned.

Up until now, the cybercrims have taken the relatively easy and lazy methodology to amass Zeus-inspired riches by aiming the various variants squarely at the end user: man-in-the-middle and form grabbing attacks on bank customers have proven to be quite profitable indeed, thank you very much. All that has changed with the arrival of this new variant though, moving away from users to providers and looking to the smaller cloud services as the easiest route to get there.

Researchers at the transaction security specialist Trusteer have uncovered a ZeuS variant that has been targeting a payroll service provider called Ceridian Canada, using infected PCs to capture screenshots of payroll web pages and scrape the sensitive user ID, password, authentication image and company data from them. This data can then be used to defraud corporate bank accounts by adding false employee details to the payroll and watching as the money is paid out to those fake staff accounts.

It's not really surprising that the gangs behind the ZeuS attacks have started to transition from end user to enterprise payroll provider in this way. After all, they are motivated by greed, and there is much more money to be made by infiltrating the corporate payroll platform than by nibbling away at meagre consumer bank account balances.

In fact, it's something of a win-win for the criminals, as this kind of payroll data manipulation can result in successful fraudulent transactions happening and money being siphoned off to their mules long before any hint of impropriety can be noticed.
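The fraud described above succeeds because bogus employees and mule bank accounts slip into a pay run unnoticed. As an added illustration (not code from Trusteer, Ceridian or the original article), here is a heuristic pre-run review check over a constructed set of payroll records; the field names, the pay-run date and the seven-day window are assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not real payroll data): one entry per employee
# as the payroll platform would show it just before the run is released.
PAY_RUN = date(2019, 3, 29)
PAYROLL = [
    {"id": "E100", "added": date(2018, 1, 10), "account": "11-22-33/1001", "account_changed": date(2018, 1, 10)},
    {"id": "E101", "added": date(2018, 5, 3), "account": "11-22-33/2002", "account_changed": date(2019, 3, 27)},
    {"id": "E102", "added": date(2019, 3, 25), "account": "99-00-11/7777", "account_changed": date(2019, 3, 25)},
    {"id": "E103", "added": date(2019, 3, 26), "account": "99-00-11/7777", "account_changed": date(2019, 3, 26)},
]


def flag_payroll_changes(records, pay_run, window_days=7):
    """Return {employee_id: [reasons]} for entries a reviewer should confirm
    out-of-band (e.g. by phone to HR) before the run is released.

    The three checks are assumed heuristics for this example: an employee
    created shortly before the run, a bank account changed shortly before
    the run, and a bank account shared by more than one employee.
    """
    flags = defaultdict(list)
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r["id"])
        age = (pay_run - r["added"]).days
        if 0 <= age < window_days:
            flags[r["id"]].append(f"employee added {age} day(s) before pay run")
        changed = (pay_run - r["account_changed"]).days
        if r["account_changed"] != r["added"] and 0 <= changed < window_days:
            flags[r["id"]].append(f"bank account changed {changed} day(s) before pay run")
    for account, ids in by_account.items():
        if len(ids) > 1:
            for emp in ids:
                flags[emp].append(f"bank account shared with {len(ids) - 1} other employee(s)")
    return dict(flags)


if __name__ == "__main__":
    for emp, reasons in flag_payroll_changes(PAYROLL, PAY_RUN).items():
        print(emp, "->", "; ".join(reasons))
```

Such a check belongs with the payroll customer as well as the provider, since the article's point is that the customer cannot see the vendor's systems but can still see its own pay-run output.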

So why the cloud? Well, that's the simplest of all to answer: larger enterprises, especially in the financial services sector, are protected by some pretty heavyweight security tech these days. By looking at the smaller end of the cloud provision spectrum, the criminals are sadly much more likely to find an easy way in. "In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor's IT systems," warns Trusteer CTO Amit Klein, "and thus little ability to protect their back end financial assets." Throw in the use of unmanaged devices, easily infected by ZeuS, to access these cloud services, and it's a real recipe for disaster.

Getting back to where this all started, though, which was being careful about how you define security in the cloud, I do have to question whether this is really a cloud-security issue or just a general data security one.

Think about it logically: the cloud provider is at the end of the food chain here, and the end user device is at the start. If that end user device were not infected by a ZeuS Trojan in the first place then the cloud-based compromise could never have taken place. It's all about a layered approach to security, to getting the basics right and concentrating more on protecting your data than piddling around with platform politics.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.