As regulators push banks to adopt stronger measures to prevent fraudsters from breaching their customers’ online bank accounts, there are indications that designers of malware have turned their sights to softer targets, such as corporate payroll systems.

“They’re finding the weaker links,” says Avivah Litan, an analyst at Gartner. “Banks are spending a lot of money on preventive measures, and regulators have forced them to institute improvements. That’s not true for payroll providers.”

Trusteer, a provider of software protecting browsers from malware, reported last week that it had discovered a configuration of Zeus—one of the more ubiquitous strains of malware—that was designed to capture a screenshot of a payroll services page from Ceridian Corp., which provides human resources services to companies. Minneapolis-based Ceridian released a statement saying that no breach had occurred.

Yishay Yovel, vice president of marketing at Boston-based Trusteer, notes that Zeus is configured in a number of different ways to enable it to breach different systems and instruct them on how to perpetrate the fraud. Trusteer’s investigative unit found a configuration designed specifically to capture a screenshot of the Web page Ceridian’s clients would use to access its payroll service.

A Ceridian spokesperson says the company has limited opportunity to directly affect its customers’ computer systems, which are targeted by the malware. The company does, however, “offer security guidance in addition to application and infrastructure level controls,” the spokesperson says.

Fraudsters essentially take a shotgun approach, aiming to infect as many computers as possible in the hope one will be used by an key corporate executive such as a payroll administrator, allowing Zeus to steal his or her user ID, password, company number and the icon selected by the user for the image-based authentication system. The fraudsters can then open up fake accounts and have large sums transferred to them.

Last July, an employee with access to the online payroll accounts of the Metropolitan Entertainment & Convention Authority in Omaha, Neb., opened a malware-infected e-mail that stole the employee’s passwords and other key information and transferred $217,000 to “mule” accounts. The nonprofit had reportedly declined security measures offered by its bank, First National Bank of Omaha.

Litan says Zeus’s “man-in-the-browser” resides on an infected computer’s browser until the opportunity arises to record passwords and other key information. The malware, she adds, can already breach what are viewed as advanced encryption techniques, such as one-time passwords.

“Most [payroll companies] have security measures they think are strong, but Zeus figured out how to breach them long ago,” Litan says. “We’re starting to see early evidence of cloud service attacks, which I think are more common than disclosed.”

Trusteer notes several reasons why malware attacks against payroll and other cloud-service providers are likely to continue, including fraudsters’ ability to siphon larger sums of money than they would get from individual consumers, the traditional target for malware, and users’ ability to access cloud services from laptops, home PCs and other devices that are less likely to be secured.

This article was first posted on, a sister publication to Credit Union Times.