As regulators push banks to adopt stronger measures to preventfraudsters from breaching their customers' online bank accounts,there are indications that designers of malware have turned theirsights to softer targets, such as corporate payroll systems.

“They're finding the weaker links,” says Avivah Litan, ananalyst at Gartner. “Banks are spending a lot of money onpreventive measures, and regulators have forced them to instituteimprovements. That's not true for payroll providers.”

Trusteer, a provider of software protecting browsers frommalware, reported last week that it had discovered a configurationof Zeus—one of the more ubiquitous strains of malware—that wasdesigned to capture a screenshot of a payroll services page fromCeridian Corp., which provides human resources services tocompanies. Minneapolis-based Ceridian released a statement sayingthat no breach had occurred.

Yishay Yovel, vice president of marketing at Boston-basedTrusteer, notes that Zeus is configured in a number of differentways to enable it to breach different systems and instruct them onhow to perpetrate the fraud. Trusteer's investigative unit found aconfiguration designed specifically to capture a screenshot of theWeb page Ceridian's clients would use to access its payrollservice.

A Ceridian spokesperson says the company has limited opportunityto directly affect its customers' computer systems, which aretargeted by the malware. The company does, however, “offer securityguidance in addition to application and infrastructure levelcontrols,” the spokesperson says.

Fraudsters essentially take a shotgun approach, aiming to infectas many computers as possible in the hope one will be used by ankey corporate executive such as a payroll administrator,allowing Zeus to steal his or her user ID, password, company numberand the icon selected by the user for the image-basedauthentication system. The fraudsters can then open up fakeaccounts and have large sums transferred to them.

Last July, an employee with access to the online payrollaccounts of the Metropolitan Entertainment & ConventionAuthority in Omaha, Neb., opened a malware-infected e-mail thatstole the employee's passwords and other key information andtransferred $217,000 to “mule” accounts. The nonprofit hadreportedly declined security measures offered by its bank, FirstNational Bank of Omaha.

Litan says Zeus's “man-in-the-browser” resides on an infectedcomputer's browser until the opportunity arises to record passwordsand other key information. The malware, she adds, can alreadybreach what are viewed as advanced encryption techniques, such asone-time passwords.

“Most [payroll companies] have security measures they think arestrong, but Zeus figured out how to breach them long ago,” Litansays. “We're starting to see early evidence of cloud serviceattacks, which I think are more common than disclosed.”

Trusteer notes several reasons why malware attacks againstpayroll and other cloud-service providers are likely to continue,including fraudsters' ability to siphon larger sums of money thanthey would get from individual consumers, the traditional targetfor malware, and users' ability to access cloud services fromlaptops, home PCs and other devices that are less likely to besecured.

This article was first posted on www.treasuryandrisk.com, asister publication to Credit Union Times.