Cybercrooks have forged a ZeuS-based Trojan that targets cloud-based payroll service providers. ZeuS, a favourite tool for financially motivated cybercrooks, has provided a straightforward way to harvest online banking credentials for years. A new attack, detected by transaction security firm Trusteer, shows that crooks are …
I assume it also uses a key logger as the password is not visible on the screen? The original article doesn't confirm that.
...when I saw the title of this little article, I said to myself "I bet it's bloody Trusteer trying to push more of their unnecessary shiteware again".
Hey, guess what? I was right. Any ZeuS/bank phishing scare story always seems to come straight from the Trusteer PR desk.
Sorry guys, but I decide what AV, firewall, IDS and other security software I use. And you're not it, even though you're trying to get most of my current banks to push your crap in my direction at every available opportunity.
In spite of their name, I just don't trust those jokers at all. If they spent more of their time and effort actually developing a decent product that competes in the open market, rather than sucking up to the banks to persuade them to foist this crap onto us and then dropping a monthly/bi-monthly ZeuS scare story out of their corporate-wannabe PR-sehole, maybe I'd think differently. But until then, I wish they'd just bugger off.
re: You know.....
One upvote from me on that. I wouldn't trust them any further than I can throw an elephant.
It would help if the people handling the payroll
weren't prone to click on the malware links. Frankly I'm not convinced ANY hardware can prevent compromise when the wetware doesn't take appropriate precautions to protect the cash flow.
"siphon funds from compromised accounts"
The whole concept of delegating total control of your accounts to some trusted provider - and then expecting this process to somehow not be a huge, vulnerable target for crooks that are much cleverer than your beancounters - seems a bit touched in the head to me. The least you could do is reconcile the payroll transaction batch against your *internal* employee records at the end of the month, for such a sensitive process. Humans, browsers and websites are the diabolical trinity for secure processes.
I would really, really like to know which companies have been affected by this issue - so as to make sure I never, ever work with them.
Putting payrolls on a cloud ? There isn't a company I know that would do that. Payroll is the one thing that is even more important and secured than even customer lists or industrial secrets. You never hear of anything coming out of a proper HR department, those people are tombs when it comes to communication.
So, payrolls in the cloud ? Come on, tell me who, I practically dare you to justify that statement.