"In this attack, Zeus captures a screenshot of a Ceridian payroll services web page ... when a corporate user whose machine is infected with the Trojan visits this website," Trusteer's Amit Klein explained in a blog post."This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system."
"In general, the authentication protection measures used by payroll services lag a few years behind those used by online banking websites, Klein said via email," writes Computerworld's Lucian Constantin. "Also, because payroll services can be accessed from anywhere, it's not always necessary for attackers to break into a corporate network to perform fraud, he said. The authentication credentials can be stolen and abused through a laptop that's regularly removed from the enterprise premises."
"Over the past decade, crimeware kits such as Zeus, SpyEye, and Eleonore have offered countless updates that expand the types of online services targeted by the malware," writes Ars Technica's Dan Goodin. "Botnet operators have long used their wares to infiltrate payroll departments of small- and medium-sized businesses. The Zeus malware's ability to attack Ceridian is part of the regular update cycle in the malware black market."