Network News

X My Profile
View More Activity

Hackers Breach Payroll Giant, Target Customers

Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.

Moorestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations.


Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.

Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in the body of the message. The missives also included reference to each recipient's user name and a portion of his or her password for the site.

In a statement e-mailed to Security Fix, PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the site and instituted fresh security measures to protect client information, such as requiring users to change their passwords.

"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," said PayChoice Chief Executive Robert Digby.

Several PayChoice customers who received the initial scam e-mails shared with Security Fix follow-up correspondence sent by Paychoice to its customers in the wake of the attack.

An Sept. 28 e-mail states: "Our analysis has indicated that the email addresses, Login ID and some valid partial passwords were included in the emails sent to some registered users."

According to the PayChoice e-mails to customers, the fraudulent missives were sent via the free Yahoo! Web mail service -- and directed recipients to either download a malicious file or visit one of several Web sites that were hosted on servers located in Poland. PayChoice told customers that the malware sites linked to in the messages tried to exploit several Web browser security flaws that would enable them to install malicious software, including vulnerabilities in Microsoft's Internet Explorer Web browser and security holes in Adobe Flash and Adobe Reader software applications.

If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC.

According to Steve Friedl, a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today: As of last Thursday afternoon, more than a day after the attack began, Friedl said, the malware was detected by just five of the 41 commerical and retail anti-virus scanners in use at (full disclosure: Friedl also consults for a competitor of PayChoice, called Evolution Payroll).

Mike LaPilla, manager of malicious code operations for iDefense, a security firm owned by Mountain View, Calif.-based Verisign Inc., said attacks like the one against PayChoice's customers typically are designed to steal the online banking credentials for individuals that manage corporate payroll accounts.

"In these kinds of attacks, there's a high probability that the fake e-mails will go to someone who has access to their employer's commercial bank account online," LaPilla said.

It appears the entire episode was another attempt to spread the infamous "Zeus" Trojan, also known as "Zbot," said Tripp Cox, vice president of engineering at Damballa, an Atlanta based computer security firm.

Cox was not just speaking academically. Several Damballa employees received the malicious e-mails spoofing PayChoice.

Cox said that's because Damballa previously handled its payroll through a company called ChoicePayroll, which in turn licensed the services of PayChoice.

"What I'd like to know is what other information were the attackers able to get after they broke into PayChoice?" Cox said. "For all I know, [the thieves] got my Social Security number and bank account information also."

PayChoice's Digby said the company was still investigating the extent of the breach, noting that PayChoice has hired two outside computer forensic experts, and that it is actively working with federal law enforcement investigators.

By Brian Krebs  |  September 30, 2009; 9:40 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0  | Tags:, paychoice, zbot, zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Stress Testing Microsoft's Free Anti-virus Offering
Next: DHS Seeking 1,000 Cyber Security Experts


Thanks to Steve Friedl for this heads-up notice.

PayChoice Chief Executive Robert Digby's comments are just amazing -- the company had been told days ahead of his comment of the phising and Zeus attack, all targeted based on obvious previous hacks that revealed detailed company information. Without any customer warning being issued.

At some poing CEOs have to just "get it", that security is a necessary fact of life.

Posted by: bcastner | September 30, 2009 11:18 PM | Report abuse

As of last Thursday afternoon, more than a day after the attack began, Friedl said, the malware was detected by just five of the 41 commerical and retail anti-virus scanners in use at

1. ???

2. ???

3. ???

4. ???

5. ???


Posted by: | October 1, 2009 2:06 AM | Report abuse

Bruce -- You're missing the point: You can't rely on AV to protect you from the latest threats, increasingly. Yes, it's a good line of defense, but it's only a single line of defense. It doesn't matter which five detected it b/c the next piece of malware will likely be detected by a different five.

Posted by: BTKrebs | October 1, 2009 7:57 AM | Report abuse

After decades or of this kind of network attack, you'd think that -- at a minimum -- it would have become a best commercial practice to prevent user-installation of software on financially sensitive computers. But I guess these attacks will need to become even more prevalent before companies wise up.

"Anti-virus" software is a paradigm whose time has long passed; the best, and most feasible solution these days is to not execute un-trusted software. And no amount of user education will prevent them from installing software; you must take away the user's ability to install software.

Posted by: DupontJay | October 1, 2009 8:05 AM | Report abuse

Security begins at home/office. If the user responds inappropriately to email, no matter how valid it appears, a breach is the consequence. A savvy user is the best anti virus software. Consequently the odds are against complete data safety. Large corporations are the most vulnerable since they can be unaware or distracted.

Posted by: CMistretta | October 1, 2009 9:42 AM | Report abuse

These people should be hunted down and eliminated. The 'risk/reward' balance needs to be changed. The only reason they do this is because they know they can get away with it. If our government is going to monitor all of our communications one wold hope they would put a stop to this. The authorities know where this information is going, TAKE OF IT!

Posted by: jimjohnd | October 1, 2009 10:17 AM | Report abuse


I am aware that AV is but a single line of defense, but Julio Canto with the above-referenced group,, that currently runs the 41 AV engines in snooping out submitted files, suggested that while they don't 'rate' AV programs, see:

I always wondered when I saw supposedly 'unbiased' reviews of these programs, if there was a neutral group doing evaluations.

You observation that there may be little consistency in finding the newer ones is noted.

Posted by: | October 1, 2009 10:49 AM | Report abuse

The best defense against this is an educated group of users. As the IT Director of my company, who uses this service and got hit with that attack, I was very proud of my users for remembering the first and second rules: Never click on a link in an email, and never install software from a link in an email! We got hit with multiple versions of this phishing attempt and I'm happy to say none of them worked.

Posted by: KeithBee | October 1, 2009 12:35 PM | Report abuse

"and a portion of his or her password "
How did they get the actual password? Does PayChoice actually store the actual password? I though best practice was to store a hash of the password. That's the way Linux and other Unixes do it.

Posted by: wiredog | October 1, 2009 1:56 PM | Report abuse

@wiredog: "How did they get the actual password? Does PayChoice actually store the actual password? "

Maybe the site was storing actual passwords, to their shame. Or maybe some users had insecure passwords and the hackers were able to look them up via rainbow files.

Posted by: mark51 | October 1, 2009 3:06 PM | Report abuse

I got 5 new passwords today. Each is on paper and worth $20.00. Before you can say groceries, gas and soap; paper or plastic I'll need 5 new passwords.

Posted by: Dermitt | October 1, 2009 4:44 PM | Report abuse

IDIOTS allow theselves to be hacked. SHORTsighted idiots who should be made PERSONALLY liable. IF they were personally liable BET they'd scramble their sorry butts to make 101% certain that NO hacker could prevail.

Posted by: craigslsst | October 1, 2009 9:44 PM | Report abuse

Recently, I've been getting emails from various companies, asking me to click on the "unsubscribe" link if I no longer want to get their emails. Some of them are from companies that I've never done business with. Is this phishing, or some other scam?

Posted by: JBV1 | October 1, 2009 11:37 PM | Report abuse

This is another example of mischief created by H1-B workers. The newest variant is the prg banking trojan. *ALL* versions have eventually been tracked by to gangs in Moscow (Russia) or Mumbai (India) who got their "training" in the U.S. as guest workers.

Posted by: mibrooks27 | October 2, 2009 12:01 AM | Report abuse

"Hackers Breach Payroll Giant, Target Customers" - the title sounds like the Target Corporation was hacked.

Posted by: nebnos | October 2, 2009 9:44 AM | Report abuse

Here's My problem with all this. Being one who had his information breeched, And not knowing "how much" information was stolen (if they got my password, they got everything people...) why hasn't Paychoice, BY LAW, offered indentity theft and credit protection to all those who were affected.

Posted by: bbohanna | October 2, 2009 10:27 AM | Report abuse

On another note, don't you think the phishing scam was nothing more then a lore for the officials. The Database that was stolen has probably been sold 20 times by now, and most good identity theft theives will sit on that information for up to a year before they use it..

Posted by: bbohanna | October 2, 2009 10:30 AM | Report abuse

@bbohana -- you said:

"why hasn't Paychoice, BY LAW, offered indentity theft and credit protection to all those who were affected."

which law are you referring to? i'm not aware of a state or federal law that requires companies that have a breach to offer credit monitoring services. many companies choose to do so as some token to express their regret or shame over the breach, and to keep affected customers from defecting to another competitor.

Posted by: BTKrebs | October 2, 2009 10:40 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company