Hackers Breach Payroll Giant, Target Customers
Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.
Moorestown, N.J. based PayChoice, provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations.
Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.
Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in the body of the message. The missives also included reference to each recipient's onlineemployer.com user name and a portion of his or her password for the site.
In a statement e-mailed to Security Fix, PayChoice said the company discovered on Sept 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords.
"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," said PayChoice Chief Executive Robert Digby.
Several PayChoice customers who received the initial scam e-mails shared with Security Fix follow-up correspondence sent by Paychoice to its customers in the wake of the attack.
An Sept. 28 e-mail states: "Our analysis has indicated that the email addresses, Login ID and some valid partial passwords were included in the emails sent to some registered users."
According to the PayChoice e-mails to customers, the fraudulent missives were sent via the free Yahoo! Web mail service -- and directed recipients to either download a malicious file or visit one of several Web sites that were hosted on servers located in Poland. PayChoice told customers that the malware sites linked to in the messages tried to exploit several Web browser security flaws that would enable them to install malicious software, including vulnerabilities in Microsoft's Internet Explorer Web browser and security holes in Adobe Flash and Adobe Reader software applications.
If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC.
According to Steve Friedl, a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today: As of last Thursday afternoon, more than a day after the attack began, Friedl said, the malware was detected by just five of the 41 commerical and retail anti-virus scanners in use at virustotal.com (full disclosure: Friedl also consults for a competitor of PayChoice, called Evolution Payroll).
Mike LaPilla, manager of malicious code operations for iDefense, a security firm owned by Mountain View, Calif.-based Verisign Inc., said attacks like the one against PayChoice's customers typically are designed to steal the online banking credentials for individuals that manage corporate payroll accounts.
"In these kinds of attacks, there's a high probability that the fake e-mails will go to someone who has access to their employer's commercial bank account online," LaPilla said.
It appears the entire episode was another attempt to spread the infamous "Zeus" Trojan, also known as "Zbot," said Tripp Cox, vice president of engineering at Damballa, an Atlanta based computer security firm.
Cox was not just speaking academically. Several Damballa employees received the malicious e-mails spoofing PayChoice.
Cox said that's because Damballa previously handled its payroll through a company called ChoicePayroll, which in turn licensed the services of PayChoice.
"What I'd like to know is what other information were the attackers able to get after they broke into PayChoice?" Cox said. "For all I know, [the thieves] got my Social Security number and bank account information also."
PayChoice's Digby said the company was still investigating the extent of the breach, noting that PayChoice has hired two outside computer forensic experts, and that it is actively working with federal law enforcement investigators.
September 30, 2009; 9:40 PM ET
Categories: Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0 | Tags: onlineemployer.com, paychoice, zbot, zeus
Save & Share: Previous: Stress Testing Microsoft's Free Anti-virus Offering
Next: DHS Seeking 1,000 Cyber Security Experts
Posted by: bcastner | September 30, 2009 11:18 PM | Report abuse
Posted by: firstname.lastname@example.org | October 1, 2009 2:06 AM | Report abuse
Posted by: BTKrebs | October 1, 2009 7:57 AM | Report abuse
Posted by: DupontJay | October 1, 2009 8:05 AM | Report abuse
Posted by: CMistretta | October 1, 2009 9:42 AM | Report abuse
Posted by: jimjohnd | October 1, 2009 10:17 AM | Report abuse
Posted by: email@example.com | October 1, 2009 10:49 AM | Report abuse
Posted by: KeithBee | October 1, 2009 12:35 PM | Report abuse
Posted by: wiredog | October 1, 2009 1:56 PM | Report abuse
Posted by: mark51 | October 1, 2009 3:06 PM | Report abuse
Posted by: Dermitt | October 1, 2009 4:44 PM | Report abuse
Posted by: craigslsst | October 1, 2009 9:44 PM | Report abuse
Posted by: JBV1 | October 1, 2009 11:37 PM | Report abuse
Posted by: mibrooks27 | October 2, 2009 12:01 AM | Report abuse
Posted by: nebnos | October 2, 2009 9:44 AM | Report abuse
Posted by: bbohanna | October 2, 2009 10:27 AM | Report abuse
Posted by: bbohanna | October 2, 2009 10:30 AM | Report abuse
Posted by: BTKrebs | October 2, 2009 10:40 AM | Report abuse
The comments to this entry are closed.