Thursday, October 1, 2009
Hackers Breach Payroll Giant, Target Customers
Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations.
Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords.
Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in the body of the message. The missives also included each recipient's onlineemployer.com user name and a portion of his or her password for the site.
In a statement e-mailed to Security Fix, PayChoice said the company discovered on Sept. 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords.
"We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve," said PayChoice Chief Executive Robert Digby.
Several PayChoice customers who received the initial scam e-mails shared with Security Fix follow-up correspondence that PayChoice sent to its customers in the wake of the attack.
A Sept. 28 e-mail states: "Our analysis has indicated that the email addresses, Login ID and some valid partial passwords were included in the emails sent to some registered users."
According to the PayChoice e-mails to customers, the fraudulent messages were sent via the free Yahoo! Web mail service, and directed recipients either to download a malicious file or to visit one of several Web sites hosted on servers in Poland. PayChoice told customers that the malware sites linked to in the messages tried to exploit several Web browser security flaws in order to install malicious software, including vulnerabilities in Microsoft's Internet Explorer and security holes in Adobe's Flash and Reader applications.
If an exploit succeeded, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which, according to Microsoft, tries to download additional malicious files and to disable security software on the infected PC.
According to Steve Friedl, a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today. As of last Thursday afternoon, more than a day after the attack began, Friedl said, the malware was detected by just five of the 41 commercial and retail anti-virus scanners in use at virustotal.com. (Full disclosure: Friedl also consults for a PayChoice competitor, Evolution Payroll.)
Mike LaPilla, manager of malicious code operations for iDefense, a security firm owned by Mountain View, Calif.-based Verisign Inc., said attacks like the one against PayChoice's customers typically are designed to steal the online banking credentials of individuals who manage corporate payroll accounts.
"In these kinds of attacks, there's a high probability that the fake e-mails will go to someone who has access to their employer's commercial bank account online," LaPilla said.