October 1, 2009 3:54 PM PDT

Targeted e-mails distribute malware in PayChoice breach

by Elinor Mills

Payroll processor PayChoice said Thursday it is investigating a breach in which customers received targeted e-mails that purported to be from the company but were designed to trick recipients into downloading malware.

Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash, and Adobe Reader, PayChoice said.

The e-mails were targeted to individuals and included their user names, login IDs, and partial passwords, thus increasing the chance that recipients would fall for the ruse.

In a statement, PayChoice did not say how many people received the e-mails but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, N.J., provides payroll software and services to 125,000 businesses.

"Within hours of the attack, the company notified its clients, shut down the site www.onlineemployer.com and deployed further security measures to protect client information before restoring access to the system," the company said in the statement. "PayChoice also immediately notified the authorities and is working with federal law enforcement to find those responsible."

The company confirmed a report on The Washington Post's Security Fix blog that the malware downloaded a Trojan horse dubbed "Bredolab," which tries to put additional malicious files on the system and to disable host-based intrusion prevention systems, according to Microsoft's Malware Protection Center.

"PayChoice discovered a security breach in its online system on Wednesday, September 23, 2009," PayChoice Chief Executive Robert Digby said in an earlier statement. "We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve."

The company has hired two forensic experts to investigate the breach, Digby said.

The e-mail was sent through Yahoo's Web e-mail service, and the Web sites linked to in the e-mails were hosted on servers in Poland, according to an e-mail PayChoice sent to customers after the incident that was obtained by Security Fix.

The PayChoice portal displays this warning about the social engineering e-mail.

(Credit: OnlineEmployer.com)
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by sparrowhyperion October 1, 2009 4:44 PM PDT
I think the warning should have been a lot more serious. Just saying that there is no plugin at this time and to disregard the email is not going to get the point across. They should make a strong warning informing the users of the breach, the malware and the rest of it. Otherwise, the users may not understand what has happened, and may not take appropriate action to protect themselves.
by The_Computer_Man October 1, 2009 5:10 PM PDT
Agreed, a lot of people, IMHO, would not take that with the urgency that's required. Stating that the links in this email could compromise your account and install malicious software on your computer would seem to better convey the message.

Additionally, this article talks about the emails but what I'm more interested in is the breach. Maybe not much is known at this point, but how did the attacker(s) gain access to thousands of email/username/password records?
by 42istheanswer October 1, 2009 5:18 PM PDT
When are folks going to learn?!?
by winstein October 1, 2009 9:53 PM PDT
The problem is not about the users. The problem is that we don't have more secure ways to communicate and to conduct our everyday tasks. It is a shame that all of us have to be on high alert all the time, as we get hundreds if not thousands of e-mails every day. All it takes is one careless click, and that's it. Even the most experienced users have bad days.
by Marcus Westrup October 1, 2009 10:56 PM PDT
I don't think this story is over yet. PayPal does have good security - it is possible that these hackers have found a new angle on exploiting high value sites and PayPal was just the first.

As for the partial passwords found in these emails, I suspect log files were taken from the servers. Although user passwords are normally stored encrypted and protected, failed logon attempts from clients (perhaps with just one mistake) normally get logged along with the related user ID and IP address. It's uncommon for log files to be encrypted, so they make for an easy target.
by mbenedict October 2, 2009 3:05 AM PDT
It was PayChoice which was targeted, not PayPal.

Unlikely the partial passwords came from log files alone. Probably something like a SQL Injection attack on a PayChoice system which stored portal passwords in the clear.
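Marcus Westrup's point above about failed-logon records is worth seeing concretely from the defender's side. The following is an added example, not code from the article, from PayChoice or from any commenter; the user store, salt, source IP and log format are constructed for illustration. It contrasts a login handler that writes the submitted near-miss password into the log with one that records only the identity, source and outcome, and adds a log-hygiene check that flags lines carrying credential-looking fields.

```python
import hashlib
import hmac
import logging
import re
from io import StringIO

# Constructed credential store (illustrative only): username -> salted SHA-256.
_SALT = b"constructed-salt"
USERS = {"jdoe": hashlib.sha256(_SALT + b"correct-horse").hexdigest()}

def verify_password(user, password):
    """Constant-time comparison against the stored hash; unknown users fail."""
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), candidate)

def login_leaky(user, password, ip, log):
    """Failure mode: the near-miss password is written to the log as submitted,
    so a copied log file yields partial passwords for the listed users."""
    if verify_password(user, password):
        return True
    log.warning("failed login user=%s ip=%s password=%s", user, ip, password)
    return False

def login_hardened(user, password, ip, log):
    """Logs who, from where and the outcome; the attempted secret is never written."""
    ok = verify_password(user, password)
    if not ok:
        log.warning("failed login user=%s ip=%s", user, ip)
    return ok

# Log-hygiene check: any line carrying a credential-looking key=value field.
SECRET_FIELD = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret)=\S+")

def leaked_secret_lines(log_text):
    return [line for line in log_text.splitlines() if SECRET_FIELD.search(line)]

def demo(handler):
    """Runs one constructed near-miss attempt (a single dropped character) through
    a handler and returns the log lines that would expose credential material."""
    buf = StringIO()
    log = logging.getLogger(f"auth-{id(buf)}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.WARNING)
    log.addHandler(logging.StreamHandler(buf))  # default format is the bare message
    handler("jdoe", "correct-hors", "203.0.113.7", log)
    return leaked_secret_lines(buf.getvalue())
```

Running `leaked_secret_lines` over an existing auth log is a cheap way to find out whether a stolen copy would carry what the commenter describes.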
by SergeM256 October 2, 2009 8:50 AM PDT
Looks like an inside job, someone who works in IT and has access to data.
by weegg October 2, 2009 6:54 AM PDT
A whole lot of these issues can be eliminated with secureIDs. I have one for my job.

E*Trade uses it.

Hell, even Blizzard has it for their World Of Warcraft logins.
by FCRay October 2, 2009 11:01 AM PDT
My company was one of the ones affected. Our employees received the fraudulent emails, some of them before they got the email that just said it was sent "in error" and to ignore it. The "Making IT Work" blog has some additional information saying it was an inside job, but I don't know who the sources for the information were. He broke the story last week and it was the first information I found when our employees started calling asking about the emails. I feel they are trying to cover it up.
by setjeff15081947 October 2, 2009 5:10 PM PDT
Somebody better find the solution to this, or the World-Wide-Web will become the World-Wide-Waste-Land. The only users will be crooks trying to steal from each other.
This is a wonderful portal for exploring whatever turns you on, and I suspect the legitimate uses of The-Web are eclectic. But ... I believe everyone will flee if the "Bad-Guys" mount a successful takeover.
I hope someone out there has the solution, because I'm already restricting my visits to fewer sites; and, as I've read, even these may not be trustworthy.
Anybody ready to take another, harder, look at "The-Ant-Colony-Defense"? Or, would you "Experts" rather just ridicule it?