In a somewhat unusual data breach, hackers recently stole the login credentials of an unknown number of customers of payroll processing company PayChoice Inc., and then attempted to use the data to steal additional information directly from the customers themselves.
The breach, first reported by the Washington Post this week, took place on Sept. 23 and involved PayChoice’s onlineemployer.com portal site. Hackers broke into the site and managed to access the real legal name, username and the partially masked passwords used by customers to log into the site.
They then used the information to send very realistic looking phishing e-mails to PayChoice’s customers directing them to download a Web browser plug-in to be able to continue using the onlineemployer.com service. Each of the messages addressed people by their real names and contained their real username and passwords (partially masked), which had been harvested earlier from PayChoice.
Users who clicked on the link to download the plug-in instead got infected with a username and password stealing Trojan.
It is not immediately clear how many customers might have actually clicked on the malicious link.
PayChoice, based in Moorestown, N.J, proivides payroll processing services and technology. The company bills itself as the “national leader” in the payroll services and software industry and claims over 125,000 business customers.
In an e-mail statement to Computerworld, PayChoice said today it discovered the security breach in its online system last Wednesday.
“We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve,” CEO Robert Digby said in the statement. Once the company discovered the breach, it immediately shut down the online system and instituted “fresh measures” to protect client information, the statement said.
The company has also engaged two outside forensic experts to help figure out the full scope of the intrusion. “PayChoice is determined to find the cause and extent of the breach and to take further measures to prevent a future occurrence,” Digby said.
Steve Friedl, an independent security consultant, said he first heard of the breach last Thursday when a PayChoice customer informed him. At this point, it is not clear what other information the hackers might have gotten access to, said Friedl who consults for a rival payroll services firm.
But it appears very likely that the only data the hackers accessed was the information they included in the fake e-mails that PayChoice’s customers received, said Friedl, who wrote about the incident in his blog.
If hackers had in fact accessed on more data, it is highly unlikely that they would have resorted to sending out those additional e-mails to PayChoice’s customers, and thereby running the risk of being exposed, he said.
Friedl said the links in the phishing e-mails were to Websites hosted at Yahoo. The malware itself was a password-stealing Trojan that was designed to send the stolen information to a Web server in Sweden.
The relatively poor English in the e-mails appear to indicate that those behind the attack were from outside the country, he said.
Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security numbers to steal.
“The market is saturated with [stolen] credit card data,” Wysopal said. A credit card record that was worth $10 in the underground in 2007 today can be had for about 50 cents, he said.
As a result cybercrooks looking to monetize what they are doing are moving up to higher value attacks where possible, he said.
In this case, the hackers appear to have been trying to install keystroke loggers to get information that would have allowed then to access online banking accounts of PayChoice’s customers, he said. “That is where they would have got tens of thousands of dollars,” had they been able to pull it off.
An online payroll service company such as PayChoice presents a “huge attack surface” to those looking for ways to compromise it, Wysopal said. “An application like that, which is exposed to the Internet, is susceptible to SQL injection, cross-site scripting,” and numerous other Web application attacks, he said.
