Hackers Breach Payroll!!!

October 2009

Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm’s customers in a scheme to steal passwords and other information. Morrestown, New Jersey-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice’s online payroll service. The supposed plug-in was instead malicious software designed to steal the victim’s user names and passwords. In a statement e-mailed to Security Fix, PayChoice said the company discovered on September 23 that its online systems had been breached. The company said it immediately shut down the onlineemployer.com site and instituted fresh security measures to protect client information, such as requiring users to change their passwords. If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC. According to a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today. A PayChoice spokesperson said the company was still investigating the extent of the breach, noting that PayChoice has hired two outside computer forensic experts, and that it is actively working with federal law enforcement investigators.