Softpedia
 


October 2nd, 2009, 12:42 GMT · By

Major Payroll Processing Provider Breached

The breach of an online payroll processing system belonging to a large provider called PayChoice surfaced after its customers started receiving targeted malware distribution emails. The attackers are looking to infect the company's clients with an information-stealing trojan, having succeeded in retrieving only incomplete passwords from the database.

The Washington Post reports that PayChoice, a payroll processing provider based in Moorestown, New Jersey, has suffered a security breach on its online system called “Online Employer.” The total number of organizations using PayChoice's services, either directly or through its partners, is around 125,000.

After discovering the breach on September 23, the company immediately shut down the onlineemployer.com website. The extent of the breach is yet to be determined, as contracted computer forensics experts are still analyzing the affected servers. Law enforcement agencies have also been notified and have launched an investigation into the incident.

What's certain at the moment is that the attackers walked off with at least customer names, email addresses, login IDs and incomplete passwords. These pieces of information were later used to launch highly targeted attacks against the company's clients.

The rogue emails, which multiple customers reported receiving, claim that in order to access the onlineemployer.com website without problems, a special browser plug-in needs to be downloaded and installed. To look credible, the messages referred to customers by name and included their login ID, as well as a part of their password. This trick also exploited the fact that the website was indeed offline and users could not access it.

The emails provided a direct link to malware installers or to fake websites trying to exploit vulnerabilities in popular software. The exploit cocktail targeted holes in older versions of Internet Explorer, Adobe Reader or Flash Player.

The malware dropped on the computers is a trojan downloader called Bredolab, whose purpose is to download and install even more malicious software. It was used in the past to infect computers with rogue antivirus programs, but security experts claim that in this attack, it was probably used to deliver a version of the Zeus banking trojan, which has targeted many companies and institutions lately.
