Second attack against PayChoice unfolds

Oct 19, 2009 14:07 GMT

The online system of a large U.S. payroll processing company was attacked by hackers for the second time in a few weeks. Stolen credentials were used to create fake employees for companies in an attempt to siphon funds out of their accounts.

Onlineemployer.com, an online system belonging to PayChoice, one of the largest payroll processors in the U.S., was taken offline due to a security breach last Thursday. The attack occurred on October 14 and was the second of its kind in less than a month.

At the end of September, we reported that PayChoice was hit by cybercriminals who managed to steal customer names, email addresses, login IDs and partial passwords. The company announced that computer forensic experts were called in to investigate the incident.

Subsequently, some of the 125,000 organizations and business partners that use the company's online system to process payrolls have reportedly received phishing emails. The messages advertised a link allegedly pointing to a PayChoice-sanctioned browser toolbar.

The Web page actually contained an exploit cocktail that attempted to infect computers with an information-stealing trojan. In order to make the scheme more credible, the attackers incorporated the stolen account information into the phishing emails.

It seems that last week's new attack made use of compromised accounts. "After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," an e-mail sent by the company to its customers on Thursday reads.

The online system has since been re-opened, but the "password reset" function has been temporarily disabled. Apparently, a vulnerability was identified in this component, which represented a "key mechanism" in the latest attack. "PayChoice reopened the site with limited functions as it continues to tighten the security based on forensic findings from Wednesday's attack," Robert Digby, PayChoice's chief executive officer, told Security Fix.