Payroll services firm PayChoice breached

Hackers recently launched a sophisticated scam in which they breached a payroll services vendor and used the information obtained to craft targeted messages aimed at getting customers to download an information-stealing trojan.

PayChoice, which provides payroll services and technology to 125,000 small and mid-market U.S. companies, discovered on Wednesday that its online system had been breached, Robert Digby, CEO of PayChoice, said in an email statement sent to on Thursday.

“We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve,” Digby said in the statement. “We immediately shut down the online system and instituted fresh security measures to protect client information before starting it up again.”

Digby added that the company is working with two outside forensic experts and federal law enforcement to investigate the intrusion and determine the scope of the breach. 

Hackers were able to obtain email addresses of PayChoice customers, along with login IDs and passwords to PayChoice's Online Employer portal, according to the Washington Post, which first reported the breach. Attackers used the information they obtained to send targeted messages seemingly coming from the payroll services vendor, notifying users that they must download a web browser plug-in to access the Online Employer portal.

Adding legitimacy to the attack, the fraudulent messages contained the user's name, PayChoice Online Employer user ID, and part of his or her password.

The messages contained a link to a malicious site that, if visited, attempted to exploit vulnerabilities in Internet Explorer, Adobe Flash and Reader in order to download a trojan called TrojanDownloader:Win32/Bredolab.X, according to the Washington Post, citing emails PayChoice sent to affected customers in response to the breach.

Chris Wysopal, CTO of application security vendor Veracode, told on Thursday that the goal of the attack was to infect small business end-users with the trojan, then obtain the company's online banking credentials.

“The trojan allowed them to record any usernames and passwords on that [compromised] system,” Wysopal said.

PayChoice's customers were a fertile attack base because employees who log into their company's online payroll services account also likely log into the business's online banking account, Wysopal said.

“If they are successful in only a few cases this could be quite lucrative to them,” he said.
