Hackers recently launched a sophisticated scam in which they breached a payroll services vendor and used the information obtained to craft targeted messages aimed at getting customers to download an information-stealing trojan.
PayChoice, which provides payroll services and technology to 125,000 small and mid-market U.S. companies, discovered on Wednesday that its online system had been breached, Robert Digby, CEO of PayChoice, said in an email statement sent to SCMagazineUS.com on Thursday.
“We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve,” Digby said in the statement. “We immediately shut down the online system and instituted fresh security measures to protect client information before starting it up again.”
Digby added that the company is working with two outside forensic experts and federal law enforcement to investigate the intrusion and determine the scope of the breach.
Hackers were able to obtain email addresses of PayChoice customers, along with login IDs and passwords to PayChoice’s Online Employer portal, according to the Washington Post, which first reported the breach. Attackers used the information they obtained to send targeted messages that appeared to come from the payroll services vendor, notifying users that they must download a web browser plug-in to access the Online Employer portal.
Adding legitimacy to the attack, the fraudulent messages contained the user’s name, PayChoice Online Employer user ID, and part of his or her password.
The messages contained a link to a malicious site that, if visited, attempted to exploit vulnerabilities in Internet Explorer, Adobe Flash and Adobe Reader in order to download a trojan called TrojanDownloader:Win32/Bredolab.X, according to the Washington Post, citing emails PayChoice sent to affected customers in response to the breach.
Chris Wysopal, CTO of application security vendor Veracode, told SCMagazineUS.com on Thursday that the goal of the attack was to infect small business end-users with the trojan, then obtain the company’s online banking credentials.
“The trojan allowed them to record any usernames and passwords on that [compromised] system,” Wysopal said.
PayChoice’s customers were a fertile attack base because employees who log into their company’s online payroll services account also likely log into the business’ online banking account, Wysopal said.
“If they are successful in only a few cases this could be quite lucrative to them,” he said.