Targeted e-mails distribute malware in PayChoice breach

E-mails included names and partial passwords and directed people to a Web site or download software that dumped a Trojan on their computers for stealing data and disabling security software.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Payroll processor PayChoice said Thursday it is investigating a breach in which customers received targeted e-mails purporting to be from the company but were designed to trick people into downloading malware.

Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash, and Adobe Reader, PayChoice said.

The e-mails were targeted to individuals and included their user names, login IDs, and partial passwords, thus increasing the chance that recipients would be likely to fall for the ruse.

In a statement, PayChoice did not say how many people received the e-mails but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, N.J., provides payroll software and services to 125,000 businesses.

"Within hours of the attack, the company notified its clients, shut down the site www.onlineemployer.com and deployed further security measures to protect client information before restoring access to the system," the company said in the statement. "PayChoice also immediately notified the authorities and is working with federal law enforcement to find those responsible."

The company confirmed a report on The Washington Post's Security Fix blog that the malware downloaded a Trojan horse dubbed "Bredolab," which tries to put additional malicious files on the system and to disable host-based intrusion prevention sytems, according to Microsoft's Malware Protection Center.

"PayChoice discovered a security breach in its online system on Wednesday, September 23, 2009," PayChoice Chief Executive Robert Digby said in an earlier statement. "We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve."

The company has hired two forensic experts to investigate the breach, Digby said.

The e-mail was sent through Yahoo's Web email service and the Web sites linked to in the emails were hosted on servers in Poland, according to an e-mail PayChoice sent to customers after the incident that was obtained by Security Fix.

The PayChoice portal displays this warning about the social engineering e-mail. OnlineEmployer.com