Payroll processor PayChoice said Thursday it is investigating a breach in which customers received targeted e-mails purporting to be from the company but were designed to trick people into downloading malware.
Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash, and Adobe Reader, PayChoice said.
The e-mails were targeted to individuals and included their user names, login IDs, and partial passwords, thus increasing the chance that recipients would be likely to fall for the ruse.
In a statement, PayChoice did not say how many people received the e-mails but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, N.J., provides payroll software and services to 125,000 businesses.
"Within hours of the attack, the company notified its clients, shut down the site www.onlineemployer.com and deployed further security measures to protect client information before restoring access to the system," the company said in the statement. "PayChoice also immediately notified the authorities and is working with federal law enforcement to find those responsible."
The company confirmed a report on The Washington Post's Security Fix blog that the malware downloaded a Trojan horse dubbed "Bredolab," which tries to put additional malicious files on the system and to disable host-based intrusion prevention sytems, according to Microsoft's Malware Protection Center.
"PayChoice discovered a security breach in its online system on Wednesday, September 23, 2009," PayChoice Chief Executive Robert Digby said in an earlier statement. "We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve."
The company has hired two forensic experts to investigate the breach, Digby said.
The e-mail was sent through Yahoo's Web email service and the Web sites linked to in the emails were hosted on servers in Poland, according to an e-mail PayChoice sent to customers after the incident that was obtained by Security Fix.