For the last week or so, I've been working on a security incident involving the online web portal of Paychoice, a very large payroll software and service provider in the United States. They provide payroll for many companies directly, plus their software licensees are service bureaus that do the same thing. It's a large operation.
A week ago, users of this web portal (service bureau users and employer/customer users) received fake emails purporting to be from the Online Employer web-based service, inviting them to download a "required update" in order to use the online portal. It was badware, of course, and to make the emails more believable, each one contained the recipient's username and partial password. This looked really scary.
I got involved when a customer casually mentioned these difficulties, and I spent quite a few days digging in from several angles. This was an independent effort; to date I've had zero contact from the Paychoice people.
First, BIG kudos to the great folks at Yahoo! Security (hi Mark!) who managed to shut down the malware-serving sites within an hour of being reported. The Y! Paranoids rock, and all of my customers are grateful for your fast service to protect users.
Also, serious thanks to my Microsoft Security MVP colleagues, who provided invaluable guidance while handling this incident. They thought of things I'd not have.
Surprisingly, in the end I concluded that this was probably much less serious than we first thought: if the bad guy had had real-deal payroll data, it wouldn't have been necessary to go on this well-orchestrated phishing expedition, so I came to the conclusion that the bad guy had only the usernames and partial passwords.
It's still a big deal, of course, and I don't doubt that Paychoice is pressing numerous resources (both with security experts and with law enforcement) to get to the bottom of this. As they should. Godspeed, folks: I know it's been a sucky week for you.
I'll also note that Paychoice kept in more or less regular contact with its licensees: updates daily with what's going on (though never enough information for licensees).
Brian Krebs reported this story in his Security Fix column in the Washington Post.