For the last week, I've been working on this Paychoice data breach, and I'm getting a little concerned about how Payroll Associates, Inc. is handling it: they're giving terrible advice to their licensees (and by proxy, the customers/employees of their licensees).
The attack was a realistic email to customers of their Online Employer portal inviting them to download a required update, which was of course badware. It is a password-stealing Trojan, and it phones home the stolen booty to a mother ship located in (at least) Sweden, and reportedly another in Poland. I believe there were several variants.
The badware itself ("plugin_setup.exe") was hosted on servers at Yahoo!, but I was able to get them taken down on Thursday and Friday: I'm not sure why PAI or their security experts (reportedly SecureWorks) weren't able to do this themselves. The Yahoo! Security guys rock.
Opening the fraudulent emails after the Yahoo!-hosted sites were down means you couldn't download the badware — you're safe — but if you did install one of those updates, you are infected and phoning home passwords used in all of your online transactions.
I have been on multiple customer systems this week to clear up infections, and in every case, Symantec/Norton missed it, but the new Microsoft Security Essentials found and cleaned it. MSE had the definitions more than a week ago. Not bad for free, eh?
I've been told that PAI engaged Symantec (in an unknown capacity) to help them with the malware, but I find it hard to imagine how this could happen and still take a week to get their signatures updated, or why somebody (PAI or their security experts) didn't submit this malware to the other A/V vendors immediately. How is it that some random guy submitting it on the third day of the attack was the first time many of these A/V vendors had seen it?
In any case, I believe the advice is to run an antivirus scan and to remove the infection if found. "If you're clean, you're fine".
This is dangerous advice because it's just not true, for two reasons.
First, just this morning I was on a customer's system with the latest Norton definitions, and it didn't pick up the infection: only installing Microsoft Security Essentials found it and removed it.
But second, getting clean is not enough: from late last week until this morning, the trojan was phoning home passwords used in online transactions, and we have evidence that this is actively being exploited (he had accessed his eBay account from that system, and that account was compromised). The password-stealing is not limited to just OnlineEmployer: it's going for everything, and will continue to do so as long as the botnet C&C (command and control) mothership is up.
If you have been infected, you must change every password used online before the infection was removed. Period. If OnlineEmployer (or your payroll company) gave you new credentials earlier in the week, assume the bad guy has them: get a new password.
Curiously, one of the "malwares" was actually notepad.exe — harmless — and I suspect the bad guy used it for testing but forgot to put it back. If multiple independent up-to-date A/V scans report nothing, you probably are safe, though I do recommend running more than one to help keep you safe.
Repeat this process for any other online service: eBay, Paypal, Facebook, MySpace, your bank, DSLReports, whatever. If you used a password, change it.
Furthermore, for financial sites, research the login history to see if anybody came from an IP address you don't recognize. If the service doesn't give you a way to do this via the online tool, contact the provider and insist that they research this for all access since last Wednesday.
If the login history shows only access from your own sites, you're probably OK, but you still have to change your password (the bad guy knows it!). But if it shows access from other places, you have to assume that the bad guy rooted around your system and took all the information he could find. For a payroll portal, this would be an identity theft orgy, and evidence of an individual account compromise probably triggers legally-required notifications in many jurisdictions.
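A small checker for the login-history review described above, added here as an example and not part of the original post: it takes constructed login-history lines, keeps only logins since a cut-off date, flags source addresses outside networks the account owner recognizes (an assumed allowlist), and applies the rule above per service.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample login history (not from the post), one login per line:
# "timestamp,service,source_ip" in the account owner's local time.
SAMPLE_HISTORY = """\
2009-09-20 22:05:40,paypal,203.0.113.77
2009-09-21 08:02:11,ebay,192.168.1.20
2009-09-23 19:44:03,ebay,192.168.1.20
2009-09-24 03:17:55,ebay,203.0.113.77
2009-09-25 09:10:30,bank,192.168.1.20
2009-09-25 11:58:12,bank,192.168.1.35
"""

# Assumption: the owner only ever logs in from this home/office network.
KNOWN_NETWORKS = [ip_network("192.168.1.0/24")]


def parse_history(text):
    """Parse 'timestamp,service,ip' lines into (datetime, service, ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, ip = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), service, ip_address(ip)))
    return rows


def unrecognized_logins(rows, since, known=KNOWN_NETWORKS):
    """Logins at or after `since` whose source IP is in none of the known networks."""
    return [(ts, service, str(ip)) for ts, service, ip in rows
            if ts >= since and not any(ip in net for net in known)]


def assess(text, since_date):
    """Per-service verdict: any access from an unrecognized address inside the
    window means assume the account (and everything reachable from it) is
    compromised; otherwise the password still gets rotated, because the trojan
    captured it either way. Returns (verdict dict, flagged logins)."""
    rows = parse_history(text)
    since = datetime.strptime(since_date, "%Y-%m-%d")
    flagged = unrecognized_logins(rows, since)
    verdict = {}
    for service in {s for _, s, _ in rows}:
        hit = any(f[1] == service for f in flagged)
        verdict[service] = "assume-compromised" if hit else "rotate-password"
    return verdict, flagged


if __name__ == "__main__":
    print(assess(SAMPLE_HISTORY, "2009-09-23"))
```

The PayPal login from the foreign address falls before the cut-off, so it is not flagged; the rule is only as good as the window you choose and the addresses you are sure are yours.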
Any advice that doesn't include the above precautions is simply ignoring the problem and hoping it will go away, and is irresponsible.
Furthermore, as of 2PM PDT Friday, the mothership in Sweden was still up, accepting connections from infected systems. I don't know what steps PAI or its experts have taken to get these taken down, but it's not obvious that any have. I'm still working this via other avenues to get this addressed.
WANTED: There have been reports of another C&C in Poland: if anybody has information about this, I'd sure love to see it.
Make no mistake, Payroll Associates is a victim here, on the business end of a sophisticated criminal act, and I have always had tremendous sympathy for them. They also positively have their hands full researching what happened and ensuring that their own infrastructure is safe. Protecting their own stuff protects their customers.
But they are not the only one facing threats, and I really don't see much evidence of them Doing The Right Thing to proactively and aggressively take care of their customers (as opposed to themselves).
It's very common for companies new to this kind of security nightmare to treat it as mainly a PR problem, especially since I still believe the bad guys didn't actually get the really juicy data from Paychoice directly.
But by not aggressively helping their licensees keep their customers safe, they have shifted the burden of legally-mandated privacy-breach disclosures from themselves onto their customers: "PAI did not send the badware, we didn't open it, we didn't send the passwords to the bad guys: you may have to disclose to your employees/customers, but we don't".
My hero Bruce Schneier would probably call this an "externality": a cost imposed on others that is not a concern to me. I predict that if this happens to customers, Paychoice licensees will be asking Paychoice to pay for it (I don't know anything on this front beyond idle chitchat from licensees).
When dealing with this kind of horrible event, you really have to fall all over yourself to keep your customers in the loop — consistent with conducting an investigation — and to make customers feel like they're being taken care of. The worst thing you want is for your customers to have their imagination go wild — it never goes to a good place.
I've called this the warm fuzzy feeling for years, and I haven't gotten that vibe from many Paychoice licensees in the last week.
I have heard nothing from Payroll Associates, though a lot of their licensees are talking to me, but I'd love nothing more than to find out that they have taken far more steps than I've seen, and that I'm just uninformed. We can only hope.
Note: Here, and throughout this incident I am commenting on Paychoice's security response, which is how they handle an incident. I am making absolutely, positively no comment on their actual security as a whole, because I don't have the first bit of information, or even a hint, to provide an assessment (and probably never will). Really - I have no idea.
Furthermore, I've not seen anything that would make me avoid using Paychoice to run my payrolls except for what I perceive as very poor customer service during a security incident.
Disclaimer: I consult to the payroll industry, including to a Paychoice competitor, but this is an independent, unpaid, uncoordinated effort.