« New Tech Tip: Analysis of initial patches for Microsoft's Hyper-V driver in the Linux kernel | Main | How not to respond to a targeted malware attack »

September 30, 2009

Security Response: the Paychoice/Online Employer incident

For the last week or so, I've been working on a security incident involving the online web portal of Paychoice, a very large payroll software and service provider in the United States. They provide payroll for many companies directly, plus their software licensees are service bureaus that do the same thing. It's a large operation.

A week ago, users of this web portal — Service bureau users and employer/customer users — received fake emails purporting to be from the Online Employer web-based service, inviting users to download a "required update" to use the online portal. It was badware, of course, and to make the email more believable, they contained the username and partial password of the user. This looked really scary.

I got involved when a customer casually mentioned these difficulties, and I spent the next quite a few days digging in on several angles. This was an independent effort, to date I've had zero contact from the Paychoice people.

First, BIG kudos to the great folks at Yahoo! Security (hi Mark!) who managed to shut down the malware-serving sites within an hour of being reported. The Y! Paranoids rock, and all of my customers are grateful for your fast service to protect users.

Also, serious thanks to my Microsoft Security MVP colleagues, who provided invaluable guidance while handling this incident. They thought of things I'd not have.

Surprisingly, in the end I concluded that this was probably much less serious than we first thought: if the bad guy had real-deal payroll data, it wouldn't have been necessary to go on this well-orchestrated phishing expedition, so I came to the conclusion that the bad guy had only the usernames and partial passwords.

It's still a big deal, of course, and I don't doubt that Paychoice is pressing numerous resources (both with security experts and with law enforcement) to get to the bottom of this. As they should. Godspeed, folks: I know it's been a sucky week for you.

I'll also note that Paychoice kept in more or less regular contact with its licensees: updates daily with what's going on (though never enough information for licensees).

I kept a running log of this incident, which by now is mostly calming down, plus wrote up in more detail my analysis of why this may not be the data-breach catastrophe it first appeared to be.

Brian Krebs reported this story in his Security Fix column in the Washington Post.

Posted at 08:18 PM in Security |

Comments

SecuritySystemsOK.com

Ive heard about some scams involving WePay as well. I had no idea about Paychoice. Also, oh hai mark.

Posted by: SecuritySystemsOK.com | December 14, 2012 at 11:21 AM

The comments to this entry are closed.

ABOUT STEVE

  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Recent Posts

Categories

Archives

Unix Wiz

Stephen J. FriedlSoftware ConsultantOrange County, CA USASteve@unixwiz.net