PayChoice latest to be hit by multi-stage cyber attack

paychoic_logo_300pxPayChoice — and its business customers — have been hit by a multi-stage cyber attack that’s becoming all too familar.

Reporting by Security Fix blogger Brian Krebs points to an initial breach of PayChoice customer databases, followed by a spear phishing attack using stolen from the breach to target specific employees of companies that use PayChoice’s popular outsourced payroll services.

PayChoice CEO Robert Digby has just issued a statement saying the security breach of its online systems was discovered on Sept. 23. “We are handling this incident with the highest level of attention as well as concern for our clients,” says Digby. He says online systems were shut down temporarily to “institute fresh security measures” before starting up again.

matt_moynahanThe bad guys appear to have used a SQL injection hack to crack into PayChoice’s databases,  says Matt Moynahan, CEO of security firm Veracode. “This was a two-stage attack with the first stage being a minor attack against relatively benign information that could be used in a more sophisticated second stage of the attack,” he  says.

Interestingly, they did not appear very much interested in credit card transaction data — the target of hacker Alex Gonzalez and compatriots, charged with pilfering 94 million payment card records from TJX and 130 million records from Heartland Payment Systems.

Which raises the question: do corporations routinely use a lower level of encryption and security measures for storing  names and email addresses as compared to credit card numbers and other pieces of PII, personally identifiable data? The PCI standards, after all, call for tight security measures — but only for payment card transaction data.

‘Chaining’ vulnerabilities, methodologies

Whatever the case, these thieves evidently concentrated on harvesting email addresses and company names, says Moynahan. This enabled them to send emails to individual employees purporting to come from PayChoice. The attack shows that criminals are getting more sophisticated using a technique Veracode calls  “chaining” — linking together software vulnerabilities and attack methodologies, he says.

Employees at tech security firm Damballa, a former PayChoice client, were at the tail end of this particular chain; their names and email addresses were stolen from PayChoice’s databases. Damballa once patronized ChoicePayroll, a third party payroll service provider that was a client of PayChoice, explains Tripp Cox, Damballa’s vice president of engineering.

Several Damballa employees received emails purporting to come from PayChoice asking them to click on a Web link to download a plug-in needed in order to continue accessing, PayChoice’s online portal.

paychoice_email_450pxClicking on the link actually downloaded a variant of the ZeuS banking Trojan, which LastWatchdog investigated and wrote about in this USA Today cover story.

Cox said he would not be surprised if the attackers’ ultimate goal was to crack into Damballa’s business accounts to execute wire transfers to money mules, accomplices recruited via work-at-home ads to set up bank accounts to receive stolen funds.

Sweet targets

Wire transfers to multiple mule accounts has become a very popular crime. Back in 2005, Miami small business owner Joe Lopez lost $90,000 via a single fraudulent wire transfer from his Bank of America online business account to a bank account in Latvia. Lopez had to sue BofA to get made whole.

Fast forward to July 2009 and we have Henry Slack, owner of a chain of auto parts stores in Gainsville, GA, losing $75,000 in nine transfers into six different mule accounts. And just yesterday, security firm Finjan disclosed how another multi-stage heist — this particular one doing wire transfers from  German banks to an large herd of mules. These guys are altering online statements on the fly and methodically rotating the use of mules to escape detection.

Is this what the  PayChoice attackers were ultimately going after?

tripp_cox_crop131px “The end game of this scam is unclear, but the selection of the ZeuS Trojan indicates that the criminals were hoping to get banking account login credentials from all of their victims,” says Cox. “One can imagine that they would next check balances of the pilfered accounts and go for the deep pockets. Employers’ cash accounts used for payroll would make sweet targets.”

Veracode’s Moynahan says the root cause of multi-stage cyber robberies are poorly written Web applications. Vulnerabilities in PayChoice’s public facing Web applications enabled the bad guys to get employees email addresses. Security flaws in the employee’s Web browser, document reader and media player applications allow the bad guys to implant a wormhole, called a Trojan downloader, to take full control.

“The root cause of the initial attack, and the mode of the second stage of attack –downloading of malicious code — was software vulnerabilities,” says Moynahan. “The PayChoice attack is a window to the future mess that will undoubtedly result from insecure software.”

–By Byron Acohido

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone