Refined Attack Targets PayChoice Customers

Breach followed by customized phishing attack
October 6, 2009

Phishing scammers have traditionally cast wide nets, sending mass, indiscriminate e-mails they hope will successfully ensnare at least some portion of their potential targets. The fraudsters behind the recent scheme targeting customers of PayChoice, however, were not typical phishing scammers. Relying on personal data stolen from payroll processing company PayChoice, they addressed their victims by name. They used other information acquired via the breach to make their ruse all the more believable.

According to The Washington Post, the scammers first hacked into the PayChoice system and stole customers’ information. Next, they sent targeted customers e-mail notifications under the guise of PayChoice officials. The e-mails warned that a software update was needed to maintain access to the company’s online payroll service (onlineemployer.com). The plug-in, of course, turned out to be malicious software intended to steal personal information, including web usernames and passwords. 

The attack was convincing not only because it addressed PayChoice customers by name, but because it also referenced the recipients’ onlineemployer.com usernames and a portion of their account login passwords.

PayChoice discovered the breach of its online systems on Sept. 23, the company stated in the Post. Its onlineemployer.com site was shut down, and fresh security measures were instituted to protect client information.

The malware used in the attack would have escaped notice by most anti-virus scanners, according to security blogger Steve Friedl, who received e-mail from several customers who were targeted. As of Oct. 1, the malware was detected by only five of 41 commercial and retail anti-virus scanners, he writes.

PayChoice, meanwhile, has hired outside forensic experts to determine the intrusion’s scope. “PayChoice is determined to find the cause and extent of the breach and to take further measures to prevent a future occurrence,” the company’s Chief Executive Robert Digby said in a statement quoted by Computerworld.

The company joins an ever-growing list of payment firms to be “victimized by cyber criminals,” Digby stated in an e-mail to Network World. Unfortunately, criminals recognize that the more personalized their phishing attacks are, the more likely they are to trick victims into downloading malware or handing over personal information. Last November, phishers who breached a database containing information on users of the Skype software known as Pamela used that data to personalize a scam intended to persuade victims to turn over sensitive information, according to The Register.

Scams are no longer addressed simply “to whom it may concern.” Now, they know your name—and maybe even more. 




©2003-2010 Identity Theft 911, LLC. All rights reserved.
