 visormiser Premium join:2004-02-10 Alexandria, VA
Hackers Breach Payroll Giant, Target Customers
Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.
Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations.
Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in the body of the message. The missives also included reference to each recipient's onlineemployer.com user name and a portion of his or her password for the site.
»voices.washingtonpost.com/securi···t_t.html
  SnowyOne Premium join:2003-04-05 Kailua, HI
The name PayChoice may not ring bells, but that just illustrates how a person's PII could be compromised by a security lapse in a company they have never even heard of. Fortunately, in this breach I agree with Steve's assessment of the extent of the leak, quoted in the Washington Post article, which concluded that the information leaked doesn't rise to the caliber of a major disaster. »voices.washingtonpost.com/securi···t_t.html
Edit: A direct link to Steve's conclusion that I believe to be spot on. »unixwiz.net/paychoice/motives.html
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
reply to visormiser: I have been working this Paychoice security incident nearly full-time for more than a week now — I believe the only substantial, contemporaneous, independent effort — and I'm done giving those guys the benefit of the doubt (which I had been doing in spite of misgivings).
It's official: They're doing a bad job (blog post)
Steve -- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site
  OB1 Premium join:2006-07-17 ITALY
Heh... I somewhat noticed that!
Well, not just PayChoice, sounds like the folks at Symantec had their share GRIN
[edit]
Sounds like someone should go tell these folks that Symantec should better fix its own issues before trying to bash other products
-- * ObiWan
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
said by OB1: "Well, not just PayChoice, sounds like the folks at Symantec had their share"
I don't have enough information to reach that conclusion, in part because I have so little experience with antivirus response. The results do somewhat speak for themselves, but I assume there's always a natural variation in response: sometimes vendor A will be first, sometimes they'll fall behind. I dunno.
I figured out how to get "back issues" of VirusTotal analysis, and found the first one:
Thursday 24 Sept, in the afternoon
These five picked it up by then:
These listings show the detections based on definitions on file as of the time of the scan, and this does not necessarily mean that Microsoft was first.
It could be that (say) F-Secure had it earlier, but they have since updated their signatures, so it's showing that their more recent ones pick it up too. If anything, it says that Microsoft doesn't update their signatures as often (but shouldn't be too big of a deal because the product was still in beta).
Why did it take Symantec a week? I have no idea.
Steve
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site
  OB1 Premium join:2006-07-17 ITALY
Well, first of all, about Symantec: I was referring to that blog post I linked, in which Mike Plante (from Symantec) was bashing MSE hard... and I think that before doing so he and some other folks at Symantec should fix their own issues.
That said, looking at the VT results it sounds like 4 of the AVs which flagged the critter did it using heuristic and/or behavioural checks; notice the ".gen", the "behaveslike" and the "variant". On the other hand, it sounds like MSE had the signature for that critter; not bad IMHO.
[edit]
Looking at the Prevx results for the critter, I wonder if that "PNG" file which appears on the Prevx page may be something along these lines... hmm... it may be worth investigating a little.
-- * ObiWan
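As an added illustration of the two points made above (OB1's reading of ".gen" / "behaveslike" / "variant" names as heuristic rather than sample-specific detections, and Steve's caveat that a single VirusTotal report only shows what the definitions on file at scan time caught, so you need the earlier "back issue" reports to see who flagged it first), here is example code that is not from the thread or from any vendor. The scan dates and most detection names in it are constructed; only the marker list and the product names come from the discussion.

```python
import re
from datetime import date

# Detection-name fragments the thread points at as signs of heuristic/generic
# (rather than sample-specific) detection, plus a few common equivalents.
HEURISTIC_MARKERS = ("gen", "behaveslike", "variant", "heur", "suspicious", "generic")

def is_heuristic(name: str) -> bool:
    """True when a detection name reads as generic/heuristic rather than a specific signature."""
    tokens = re.split(r"[ ./!:\-]+", name.lower())
    return any(tok.startswith(m) for tok in tokens for m in HEURISTIC_MARKERS)

def first_detections(reports):
    """reports: iterable of (scan_date, {engine: detection_name or None}), any order.
    Returns {engine: (earliest report date that flagged the sample, name)}.
    The date is only an upper bound on when the engine gained coverage: an
    engine may have detected the sample before the earliest report we hold."""
    first = {}
    for scan_date, results in sorted(reports, key=lambda r: r[0]):
        for engine, name in results.items():
            if name and engine not in first:
                first[engine] = (scan_date, name)
    return first

def summarize(reports):
    """Per engine: first report date that flagged it, the name used, and whether
    that name looks heuristic/generic rather than a specific signature."""
    return {eng: {"first_seen": d.isoformat(), "name": n, "heuristic": is_heuristic(n)}
            for eng, (d, n) in first_detections(reports).items()}

# Constructed reports: the engine names are real products, but the dates and the
# detection names are made up for this example, not copied from VirusTotal.
REPORTS = [
    (date(2009, 9, 30), {"Microsoft": "PWS:Win32/Zbot", "F-Secure": "Trojan.Win32.Zbot",
                         "McAfee": "Generic PWS.y", "Symantec": "Trojan.Wsnpoem"}),
    (date(2009, 9, 24), {"Microsoft": "PWS:Win32/Zbot", "F-Secure": None,
                         "McAfee": "Generic PWS.y", "Symantec": None}),
]

if __name__ == "__main__":
    for engine, info in sorted(summarize(REPORTS).items(), key=lambda kv: kv[1]["first_seen"]):
        kind = "heuristic/generic" if info["heuristic"] else "specific signature"
        print(f"{engine:10} first flagged {info['first_seen']} as {info['name']!r} ({kind})")
```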
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
reply to Steve: Apparently the hackers are continuing to target PayChoice:
quote: PayChoice Suffers Another Data Breach
Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers. ...
Ref: »voices.washingtonpost.com/securi···ata.html
MGD
  OB1 Premium join:2006-07-17 ITALY
Any further news on the issue?
Did the folks at PayChoice finally realize that once a system gets compromised it can't be trusted anymore, or are they still trying to hide themselves behind their own thumbs?
-- * ObiWan
 MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
said by OB1: "Any further news on the issue? Did the folks at PayChoice finally realize that once a system gets compromised it can't be trusted anymore, or are they still trying to hide themselves behind their own thumbs?"
Brian Krebs wrote a recent article in his Washington Post Security Fix blog, titled "FDIC: Uptick in 'money mule' scams", which mentions the PayChoice breach again:
Excerpt: quote: ... PayChoice responded to that breach by forcing customers to change their passwords. But sometime during the week of Oct. 12, some PayChoice customers reported seeing phantom employees added to their outgoing payroll »voices.washingtonpost.com/securi···ata.html. PayChoice alerted its customers that hackers had again breached its systems, and urged customers to be on the lookout for unauthorized payroll transfers to four specific people and associated bank accounts. PayChoice said one of those individuals was named Ronald Cutshall, and that an account associated with Cutshall ended in the numbers 7766.
Security Fix recently caught up with a Ronnie Cutshall from Greeneville, N.C. who acknowledged having an account at the local GreenBank ending in those four digits. ... For its part, PayChoice said it has "conducted a comprehensive review of its IT infrastructure, including network devices, servers, applications and IT operating procedures," and that it is "deploying responsive measures recommended by industry-leading security experts."
"While law enforcement authorities have asked us not to provide detailed information to the public, PayChoice has responded vigorously to last month's breach of our online system," Digby said. ...
See Ref: »voices.washingtonpost.com/securi···cam.html
Also a related follow-up article today:
»voices.washingtonpost.com/securi···6-f.html
MGD
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
reply to Steve: Symantec has a write-up about Trojan.Wsnpoem
Discovered: July 24, 2008
Updated: July 24, 2008 7:27:51 PM
Also Known As: Win32/Kollah.NU [Computer Associates], W32/Zbot [F-Secure], TROJ_ZBOT.AJD [Trend], TROJ_ZBOT.QT [Trend], Generic PWS.y!F1684D85 [McAfee], TROJ_ZBOT.AJR [Trend], Troj/Zbot-AX [Sophos], Troj/Zbot-BD [Sophos], Troj/BckDoor-B [Sophos], Troj/Zbot-CK [Sophos], Troj/Agent-KZY [Sophos]
SEE »www.symantec.com/security_respon···-0415-99
and
»www.symantec.com/security_respon···-0415-99
Please note that VirusTotal uses an older version of Symantec Corporate and Symantec AntiVirus Corporate Edition 9.0 or earlier products, whose LiveUpdate definitions are updated weekly, not daily as in the newer versions.
-- Proud Member of ASAP DSLR Phishtracker