Does this site look plain?

This site uses advanced css techniques

Who, How and Why?

Many are speculating on what the Paychoice incident was about and what the bad guys got, and what it was all about.

In thinking about this, I've come to these conclusions:

  1. The bad guys had only the data we saw in the emails, nothing more
  2. They were actually trying to steal money by infecting users, not to embarrass the company
  3. It was probably not an inside job

I have no information whatsoever from Paychoice, so this is all strictly speculation and thinking out loud.

  1. The bad guys are known to have gotten at least this information:

    • email address
    • Full name
    • username
    • partial password

    I have no idea how they got it, nor can I speculate - I simply don't know the Paychoice architecture enough to take more than a wild guess.

    If the bad guys had more information than this, why would they have tipped their hand when they could have instead used it to quietly monetize their booty?

    Payroll data is an absolute goldmine for identity theft (or outright money theft), and even if all they had were complete username+passwords to the web portal, they could have logged in and grabbed private banking and employee info "by hand". Name, social security number, date of birth, address, etc. It doesn't get a lot better than this (other than to get it wholesale).

    If they had located a large company on the service, they probably could have quietly added a phantom employee and created payrolls for them: this might go undetected for a time (though I'm not enough of a payroll guy to know for usre).

    I simply can't believe a criminal would waste a golden opportunity for bigtime wholesale theft in order to go for smalltime retail theft.

    I have to conclude that the bad guys did not have more data, and were doing what they could to leverage it.

  2. It should be obvious that this was terribly embarrassing to Paychoice, and I feel just awful for them: it had to have been the worst experience of their professional careers. There was some scuttlebutt coming out of the conference that this may have been intende to embarrass Paychoice, though it may be nothing more than random rumors.

    If this were just trying to embarrass, it could have been accomplished with no more than the initial email: sending out tens of thousands of mails, making all their service bureaus call their customers to provide new credentials: by the end of the first day (Wednesday), the damage was done.

    But the emails continued for two more days, domains and websites continued to be registered and parked at Yahoo!. This was an ongoing criminal effort.

    In addition, the emails were sent from a hijacked botnet, and the badware was tailored for this attack, phoning home to a botnet server in Sweden (and possibly elsewhere).

    If you're just trying to make the company look bad, why go to all this extra trouble? This is especially so since after the first day, everybody was watching, and the chance of getting caught rose dramatically.

    The timing of this at the start of the annual conference was either a coincidence, or (more likely) part of careful planning. It's not that hard to look around on the Paychoice website and find out when it is. This is just part of professional reconnaisance.

    So in my view, the added embarrassment of the additional efforts were really minor, but the risk rose dramatically.

    I have to conclude that the bad guys were trying to actually compromise payroll staff workstations: embarrassemnt was just an inherent side effect.

  3. The notion of inside-job-or-not is where I'm most fuzzy, because I have the least amount of information. But I think it's plausible, but not highly likely.

    First, fraudulent emails were not written by a native English speaker, and I'd imagine that most "insiders" at Paychoice would not write this way. It has all the hallmarks of Eastern Europe to me (I taught English as a Second Language for years, and have an eye for this kind of mistake).

    Second, this operation required numerous criminal acts: stolen credit cards (I assume) to register the domains and the websites, hijacking a botnet to send the emails — three times — and separate botnet motherships in various places, hosted in a location that's apparently insulated from responsible management (the mothership is still up).

    Most people in decent society would not be able to pull this off without making horrible mistakes, and I really doubt that Paychoice has a master hacker on staff.

    Something this big leaves lots of trails, and it's hard to imagine that anybody with ties to the company would withstand the kind of scrutiny that must be going on right now. Paychoice says that Law enforcement is involved.

    But the biggest factor to me: an insider would have had far better information available than this, and could have made far more use of it without making nearly the splash.

    This makes me think that this is not an inside job.

How did they get the data?

A lingering question for me is not so much "how did the bad guy get the data?" — though that of course is intersting — but "how were just those bits of data all located together, without the other stuff?"

I understand that for the Online Employer application, the real payroll data is at the individual service bureaus, and data shuffles back and forth between the service bureaus and the web portal for service. I don't know it synchronizes or reconciles.

Thinking like a database developer — which I am — it seems highly plausible that the portal user configuration data is stored only at the mothership, which is separate from the payroll data in the service bureaus.

So my best guess is that the bad guys may have worked their way into the edges of the web portal and managed to snag the information we see here, without getting more. They then undertook this attack to leverage it.

An obvious additional question by us security folks is: "Why do they store passwords in cleartext?". One should generally not do this, using a one-way cryptographic hash (preferably salted) that cannot be reversed. This means that if the bad guy gets the hashes, it's impossible to reverse and time-consuming to brute-force (but: see sidebar).

The only case I can think of for maintaining passwords in cleartext is to disallow users from choosing a password that includes parts of prior passwords (if you only want to excluded prior actual

I'm sure Paychoice is digging into all these issues. If they do indeed store their data in this way — separating portal access from payroll data — and can explain the partial passwords, I'd be completely satisfied that this is an embarrassing but not fatal breach.

Conclusions

Though this is certainly embarrassing, and Paychoice positively has to get to the bottom of it, I believe this is a far less sensational incident than it appears at first.

Paychoice may have come to these same conclusions themselves — though they have much more data than we do — they can't very well say it this way: it would look like spin.

I would never put spin past any company, but in this case my best judgement is that this is not the kind of data breach that would trigger mandatory disclosures under the various data-breach laws on the books today.

I think the best way to summarize this: that's a lot of work to get payroll data if you already have payroll data.

I dearly hope this proves to be the case.

Back to main log