Hackers Go After Payroll Departments and Payroll Services

It is no secret cybercriminals follow the money. But during the past several months, that adage has taken a very literal turn, as a series of cyberattacks targeting payroll departments and payroll services has transpired.

Armor, a leading global cloud security solutions provider, observed mention of one such cyberattack in early April, whereby hackers targeted the payroll department of the city of Tallahassee and absconded with almost $500,000. With their curiosity piqued, Armor’s Threat Resistance Unit (TRU) began digging to find out whether there had been other similar-style attacks in recent months.

Armor’s TRU team discovered that three payroll-related cyberattacks had occurred between February and April 2019 in the southeastern U.S.: a February ransomware attack targeting Atlanta-based payroll software technology provider Apex Human Capital Management; a March cyberattack targeting the Thomas County School System in Thomasville, Georgia (whereby hackers nearly got away with almost $2 million); and the April 3rd cyberattack affecting the payroll department of Tallahassee, Florida.

Interestingly, these incidents came on the heels of the massive “Collection #1” data dump discovered in January 2019. TRU’s analysis of the Collection #1 data revealed that among the almost 773 million unique email addresses and passwords were the email credentials and plain-text passwords for over 240 payroll departments from apparently at least 240 different organizations.

While Armor is not aware of any connection between these payroll-related attacks, the incidents follow a September 2018 warning from the FBI’s Internet Crime Complaint Center (IC3) that cybercriminals are targeting the online payroll accounts of employees in a variety of industries, including education, healthcare, and commercial airway transportation. According to the IC3, these attacks use phishing emails to steal employee login credentials. Armed with these credentials, the attackers can access employee payroll accounts and modify account settings to prevent the employees from receiving alerts about changes made to their payroll direct deposit status. The attackers then change the direct deposit destination so that payroll deposits are redirected to accounts they control, often in the form of prepaid cards.
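The IC3 pattern above has a recognizable footprint in a payroll portal’s audit trail: a notification setting is switched off, and shortly afterward the same account’s direct deposit destination changes, frequently from a network location the employee has never used. The following detection logic is an added example, not Armor’s or any vendor’s code; the audit-event format, field names, and sample records are constructed for illustration.

```python
"""Flag direct-deposit changes that match the payroll-diversion pattern."""
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical payroll self-service
# portal, oldest event first. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2019-04-01T08:02:00", "user": "jdoe", "event": "login", "ip": "10.0.0.12"},
    {"ts": "2019-04-01T08:05:00", "user": "jdoe", "event": "direct_deposit_changed", "ip": "10.0.0.12"},
    {"ts": "2019-04-02T23:10:00", "user": "asmith", "event": "login", "ip": "203.0.113.7"},
    {"ts": "2019-04-02T23:11:00", "user": "asmith", "event": "notifications_disabled", "ip": "203.0.113.7"},
    {"ts": "2019-04-02T23:14:00", "user": "asmith", "event": "direct_deposit_changed", "ip": "203.0.113.7"},
]

# Constructed baseline: addresses each employee has previously used.
KNOWN_IPS = {"jdoe": {"10.0.0.12"}, "asmith": {"10.0.0.41"}}

WINDOW = timedelta(hours=24)


def find_suspicious_deposit_changes(events, known_ips, window=WINDOW):
    """Return one alert per direct-deposit change that looks like account takeover.

    A change is flagged when the same user disabled payroll notifications
    within `window` before it (the alert suppression IC3 describes), and/or
    when the change came from an IP not in that user's known set.
    """
    last_disable = {}  # user -> time of most recent notifications_disabled
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["event"] == "notifications_disabled":
            last_disable[user] = ts
        elif ev["event"] == "direct_deposit_changed":
            reasons = []
            disabled_at = last_disable.get(user)
            if disabled_at is not None and ts - disabled_at <= window:
                reasons.append("notifications disabled %s before change" % (ts - disabled_at))
            if ev["ip"] not in known_ips.get(user, set()):
                reasons.append("change from unknown IP %s" % ev["ip"])
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deposit_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In a real deployment the alert would feed a hold-and-verify step (for example, an out-of-band confirmation with the employee before the next pay run), which is the control the separation-of-duties tip below is aiming at.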

Cybercriminals Steal $500,000 from City of Tallahassee; City Tries to Recoup $125,000

According to news reports, the City of Tallahassee put forth that it was their “out-of-state, third-party vendor, which hosts their payroll services, which was breached, not them.” And as a result, the city’s employee paychecks were “redirected to bank accounts being controlled by the threat group.” All told, nearly $500,000 was stolen in this cyberattack, but the City reported their bank has been able to recover 25 percent of the stolen money, approximately $125,000.

Curiously, the attack marked the second cybersecurity incident to affect the city in roughly a month. In March 2019, a Dropbox link was sent out in a phishing email appearing to originate from the email account of their city manager. The phishing email, which is believed to have originated externally, was laced with malware. City officials stated that there were no lingering effects from this phishing attack.

Security Tips for Protecting Against Payroll-Related Cyberattacks

Based on the information that has been reported, these security incidents serve as a stark reminder to organizations to stay on top of the latest cyber threats, including managing the risks posed by third-party vendors and partners. Here are some suggested mitigations from Armor:

  • Implement separation/segregation of duties for critical transactions: This key security principle mandates that the agent responsible for conducting a transaction cannot be the same agent responsible for checking or approving the transaction. When this principle is implemented properly it provides an effective control measure against malicious insiders and external threat actors alike who have gained access to critical systems.
  • Classify third-party vendors and partners: Organizations should categorize their third-party partners and vendors according to risk, factoring in each vendor’s level of access to their network and any critical data the vendors may have. Organizations should also take steps to ensure vendors have properly implemented security policies commensurate with their calculated risk levels.
  • Choose vendors wisely: The security strategy and reputations of third-party companies should be closely evaluated before organizations begin doing business with them or trusting them with any type of system access or data. Likewise, once they have system or data access, third-party partners and vendors should be continuously monitored and audited on a regular basis.
  • Employ strong security controls: Use robust, continuously-updated antimalware and active threat mitigation controls across all endpoint devices and application platforms.
  • Keep IT systems and software up-to-date: Organizations should apply software security patches and updates as soon as possible.
  • Perform security awareness training: Employees who are continually educated about current and emerging cybersecurity risks can better identify phishing emails and suspicious behavior. Effective awareness training should invoke active employee engagement and institutionalize the correct response to suspected phishing attempts. With proper foundational and enhancement training, employees can effectively act as cybersecurity monitoring and reporting sensors in a potent line of defense against cyberattacks.
  • Be smart about passwords: Employees should utilize strong passwords, and NEVER reuse passwords across multiple sites. These passwords should change periodically in accordance with a set policy.
  • ALWAYS utilize multi-factor authentication for access to critical systems: This provides an extra layer of security to prevent unauthorized access.
  • Develop a secure backup strategy: Ensure all critical data, applications, and application platforms are backed up by password-protected backup/redundancy systems.

“No matter the size or type of organization, executive leaders must keep cybersecurity top-of-mind,” said Eric Sifford, TRU security researcher. “Whether critical systems and data are in the cloud or on-premise, controlling access and maintaining security hygiene are necessary parts of keeping them safe, and that pertains to not only the organization itself but to all of the entity’s third-party vendors and partners.”