The American Payroll Association (APA) says user information was stolen after attackers managed to inject a skimmer into its website.
A payroll education, publications, and training provider, APA helps professionals increase their skills, offering payroll conferences and seminars, resources, and certification. APA has over 20,000 members.
In a security incident notification (PDF), APA explained that what appears to be a vulnerability in its content management system was likely exploited to inject the skimmer in its login page and on the checkout section of its online store.
The malicious activity was discovered around July 31, 2020, but the investigation into the incident revealed that the attackers had been present on the system since May 13, 2020.
According to APA, information that was compromised during the attack included user login information and payment card information.
The attackers might have accessed information such as first and last name, address, gender, date of birth, email address, job title and role, primary job function (along with details on to whom the user ‘reports’), company name and size, employee industry, and payroll and time and attendance software used at work.
Profile photos and social media username data associated with some accounts might have been compromised as well, APA says.
“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website. APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation,” the Association announced.
APA says it has already prompted affected users to reset their passwords, and it is urging those who haven’t already to do so as soon as possible.
“This attack on the American Payroll Association’s websites affected not only the payment page but also the login page, resulting in theft of usernames and passwords. The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.
“Businesses must take steps to manage the shadow code risks by applying timely security patches and upgrading vulnerable open source libraries and third-party plugins. In addition, client-side application security solutions can provide full runtime visibility and control over all scripts and prevent client-side data breaches. Consumers must ensure that they use unique passwords and multi-factor authentication for different websites to minimize the risk of account takeover (ATO) attacks, and must continue to monitor their credit reports for signs of identity fraud,” Naik added.