Secure Channel Ziff Davis Enterprise
Monday, October 05, 2009 8:58 AM/EST

Browser Toolbars, Plugins a Growing Attack Vector

An untold number of business managers who subscribe to PayChoice, a New Jersey-based payroll processing service, were tricked into downloading a Trojan designed to capture account access credentials.

PayChoice, which supports 125,000 businesses across the country, recently launched onlineemployer.com to provide clients with easier access to information and resources. Hackers discovered this new portal and immediately attacked PayChoice users by sending a spear phishing email that instructed them to download and install a browser plugin. The plugin is actually malware designed to exploit vulnerabilities in Internet Explorer and some Adobe applications. Some reports say the toolbar download was a variant of the Bredolab Trojan.

In light of the recent surge in malware designed specifically to monitor connections with specific domains such as financial institutions and banking services, this attack got me thinking about the security risks toolbars and other browser add-ons pose to businesses.

As the browser fast becomes the tool of choice for providing access to online resources and applications, it will increasingly come under attack or, worse, be manipulated as a tool for capturing sensitive information. No new revelations there. What matters is how the manipulation happens.

After reading about the PayChoice attack, I started hunting for information on blocking the installation of toolbars, plugins and add-ons to browsers. I will fully admit that this is an area where I have little knowledge, so this blog is more about the search for information than advocating action.

Searching the Web for software or tools that manage toolbars and plugins ended with nearly useless results. A few applications promised to block toolbars and other browser add-ons, but they were for single-client use only. Internet Explorer and Firefox help guides include instructions for accessing tools to manage toolbars and plugins, but do not indicate ways to automatically block their installation.

Several blogs noted that the best way to prevent toolbar installation is to instruct users not to opt in to the downloads. Google, Yahoo, Microsoft and other major toolbar publishers give users the option of not downloading and installing toolbars and plugins when upgrading browsers or adding services. Some software publishers such as Adobe will allow users to selectively install add-ons, but with the caveat that some applications may not perform optimally without the tools.

Web and traffic filters, scripts and policy settings must exist for managing not just single clients, but distributed and mobile fleets of PCs. But if they do exist, they are fairly well hidden.

End users often complain about rogue and unauthorized software creating security risks and leading to breaches. But browser toolbars and plugins almost seem falsely benign given that their intended (or purported) purpose is to enhance and simplify the user experience. Telling users not to install every toolbar and plugin is highly impractical since it neither scales nor is enforceable through automated controls.

What choices are there for managing toolbars and plugins to prevent security breaches? What tools do you use, support or recommend? Are end users concerned about these security risks? And is the PayChoice incident a harbinger of security threats to come?
