CheckFree.com Hijack May Have Affected 160,000 Users
Online bill pay giant CheckFree.com said the hijacking of its Web site this month affected an estimated 160,000 people, a disclosure that offers the most detailed account yet of the true size and scope of a brazen type of attack that experts say may become more common in 2009.
In a filing with Wisconsin's Office of Privacy Protection, CheckFree said at least 160,000 people may have visited the site during the nine-hour period it was hijacked, which had redirected visitors to a site in Ukraine. An analysis of that Ukranian site indicated that it was trying to exploit known security flaws in Adobe Acrobat and Adobe Reader, in an attempt to install a variant of the the Gozi Trojan, which is among the most sophisticated password-stealing programs in use today.
CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.
CheckFree said it has sent warning notices to about five million consumers that may have a relationship with CheckFree as a bill paying agent. Among those notified by CheckFree was my editor, who happened to be logging into the site during the early morning hours of the attack on Dec. 2. Her system did not get hit with the malware: She was browsing CheckFree's site with a Mac.
One thing the company hasn't disclosed -- and which I haven't read anywhere else yet -- is that CheckFree's e-mail systems also could have been hijacked during the attack.
This attack succeeded because hackers were able to snag the credentials needed to gain access to CheckFree's domain records at Network Solutions, CheckFree's domain registrar. The bad guys changed CheckFree.com's domain name system (DNS) records so that any visitors were pointed to the Ukrainian site.
But corporate e-mail systems can also be hijacked this way, as they, too, rely on DNS settings to route incoming and outgoing e-mail. A source who is close to this investigation but who asked not to be named so as not to compromise his role shared with Security Fix records indicating that the hijacking indeed affected CheckFree's mail server DNS records (also known as "mail exchange" or "MX" records).
Normally, CheckFree.com's MX records point to mail2.checkfree.com, and mail1.checkfree.com, servers that are assigned Internet addresses of 184.108.40.206 and 220.127.116.11, respectively.
But according to servers used to passively monitor changes to global DNS records, during the attack, both of CheckFree.com's MX records were pointing to the same address in Ukraine (18.104.22.168). From a passive DNS query run on CheckFree's mail addresses shortly after the attack began:
DNS query Answer RR type TTL First seen Last seen
mail1.checkfree.com 22.214.171.124 A 7200 Tue, 02 Dec 2008
10:16:09 UTC Tue, 02 Dec 2008 10:16:09 UTC
mail2.checkfree.com 126.96.36.199 A 7200 Tue, 02 Dec 2008
10:16:16 UTC Tue, 02 Dec 2008 10:16:16 UTC
I asked CheckFree about this and they said none of their incoming our outgoing e-mail was compromised.
"This has been verified from reviewing the Network Solutions log," said Lori Stafford-Thomas, assistant vice president of external communications at Fiserv Corp., the Brookfield, Wis., parent of CheckFree. "Clients may have seen their email to us queuing up because it could not resolve to CheckFree.Com during this time but the email was not redirected."
That means that if the perpetrators of this crime did not intercept the e-mails routed from or destined to CheckFree.com, it is only because the attackers didn't have the foresight to set up a mail server at the Ukrainian address to intercept the missives. Had the attackers done so, they would have been able to read and reply to e-mails sent by CheckFree customers.
December 17, 2008; 7:40 AM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0
Save & Share: Previous: Google Ads Lead to Phony Apps
Next: Microsoft Issues Emergency Patch to Curb Password-Stealing Hackers
Posted by: continuump | December 17, 2008 10:10 AM | Report abuse
Posted by: eteonline | December 17, 2008 11:46 AM | Report abuse
Posted by: moike | December 17, 2008 11:54 AM | Report abuse
Posted by: Ag2000CO | December 17, 2008 1:31 PM | Report abuse
The comments to this entry are closed.