
CheckFree.com Hijack May Have Affected 160,000 Users

Online bill pay giant CheckFree.com said the hijacking of its Web site this month affected an estimated 160,000 people, a disclosure that offers the most detailed account yet of the true size and scope of a brazen type of attack that experts say may become more common in 2009.

In a filing with Wisconsin's Office of Privacy Protection, CheckFree said at least 160,000 people may have visited the site during the nine-hour period it was hijacked, during which visitors were redirected to a site in Ukraine. An analysis of that Ukrainian site indicated that it was trying to exploit known security flaws in Adobe Acrobat and Adobe Reader in an attempt to install a variant of the Gozi Trojan, which is among the most sophisticated password-stealing programs in use today.

CheckFree controls between 70 and 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.

CheckFree said it has sent warning notices to about five million consumers who may have a relationship with CheckFree as a bill paying agent. Among those notified by CheckFree was my editor, who happened to be logging into the site during the early morning hours of the attack on Dec. 2. Her system did not get hit with the malware: She was browsing CheckFree's site with a Mac.

One thing the company hasn't disclosed -- and which I haven't read anywhere else yet -- is that CheckFree's e-mail systems also could have been hijacked during the attack.

This attack succeeded because hackers were able to snag the credentials needed to gain access to CheckFree's domain records at Network Solutions, CheckFree's domain registrar. The bad guys changed CheckFree.com's domain name system (DNS) records so that any visitors were pointed to the Ukrainian site.

But corporate e-mail systems can also be hijacked this way, as they, too, rely on DNS settings to route incoming and outgoing e-mail. A source who is close to this investigation but who asked not to be named so as not to compromise his role shared with Security Fix records indicating that the hijacking indeed affected CheckFree's mail server DNS records (also known as "mail exchange" or "MX" records).

Normally, CheckFree.com's MX records point to mail2.checkfree.com and mail1.checkfree.com, servers that are assigned the Internet addresses 12.16.164.60 and 204.95.150.32, respectively.

But according to servers used to passively monitor changes to global DNS records, during the attack, both of CheckFree.com's MX records were pointing to the same address in Ukraine (91.203.92.63). From a passive DNS query run on CheckFree's mail addresses shortly after the attack began:

DNS query            Answer        RR type  TTL   First seen                     Last seen
mail1.checkfree.com  91.203.92.63  A        7200  Tue, 02 Dec 2008 10:16:09 UTC  Tue, 02 Dec 2008 10:16:09 UTC
mail2.checkfree.com  91.203.92.63  A        7200  Tue, 02 Dec 2008 10:16:16 UTC  Tue, 02 Dec 2008 10:16:16 UTC
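The check the passive DNS data above makes possible, as an added example (not code from the original post, CheckFree or Network Solutions): a small monitor that compares observed A records for a domain's MX hosts against a known-good baseline and raises an alert when several mail hosts suddenly resolve to one foreign address. The feed format and the third record are constructed; the addresses and timestamps come from the article.

```python
# Added example (not from the original post): flag a registrar-level DNS
# hijack by checking passively observed A records for a domain's MX hosts
# against a known-good baseline. No live DNS lookups are performed.
from collections import defaultdict

# Known-good addresses as stated in the article (mail1 -> 204.95.150.32,
# mail2 -> 12.16.164.60); captured ahead of time in a real deployment.
BASELINE = {
    "mail1.checkfree.com": "204.95.150.32",
    "mail2.checkfree.com": "12.16.164.60",
}

# Constructed passive-DNS feed, one record per line: query|answer|rrtype|ttl|first_seen.
# Lines 1-2 mirror the article's observations; line 3 is an earlier, legitimate one.
SAMPLE_FEED = """\
mail1.checkfree.com|91.203.92.63|A|7200|2008-12-02T10:16:09Z
mail2.checkfree.com|91.203.92.63|A|7200|2008-12-02T10:16:16Z
mail1.checkfree.com|204.95.150.32|A|7200|2008-11-20T08:00:00Z
"""

def parse_feed(text):
    """Parse the pipe-separated feed into dicts, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        query, answer, rrtype, ttl, first_seen = parts
        records.append({"query": query, "answer": answer, "rrtype": rrtype,
                        "ttl": int(ttl), "first_seen": first_seen})
    return records

def find_hijack_indicators(records, baseline=BASELINE):
    """Return (findings, collapsed): findings has one tuple per A record of a
    baselined MX host resolving outside the baseline; collapsed lists each
    unexpected address shared by two or more MX hosts (the article's pattern)."""
    findings = []
    hosts_by_bad_addr = defaultdict(set)
    for r in records:
        expected = baseline.get(r["query"])
        if expected is None or r["rrtype"] != "A" or r["answer"] == expected:
            continue
        findings.append((r["query"], expected, r["answer"], r["first_seen"]))
        hosts_by_bad_addr[r["answer"]].add(r["query"])
    collapsed = {addr: sorted(hosts) for addr, hosts in hosts_by_bad_addr.items()
                 if len(hosts) >= 2}
    return findings, collapsed

if __name__ == "__main__":
    found, shared = find_hijack_indicators(parse_feed(SAMPLE_FEED))
    print(found, shared)
```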

I asked CheckFree about this and they said none of their incoming or outgoing e-mail was compromised.

"This has been verified from reviewing the Network Solutions log," said Lori Stafford-Thomas, assistant vice president of external communications at Fiserv Corp., the Brookfield, Wis., parent of CheckFree. "Clients may have seen their email to us queuing up because it could not resolve to CheckFree.Com during this time but the email was not redirected."

That means that if the perpetrators of this crime did not intercept the e-mails routed from or destined to CheckFree.com, it is only because the attackers didn't have the foresight to set up a mail server at the Ukrainian address to intercept the missives. Had the attackers done so, they would have been able to read and reply to e-mails sent by CheckFree customers.

By Brian Krebs  |  December 17, 2008; 7:40 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, Web Fraud 2.0

Comments

Thanks, Brian, for your reporting of the latest CheckFree breach over 9 hours!
To the readers: Unfortunately, the WP is not interested in reporting positive solutions that have been made to the Canadian Govt Dept of Public Safety (DHS) and to a major Metro NY County's Data Centers, etc. Our focus is securitizing critical network infrastructures based on sound "100% science-based R&D and engineering." Unlike the other major network OEMs, our networks "stay up when attacked." Today, we comply with all standards such as OSI, Common Criteria, PCI-DSS, DARPA, etc. Our system is called DtX and operates uniquely at the Level One (OSI) platform, also known as the "last physical layer for security." That's where our OSI resides. FYI, every other OEM, from Cisco, CloudShield, RSA, etc., operates at OSI Levels 2-7. Those are the "software-only layers that their appliances attach to." The science dictates they are all hackable, even encryption!
DtX is fully (100%) transparent to any network, including all equipment and all S/W already installed. We literally bolt on our system, and when an anomaly is detected it switches the potential hacker in under a millionth of a second to a dummy server or network where they can be traced. The important point is that the rest of the network stays "up." Additionally, we actually can eliminate the traditional wire closet by autonomically handling "adds, moves, changes, segmenting, testing, repairing, etc." Clients are reporting a 65-80% reduction in tech support costs. Lastly, a Real Time Administrator that sits over IBM's WebSphere, HP's OpenView, CA's Uniview, etc., with the ability to run the network in real time, even globally. We are now partnered with a major Fortune 100 OEM/Services company.
CheckFree or any one else, just email or call: 917-497-5523 or continuump@gmail.com
Bob

Posted by: continuump | December 17, 2008 10:10 AM

There should be no need to instantly change these settings. A simple email to a non published email address would reveal to the owner that something is going on and would be no problem to implement. Maybe it is time to put these registrars on the hook for some of this and maybe they would not allow such things to happen.

Posted by: eteonline | December 17, 2008 11:46 AM

Bookmarking the SSL page on all your important sites will at least cause the browser to pop up a warning that the certificate doesn't match, or that the site is not secure when the DNS has been hijacked in this fashion.

Email could still be stolen with this DNS hijack however.

Posted by: moike | December 17, 2008 11:54 AM

There seems to be a lot of this going around. Although not having the same impact as CheckFree, over the weekend, 12-14 Dec, www.StarBand.net was hijacked and redirected to StarBand pages but pointing to sedoparking.com and their ads. Both the DNS and MX addresses were changed. Since StarBand/SPACENET host their own site and the name, StarBand.net, is owned until 2017, it wasn't a matter of not paying the bills.

It was odd and took a while to detect since most users of StarBand approach it for the VSAT side, not the web side. People did start noticing that they were not getting any email. At that point those with dual access started checking from the "ground" side. The WhoIs listings changed 2-3 times before things settled down.

Posted by: Ag2000CO | December 17, 2008 1:31 PM


© 2010 The Washington Post Company