Network News

X My Profile
View More Activity

Digging Deeper Into the CheckFree Attack

The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009.

Atlanta based CheckFree acknowledged Wednesday that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software.

While this attack garnered few headlines, there are clues that suggest it may have affected a large number of people. CheckFree claims that more than 24 million people use its services. Avivah Litan, a fraud analyst with Gartner Inc., said CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.

A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records. Network Solutions stressed that the credentials were not stolen as a result of a breach of their system, suggesting that the user name and password needed to make changes to CheckFree's Web site could have been stolen either after a CheckFree employee's computer was infected with password-stealing malware, or an employee may have been tricked into giving those credentials away through a phishing scam.

There are several indications that the credentials may have been stolen through a phishing attack aimed at Network Solutions customers. Roughly one month ago, Network Solutions warned that phishers were trying to trick its customers into entering their Web site credentials at a fake Network Solutions Web site.

At about that same time, a similar phishing attack was spotted spoofing eNom, the second-largest domain name registrar, according to (Network Solutions has the fourth largest stable of domain names, data from RegistrarStats shows).

Interestingly, was not the only site that the attackers hijacked and redirected back to the Ukrainian server. Tacoma, Wash., based anti-phishing company Internet Identity found at least 71 other domains pointing to the same Ukranian address during that same time period. Of those, 69 were registered at either eNom or Network Solutions, and all appeared to be legitimate domains that had been hijacked.

Still, the phishing angle suggests that the attackers managed to phish not only an employee at CheckFree, but an employee who happened to know the credentials needed to administer the company's site records. This may seem like a logical stretch, and perhaps it is.


Regardless of how the credentials were stolen, however, the registrars remain an attractive target for cyber criminals, according to a sobering study (PDF) released this summer by a security advisory group to Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain registrars.

In an unrelated study conducted last year, Internet Identity examined some 12,305 domain names used by U.S. banks, and found that 70 percent of them were registered at a single domain registrar: Network Solutions.

In a note to Security Fix, Internet Identity President Rod Rasmussen said the 12,305 domains covers the entire banking industry plus select e-commerce and infrastructure providers, which is more like 30,000 institutions. He said the reason for the apparent disparity between those two numbers is that there are a large number of banks and credit unions that use third party platforms for their online banking.

"That means that those platform providers are especially tempting targets, as they have dozens or even hundreds of small financial institutions that they handle online banking and other transactions for," Rasmussen said. "Those small institutions have no control over the DNS for those platform providers so are completely dependent upon them to make sure their domains are secure. CheckFree would certainly fit into that platform provider category."

Gartner's Litan said this raises the question: What kind of security mechanisms are in place at Network Solutions to ensure that someone armed with the credentials for any of these Web sites can't simply redirect visitors to a malicious or counterfeit Web site? Perhaps other financial institutions have insisted on additional security measures, but all that was needed in this case to seize control over CheckFree's site was a single set of credentials.

"If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet," Litan said. "This could have been a lot worse, and if they can do it to CheckFree, they can do it to other banks."

A spokesperson for Network Solutions declined to discuss what - if any - additional security measures the company has in place for bank Web sites. Likewise, CheckFree isn't saying much about the attack, except that it is implementing an aggressive outreach plan to help affected users assess their computers and clean the malicious software if their PCs have been infected. The company says it has begun notifying potentially affected users, and that those customers will receive complimentary McAfee anti-virus software and Deluxe ID Theft Block credit monitoring service.

"In addition, affected users will also have a special McAfee link to assess their computers to see if any viruses exist and if they do, will be provided a free clean up as well as complimentary updated antiviral software," CheckFree said in a statement. "We are working with our clients to provide this service."

CheckFree declined to answer any specific questions, such as how they know exactly how many and which customers may have been affected. Security Fix heard from a trusted source who claims to have had direct access to a log of visitors to the Ukrainian site during the hours that CheckFree's site was being redirected there. That source, who asked to remain anonymous so as not to compromise his role in the investigation, said the log indicates that at least 5,000 people were redirected to the Ukrainian site during the 4 and ½ hours of the attack early Tuesday morning. It is unclear whether that was a count of visitors whose systems were successfully infected with the malicious software the site was trying to foist, or whether it was a simple log of the number of visitors to the site.

The incident, however, highlights an attack that we are likely to see more frequently next year, said Panos Anastassiadis, chief executive at Cyveillance, a cyber intelligence company in Arlington, Va.

"This type of attack is going to come in a dozen flavors in the coming months," Anastassiadis said. "Registrars don't comprehend the layers of security they may be forced to put in place as a result."

By Brian Krebs  |  December 6, 2008; 1:58 PM ET
Categories:  Fraud , Latest Warnings , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Hackers Hijacked Large E-Bill Payment Site
Next: A Scary Twist in Malware Evil-ution


all that was needed in this case to seize control over CheckFree's site was a single set of credentials.

"If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet,"

This is astounding - the idea that a single employee could give over the keys to the castle, especially under a phishing scheme.

Changing the domain registration should take at least three keys held by different individuals, and one of those should be a supervisor at the domain registrar. Probably another should be at a third party site.

It seems that the internet security experts are getting so sophisticated that they overlook simple vulnerabilities which seem secure because they've been around so long. What other similar weaknesses are waiting for someone to exploit them?

Posted by: j2hess | December 6, 2008 4:59 PM | Report abuse

Many of the weak points in on-line accounts are there because the company wants to make it "convenient" for the customer. But having your account stolen out from under you without your knowledge is hardly convenient.

For a company the size of CheckFree, being able to sign in at any time of the day or night and quickly change your domain settings can be much more of a burden than a convenience, as this shows. There should be a standard rule for large accounts that such requests are put on hold until a real person contacts another real person "out of band" (i.e. by phone) to verify the change. This should not be expensive, since I wouldn't expect it to happen very often.

At the very least, switching to certain other countries should put an automatic hold on the change.

Posted by: iMac77 | December 6, 2008 8:13 PM | Report abuse

I'm a checkfree customer, so I just got an email tonight from them about the breach. And their email is itself indistinguishable from a phishing attempt. It's sent with a return address of from some bulk mail company ( and includes an 877 number to call for information that has been newly registered to deal with this incident. And I got the email after their regular customer service number is closed for the night, so there's no way to verify that this random 877 number is actually going to a Checkfree representative.

Obviously they haven't learned anything from this

Posted by: AndyHat | December 7, 2008 1:55 AM | Report abuse

No one has yet mentioned another possibility, namely, bribes to obtain the info.

Spying these days does not only target government anymore, but wherever the loot can come from also.

Posted by: | December 8, 2008 5:39 AM | Report abuse

Download the free anti-phishing toolbar from netcraft at:
to protect yourself against such attacks.

Posted by: RichardMiller333 | December 8, 2008 8:20 AM | Report abuse

After reading this article I am going to download free so-called anti-phishing software from a company with which I am not familiar, as suggested by one of the posters? Golly, gee, sure thing!

Posted by: Sutter | December 8, 2008 9:43 AM | Report abuse

netcraft is legit, but don't take my word for it, do some research yourself. the web of trust firefox extension is also helpful.

Posted by: tipsytom | December 8, 2008 10:21 AM | Report abuse


They didn't need a single username and password to take control of the Checkfree's website as the hackers didn't touch the checkfree website.

What the hackers did was redirect traffic away from Checkfree's website. This is a weakness of the companies that sell the domain names as it seems it was easy to get the info to go in and change the DNS settings of Checkfree's domain name.

ICann (The group that gives companies the rights to resell domain names) needs to be more strict on who is selling domain names, the security they use etc! And companies like Checkfeee need to check on that also and move their domain names to more secure companies.

Most domain selling companies have this weak security though which is sad and scary.

Posted by: tymiles | December 8, 2008 10:36 AM | Report abuse

with firefox remembering my id and password, am i vulnerable to having them stolen upon signing in? oh, with a totally updated mac.

Posted by: jbmeyers | December 8, 2008 10:48 AM | Report abuse

I am shocked that Network Solutions doesn't offer an RSA-key authentication mode. Even if it's optional, it would save Check-Free and its siblings the type of trouble this has caused.

I am constantly amazed at the naivete of some IT folks. I deal with many different companies as a consultant and I encounter their security measures. Some are just Nazi's. Others act like they're security-conscious, but aren't really. Others just shut the door so tightly that their employees are hamstrung and end up finding ways around the security to get their jobs done. It must be a tougher job than I thought.

Posted by: JimFromIndy | December 8, 2008 10:57 AM | Report abuse

This is scary! And for a user not to know who NetCraft is, there number one reason for existing is to provide information on what web hosts are running:

But rather than a toolbar, why don't you just find out what your financial institution's IP addresses are (use cmd.exe and type nslookup and put those host names and IP addresses in your hosts file? That is what I advise and what I have done. Just be careful to check every week or so that they have not changed their IP addresses. So what that DNS redirected others to the Ukraine? I am still heading to the servers of my financial institutions because I have their IP addresses myself! This is just in case something like this or DNS cache server poisoning happens. That will do you inifinitely more good than a tool-bar to protect you from this nonsense.

iMac77, you have hit some of the sore spots. Also, some of this information should not be just entrusted to the whois DB, but be off-line at the registrar for the domain. Any attempt to change it should put an automatic hold on the change for all financial institutions and ring a bell (literally) for a human operator to see that attempted change and pick up the phone to dial another real human at the financial institution. Actually, the speed with which you can pick up a domain name needs to be slowed down and checking needs to be done. It is one of the weak spots for people like the ones that have done this that also come up with several hundred new infecting web sites per month and abandoning the ones they have to prompt me to finally just block the entire Russian and Chinese Top Level Domains.

BadDomains[i++] = ".cn"; // YOUR CHOICE - MalWare
BadDomains[i++] = ".ru"; // YOUR CHOICE - MalWare

Maybe I should add?

BadDomains[i++] = ".ua"; // YOUR CHOICE - Domain Exploits

I hope the people doling out the names put some deep thought into this because it has been a weak spot for years. This should never have happened and safe-guards need to be put into place to make sure it never happens again.

Posted by: hhhobbit | December 8, 2008 11:15 AM | Report abuse

Barn door open, horse missing....

Posted by: isenberg888 | December 8, 2008 11:36 AM | Report abuse

Great Scott!!

Before folks get too tied up in double-encrypted public key gobbledygook, here's a simple plan: pay attention to your email. The site administrator receives an email detailing any change to the registration information long before the change can be propagated across the DNS network. If an email comes to the designated email address from, somebody should probably pay attention to it. If the email cheerfully announces that "Your change has been processed and your web address has been redirected to a server in Transylvania", somebody should snap to attention somewhere. Blaming (or GoDaddy, or Network Solutions, or ICANN)seems a bit unfair. This is clearly a blown play by CheckFree's web administrator, easily fixed with a simple process fix. Put down the lawyers, sip a martini, relax...

Posted by: cherter | December 8, 2008 12:37 PM | Report abuse

It would be nice if the registrars actually took this problem seriously. It's not like major organizations haven't asked NetSol and other registrars to provide multi-factor and multi-factor/multi-person authentication for registry information before. Even prior to the hijack, there were requests to registrars for multi-factor authentication on registry accounts.

I have more security on my Paypal account than Network Solutions has on their Registrar accounts, how is that possible?

Come on NetSol, take some responsibility and FIX the problem.

Posted by: dc0de | December 8, 2008 12:54 PM | Report abuse

It would be nice if the registrars actually took this problem seriously. It's not like major organizations haven't asked NetSol and other registrars to provide multi-factor and multi-factor/multi-person authentication for registry information before. Even prior to the hijack, there were requests to registrars for multi-factor authentication on registry accounts.

I have more security on my Paypal account than Network Solutions has on their Registrar accounts, how is that possible?

Come on NetSol, take some responsibility and FIX the problem.

Posted by: dc0de | December 8, 2008 12:57 PM | Report abuse

I meant to include an important safety tip in the story, from CheckFree: The company says the Ukrainian site tried to hit visitors with exploits for flaws in Adobe Acrobat and Adobe Reader.

If you have not recently updated these titles on your machine, now would be an excellent time to take care of that. Or uninstall Adobe and go with an alternative like Foxit.

Posted by: BTKrebs | December 8, 2008 1:03 PM | Report abuse

Do anything on the 'Net and you leave an subpoenable trail of information.

Spend or otherwise transfer money on the 'Net and you will be hacked.

Keep valuable information, your medical records maybe, and it will be stolen.

The 'Net is a sieve...

Posted by: Roofelstoon | December 8, 2008 3:40 PM | Report abuse

Hard to believe the domain registrars are not using stronger authentication. This is a critical E-commerce vulnerability. Most companies have more secure remote access requirements.

Why hasn't ICANN mandated that the registrars use PKI certificates or some form of KeyFOB (either USB or RSA) to ensure only authorized computers and users have access to the domain records?

Posted by: siris | December 8, 2008 3:44 PM | Report abuse


I wouldn't be so quick to counsel relaxation on this. While monitoring e-mails seems to be a necessary component of a solution, I think it would be irresponsible to rely on that as the main line of defense for sites such as CheckFree.

I would summarize many of the posts here to say that what we need, at a minimum, is a two-option approach for protecting domain registration info. I have a domain that I use for personal applications. I don't have anywhere near the traffic that a site like CheckFree has, the data on my server is nowhere near as critical, and I have a dynamic IP address for my server. CheckFree and I should NOT be forced to use the same scheme to protect our domain registration information.

I think registrars should offer an option with a multi-factor approach that includes out-of-band positive confirmation of significant changes. As seldom as I expect CheckFree changes their server address, this should not be a burden. And people like me should not be forced to assume the same level of control for our non-critical servers with dynamic IP addresses. We can rely on the market to ensure that commercial web service entities choose the proper protection plan. If registrars offer high and low options, I don't think a site like CheckFree would fare too well if they chose the low option.

Posted by: mark51 | December 8, 2008 4:05 PM | Report abuse

When I signed up for a user account at my local newspaper they sent an email to my given address that had to be replied to within a certain time to activate the account. Why can't all the registrars send an email to the registered administrator stating that a change has been requested (and stating what the change is), and require a reply before the cange is effected?

Posted by: Ex-Fed | December 8, 2008 4:28 PM | Report abuse


E-mail addresses can be spoofed. There is no good reason IMO that an out of band mechanism such as a personal phone call with a token-supplied password should not be implemented for sites like CheckFree, where so much is at stake and the IP address almost never changes.

Posted by: mark51 | December 8, 2008 5:07 PM | Report abuse

There are 100 millions of registered domain names, and they change hands by the hundred thousands every day, far too much activity for every change to wait for a phone call or email confirmation.

I agree with the above poster who suggests a two-tiered approach - one cheap and quick for the masses, and one with special precautions for domains that require an extra layer of security.

For domain registrars, offering extra security is risky, because someone will hack it and then there is all the liability, court costs, and bad publicity, even if not the registrars fault. So it's a no-win for registrars to offer a special high security version.

Posted by: tjallen | December 8, 2008 5:13 PM | Report abuse

With OpenSRS, a different registrar, you can have your domain locked, which then requires the registrar to unlock the domain before you change name servers. It's just one more step, but I think Network Solutions allows you to unlock through the same interface you get when you log in, with presumably stolen login credentials, allowing "one-stop" changes. At least with OpenSRS, you have to contact your domain reseller to get the lock removed.

Posted by: webgrandma1 | December 8, 2008 5:23 PM | Report abuse


CUNA on Oct 8th put out an Alert to all Credit Unions that OTP display tokens such as RSA and others offer are not secure. OTP tokens are not the answer.

Posted by: mangelinovich | December 8, 2008 5:55 PM | Report abuse

Some people can still add and subtract and use checking accounts. They have calendars so they can be sure to pay bills on time. More work, but better than having worldwide distribution of you finances.

Posted by: whodathought | December 8, 2008 7:38 PM | Report abuse

Being a owner of a computer forensic consulting company I am amazed at the amount of laying the blame game here on the posts. For one if your computer had the appropriate security you would have been alerted about a redirection to a phishing site. I gather the base site has not patched the DNS flaw by what has been stated in the main text. It is important even for companies, and users to keep their computers up to date and secured.

This article reflects just how important security is on the internet and keeping your systems up to date is a major player in all this.

Posted by: greenarrow1 | December 8, 2008 10:12 PM | Report abuse

I received a notice from MyCheckFree to contact them concerning the possible ID loss... in my SPAM box.

The email, although proved legitamate after some investigating, contains just about every telltale sign of a SPAM/phishing mail:
- images coming from muplitple letter/number combo domains
- Sending domain that is not from the source site & does not resolve (
- no reverse lookup records
- website has no notice on the homepage
etc., etc., etc.

Are you kidding me?!!

This is ironic and inexcusible. I can't imagine a single junkmail filter that wouldn't grab this. The people who are at risk will never receive the notification. The only way to verify it was not a scam was to login to the site directly and notice the small email notification link.

Is this how a secure company deals with a security breach? By making an even bigger mistake that should be apparent to any IT team. This email reflects on their competence. I'm not sure which blunder is worse.

PS: For those technically interested in seeing how egregious the email is, here are the first few truncated lines lines in code form.
subj: Important Information Regarding Your Bill Pay Service
From: MyCheckFree Customer Care []

This message contains graphics. If you do not see the graphics, click here to view



December 7, 2008


Dear {name},

We take great care to keep your personal information secure...

Posted by: NY_IT | December 8, 2008 10:29 PM | Report abuse

Checkfree as you noted is attempting to make at least a token effort at amends by providing affected customers with additional malware detection and prevent tools.

Problem is, Macafee is having a when you try to use Checkfree's code to download Macafee's product, Macafee's website throws the error:

"Promotional code exceeds the value of product being purchased."

while their more expensive products throw the error:

"Promotional code can not be applied for product(s) being purchased."

I tried "tech support" but I must say, off-shored tech support continues to deteriorate...they surely bump into the limit of their technical and linguistics skills as well as the limit of their authority quickly.

Posted by: ibsteve2u | December 8, 2008 10:58 PM | Report abuse

@Greenarrow -- there are no signs at all that this attack had to do with the pervasive DNS flaw found and patched this summer.

Posted by: Brian Krebs | December 8, 2008 11:41 PM | Report abuse

Compromise networks or security systems. Compromise internal controls. Compromise greed. We at see this as the root to all illegal or criminal activities online.

Posted by: ScamFraudAlert | December 9, 2008 10:55 AM | Report abuse

The Institute for Cyber Security blog ( has an article on the CheckFree attack from their former CTO and CSO. They discuss the root cause, their analysis of the attack and its consequences, and what could have been/can be done differently for CheckFree and other companies.

Erhan Kartaltepe

Posted by: Erhan | December 9, 2008 11:20 AM | Report abuse

Before too many fingers get pointed at CheckFree and too many people say "Boy, were they stupid!", a good hard look at NSI's 'security' (*koff, koff*) and history. This kind of domain hijack is absolutely nothing new with NSI - it happens pretty much every single day and has been since they got the domain name contract back in 1993. I remember quite clearly writing emails to the Dept. of Commerce/NTIA complaining about NSI's lack-of security even back then. Heck, there were documented cases of people simply calling NSI on the phone, identifying themselves with the WHOIS info from a domain and 'jacking it.

Frankly, given the 15-year history of NSI's sloppiness (indemnified, of course, by their registry agreement) I wouldn't even blink if it were to come out that the hijackers essentially walked through NSI's proverbial open door to snatch the domains they did. Remember, the Internet had ICANN shoved down it's throat because of NSI's greed and incompetence...

"Online since spam was a meat product...."

Posted by: AnonTech | December 9, 2008 3:53 PM | Report abuse

Erhan, your link is invalid. Everybody else, please stop griping and take some of the responsibility yourself. Find your financial instituions IP adresses. Verify them with an IP whois at or some place else. Then open your hosts file and start putting stuff like this in it (and no snide remarks about the banks listed here - I just picked several of the big ones and yes these IP addresses are verified once again months after I first found and verified them):

# IP addresses valid 2008-12-10

Since Wells Fargo has two per each, pick one of them and try to be consistent. Now. When this domain transfer happens next time (and it probably will), I am still heading off to the right financial institution. So why don't you people stop whining about what somebody else is doing (or not doing) and do this simple step to protect yourself? It isn't esoteric, and it works. Yes, dumping your Windows OS and putting on Linux or buying a Macintosh will help as will doing some of the other stuff recommended here. But this advice was cross OS platform and nobody is doing it. Why aren't you doing it?

Posted by: hhhobbit | December 10, 2008 6:58 AM | Report abuse

@Greenarrow (and also Brian K.):

This was not a case of browsers redirected to the bogus page; the use of the word "redirect" throughout this article and subsequent comments is a bit misleading in that respect. The alterations to CheckFree's DNS means that any connection from a client's system to the hijacked domain went directly to the bogus site; the browser was not redirected there from some other, legitimate, site.

Conversationally, yes, things were "redirected," versus where they had been directed before (the real site); but a browser redirect is a specific response to an HTTP header field (or equivalent), and it is only that particular case that will prompt the browser's redirection warning.

Posted by: rhsimard | December 10, 2008 8:32 PM | Report abuse

What has been neglected to be mentioned in this massive hack is that the Malware only affects Microsoft Windows systems.
Linux and Mac OS's are immune to this type of crapware.
Still think Windows is so great now??
I sit on my stable, secure Ubuntu Linux box and simply laugh my a$$ off at things like this.....

Posted by: jen1963 | December 11, 2008 1:09 PM | Report abuse

With the email looking like spam, and going to their website and not seeing ANY mention of this, I searched further and found this article and a few others confirming what the mail stated.

So, I called the number provided and was told if I had McAfee I should be fine but that they were also offering 2 years of free credit monitoring though a company called "Alert Me". The address for this site requires submission of SSN, DL # and current and past addresses - everything someone would need for ID theft. Does anyone know if this is a legit business? Or is this all real?

Posted by: jojo16 | December 11, 2008 2:42 PM | Report abuse

It appears that accounts at Chevy Chase Bank where affected by Checkfree's problem should someone get fired for lack of security? How about the CIO's at Checkfree and Chevy Chase?

Posted by: sotiris | December 12, 2008 1:50 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company