
Hackers Hijacked Large E-Bill Payment Site

Hackers on Tuesday hijacked the Web site CheckFree.com, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today.

The attack, first reported by The Register, a security news Web site, began in the early morning hours of Dec. 2, when Checkfree's home page and the customer login page were redirected to a server in the Ukraine.

CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware. Tolley added that CheckFree regained control over its site by 5 a.m. on Dec. 2. The company said it was still having the malware analyzed by experts.

"The degree of exposure to users is dependent on how current their anti-virus software is and what browser they used to connect with," Tolley said, adding that the company will release more information about the attack as it becomes available.

But Paul Ferguson, a threat researcher with anti-virus firm Trend Micro, said Trend's analysis of the malware indicates that it is a new strain of Trojan horse program designed to steal user names and passwords.

It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va.-based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine. DNS servers serve as a kind of phone book for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to handle.
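The change described above, swapping a domain's authoritative name servers at the registrar, is visible from the outside as a sudden difference between the NS records a zone is expected to have and the ones the public DNS returns. The following added example (not from the article or from CheckFree) shows a defender-side check that compares a recorded baseline against dig-style answer lines; the zone name, name server names and netblock are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed baseline an operator records for their own zone. The names and
# netblock are assumptions for illustration, not CheckFree's real records.
BASELINE = {
    "ns": {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
    "a_netblocks": ["203.0.113.0/24"],  # TEST-NET-3 documentation range
}

# Constructed answer in "dig +noall +answer" layout (owner TTL class type rdata):
# the NS set has been swapped and the login host resolves outside the netblock.
OBSERVED = """\
example-billpay.test.        300  IN  NS  ns1.attacker-dns.example.
example-billpay.test.        300  IN  NS  ns2.attacker-dns.example.
login.example-billpay.test.  300  IN  A   198.51.100.77
"""


def parse_answers(text: str) -> Dict[str, Set[str]]:
    """Group rdata by record type from dig-style answer lines."""
    records: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or not an answer record
        records.setdefault(parts[3], set()).add(parts[4].lower())
    return records


def detect_hijack(baseline: dict, observed_text: str) -> List[str]:
    """Return one alert per sign of delegation or address drift."""
    observed = parse_answers(observed_text)
    alerts: List[str] = []
    expected_ns = {n.lower() for n in baseline["ns"]}
    seen_ns = observed.get("NS", set())
    if seen_ns != expected_ns:
        alerts.append("NS delegation changed: unexpected=%s missing=%s"
                      % (sorted(seen_ns - expected_ns), sorted(expected_ns - seen_ns)))
    nets = [ipaddress.ip_network(n) for n in baseline["a_netblocks"]]
    for addr in sorted(observed.get("A", set())):
        if not any(ipaddress.ip_address(addr) in net for net in nets):
            alerts.append(f"A record {addr} outside expected netblocks")
    return alerts


if __name__ == "__main__":
    for alert in detect_hijack(BASELINE, OBSERVED):
        print("ALERT:", alert)
```

In practice the observed text would come from a scheduled query against a public resolver, so the check fires even when the registrar account, not the operator's own servers, was what changed.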

"Someone got access to [CheckFree's] account credentials and was able to log in," Wade said. "There was no breach in our system."

Among the 330 kinds of bills you can pay through CheckFree are military credit accounts, utility bills, insurance payments, and mortgage and loan payments. Browsing through the first few letters of the company's alphabetized customer list reveals some big names, including Allegheny Power, Allstate Insurance, AT&T, Bank of America, and Chrysler Financial. See the full list of companies here.

CheckFree's Tolley stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.

CheckFree declined to say how many of its customers and companies it handles payments for may have been affected by the attack. But this thread over at an Ubuntu Linux mailing list suggests that U.S. Bank may also have been affected by this attack. U.S. Bank did not return calls seeking comment.

Update, Dec. 6, 2:11 p.m. ET: For more on this developing story, please see the post Security Fix published today, Digging Deeper Into the CheckFree Attack.

By Brian Krebs  |  December 3, 2008; 5:49 PM ET
Categories:  Fraud , Latest Warnings , Web Fraud 2.0  

Comments

It's sad that Network Solutions doesn't have any two factor solutions for the modifications of their domains. After the Comcast.net debacle in May of 2008, Network Solutions remains a weak registrar, and declines any customer requests for more security to prevent this exact type of domain hijacking.

Worthy of note, there were three other companies also hijacked at the same time.

Posted by: dc0de | December 3, 2008 7:17 PM | Report abuse

All these companies use non-American workers, H-1B and outsourcing, to develop their systems...
Is there any question how these sites get hacked?...
Hire Americans in America and these problems will disappear...
The laws in America protect information and punish people who give confidential information to hackers...

Posted by: DwightCollins | December 4, 2008 9:12 AM | Report abuse

Sounds like Kaminsky's chickens are coming home to roost. (Google 'Kaminsky' and 'DNS' to see what that means.)

Posted by: not_fifty | December 4, 2008 10:22 AM | Report abuse

Yes, Dwight. Because Americans would never screw over someone for money, right? We are so morally superior that the thought would never cross our minds. I bet you think this financial crisis is just bad luck, or maybe some foreigners did it. It's certainly not the fault of greedy Americans on Wall St.

Posted by: nperazich | December 4, 2008 12:05 PM | Report abuse

& as Kaminsky said, it's only the tip of this iceberg!

Posted by: phoenix3 | December 4, 2008 12:46 PM | Report abuse

DwightCollins commented ".....the laws in America protect information and punish people who give confidential information to hackers..."

Really? Perhaps the job was outsourced by an American corporation out to cut costs and increase profit? That is how globalization works. As the saying goes, "You cannot eat your cake and have it too."

Posted by: probashi | December 4, 2008 1:03 PM | Report abuse

This is why you should do your daily surfing using a limited user account.

That would have been the only real defense if the Ukraine malware exploited an unpatched browser hole or was missed by anti-virus/anti-spyware software.

Posted by: taskforceken | December 4, 2008 3:32 PM | Report abuse

Here we go with the India lobby pounding Dwight. So predictable.

There are security issues and violations everywhere, human nature being what it is. Is it an issue when you outsource to foreign countries? Probably. We have less control over outsourced foreign help than domestic employees.

Domestic violators can be more easily brought to heel by our justice system.

It's nice of American companies to save costs by outsourcing. But they depend on their consumers for their business income. There won't be much income if many are outsourced and unemployed.

What you pay an employee will mostly be spent here cycling continually throughout the economy (with the government usually getting a cut of each transaction).

Posted by: MikeOLeary | December 4, 2008 3:36 PM | Report abuse

Technically speaking, this was not the Kaminsky DNS bug that enabled the site to be hijacked; it was a breach of Checkfree's account credentials at Network Solutions (the root attack vector of which is unreported here). This allowed the attacker to change the actual DNS records in NetSol's database - which holds the domain-to-IP-address mappings of every domain ending in .com - to point Checkfree's users to servers he controlled. There was no "hack" involved beyond the initial breach into the NetSol system.

Posted by: cwoodfield | December 4, 2008 4:59 PM | Report abuse

nperazich: Actually, there are thousands of active cases of espionage, directly traceable to the H-1B workers we have here. Look, since 2003, the number of H-1B visas has exceeded by a factor of 2-to-3 to 1 the number of new hi-tech job openings. The result has been job losses by more than 3 million U.S. workers, more than double the number of jobs that we are so worried about that we will throw $34 billion at the automotive companies, and every single one of those jobs lost is the fault of the Democrats that passed that stupid, treasonous H-1B visa into law. The Democratic platform was in opposition to outsourcing and H-1B visas. Obama ran a campaign in opposition to the free trade fiasco and promised to put an end to it. Once elected, the swine ponied up to the corporate feed trough and their campaign promises were conveniently forgotten.

The H-1B visa is a security nightmare. So is outsourcing. *MOST* cases of identity theft have been traced to offshore databases in India. Indian gangs have stolen plans for much of our most sensitive defense technology: plans for night vision equipment, the B1 and B2 bomber, nuclear power and weapons technologies, our stealth fighter, even our latest field missiles, and all of this has been sold on the world market. It's a free-for-all and a dangerous one. Supporters of the H-1B visa and its twisted sister the L-1 are the lowest form of scum imaginable, worse than the Wall Street criminals, and it's time to call an end to their taxpayer-greased path to wealth.

Posted by: mibrooks27 | December 4, 2008 6:50 PM | Report abuse

@Cwoodfield -- "it was a breach of Checkfree's account credentials at Network Solutions (the root attack vector of which is unreported here). This allowed the attacker to change the actual DNS records in NetSol's database..."

Come again?

This was reported in the story:

"It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine. DNS servers serve as a kind of phone book for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to handle.

"Someone got access to [CheckFree's] account credentials and was able to log in," Wade said. "There was no breach in our system."

Posted by: Brian Krebs | December 4, 2008 9:01 PM | Report abuse

A lot of people who posted comments didn't read the article carefully to understand what the attack was.

Once again, it is as plain and simple as this: it was Checkfree's NETWORK SOLUTIONS ACCOUNT THAT WAS COMPROMISED, allowing the hacker(s) to point www.checkfree.com (or checkfree.com) to the IP address of their own Web server.

Said taskforceken: "This is why you should do your daily surfing using a limited user account.

That would have been the only real defense if the Ukraine malware exploited an unpatched browser hole or was missed by anti-virus/anti-spyware software."

Wow, where did you pull that from? This attack has nothing to do with the end users.

Posted by: LostInsideTheBeltway | December 4, 2008 11:19 PM | Report abuse

LostInsideTheBeltway fails to realize that the Checkfree personnel are the "end users" whose computer was compromised and account information stolen.

Posted by: frantaylor | December 5, 2008 1:21 AM | Report abuse

People who don't read the article before commenting really do come off looking stupid.

End users got malware installed.

Why Network Solutions (there's an oxymoron for you) stubbornly refuses to make their system any more secure than one single password is beyond me.

If I had a domain -- let alone a domain used for *banking* for heaven's sake -- I'd never use them.

WhatNext?

Posted by: WhatNext | December 5, 2008 3:20 AM | Report abuse

People get malware from many sites. Take for example this large network of scammer sites. Not only do they harvest credit card information, they also distribute trojan infected software according to one customer:

http://digg.com/security/Scammer_sites_harvesting_credit_cards_Google_does_nothing

Posted by: brberry | December 5, 2008 4:37 AM | Report abuse

Too many worry about outsourcing harming security, but it is far more chilling. As more and more US companies outsource, America has less and less to trade for our dollars. With US workers making far less, few can afford US made products and that is killing what is left.

Outsourcing is a good way to leave the USA as a third world nation with no jobs and not enough to eat! I am not against using outside labor, but I am against sweat shops and child labor replacing good paying jobs.

Posted by: as901 | December 5, 2008 7:47 AM | Report abuse

The internet is a scary place, but there ARE ways to easily defeat these sorts of malicious acts.
- Upgrade to the latest browsers and encourage critical websites to use Extended Validation (EV) SSL certs

- Demand 2 FACTOR AUTHENTICATION

- make sure your anti virus software is up to date!

Don't stick your head in the sand, protect yourself NOW.

Posted by: WakeUpAmerica4 | December 5, 2008 10:41 AM | Report abuse

CheckFree, NetSol, and bill pay users all could have done more to protect themselves. CheckFree - protect/encrypt your stinking passwords and use a registrar that takes security seriously. Network Solutions - protect your clients better by using MFA or secondary validations when performing major changes. Bill pay users - don't use an administrator account to browse the Internet.

Posted by: muskratinator | December 5, 2008 12:46 PM | Report abuse

Amateurs. If I was a black hat, I'd make a copy of the original site's entry page on my server, so the customer logs into my server thinking he logs into the company, and my server would take record of login and password and HTTP-REDIRECT them to the original website, so nobody would ever notice anything unusual for at least a month. And I'd have a monthful of user logins, passwords, and other data I'd scrape from their accounts on the site using the stolen passwords.

Posted by: muskratinator | December 5, 2008 2:58 PM | Report abuse

There was an incredible article in Dec 2008's WIRED magazine about a security flaw in the internet that would enable a hacker to get control of a DNS server by tricking it into sending information to a fake page location.
This all unfolded in 2005-2006 but some servers were reluctant to implement the fix. I tried to pay a site using Check-Free on Dec 3rd but couldn't get it to work.

Posted by: ravinggimp | December 5, 2008 7:08 PM | Report abuse

Network Solutions? Ain't that the fly-by-night CYBER-SQUATTER outfit?

Posted by: KeithWarner | December 6, 2008 12:20 PM | Report abuse


© 2010 The Washington Post Company