[Infowarrior] - Hackers Hijacked Large E-Bill Payment Site

Richard Forno rforno at infowarrior.org
Thu Dec 4 16:13:01 UTC 2008


Hackers Hijacked Large E-Bill Payment Site

http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?hpid=sec-tech

Hackers on Tuesday hijacked the Web site CheckFree.com, one of the  
largest online bill payment companies, redirecting an unknown number  
of visitors to a Web address that tried to install malicious software  
on visitors' computers, the company said today.

The attack, first reported by The Register, a security news Web site,  
began in the early morning hours of Dec. 2, when CheckFree's home page  
and the customer login page were redirected to a server in the Ukraine.

CheckFree spokeswoman Melanie Tolley said users who visited the sites  
during the attack would have been redirected to a blank page that  
tried to install malware. Tolley added that CheckFree regained control  
over its site by 5 a.m. on Dec. 2. The company said it was still  
having the malware analyzed by experts.

"The degree of exposure to users is dependent on how current their  
anti-virus software is and what browser they used to connect with,"  
Tolley said, adding that the company will release more information  
about the attack as it becomes available.

But Paul Ferguson, a threat researcher with anti-virus firm Trend  
Micro, said Trend's analysis of the malware indicates that it is a new  
strain of Trojan horse program designed to steal user names and  
passwords.

It appears hackers were able to hijack the company's Web sites by  
stealing the user name and password needed to make account changes at  
the Web site of Network Solutions, CheckFree's domain registrar. Susan  
Wade, a spokeswoman for the Herndon, Va., based registrar, said that  
at around 12:30 a.m. Dec. 2, someone logged in using the company's  
credentials and changed the address of CheckFree's authoritative  
domain name system (DNS) servers to point CheckFree site visitors to  
the Internet address in the Ukraine. DNS servers serve as a kind of  
phone book for Internet traffic, translating human-friendly Web site  
names into numeric Internet addresses that are easier for computers to  
handle.

"Someone got access to [CheckFree's] account credentials and was able  
to log in," Wade said. "There was no breach in our system."
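The change described above happened at the registrar, not on CheckFree's own servers: the authoritative nameservers recorded for the domain were swapped, and every resolver on the Internet then followed the new delegation. A domain owner can watch for exactly that from the outside by comparing the nameserver set the public DNS currently returns with the set they actually registered, and by checking that those nameservers resolve to addresses in the ranges they expect. The Python below is an added example written for this post; it is not code from the article, from CheckFree, or from Network Solutions. The domain, nameserver names and addresses are constructed placeholders (RFC 5737 test ranges and `.invalid` names), and the sample text stands in for what `dig +short NS <domain>` would print in a real run.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed baseline for a hypothetical domain (not CheckFree's real data):
# the nameservers the owner registered, and the address ranges those
# nameservers are expected to sit in.
EXPECTED_NS = {"ns1.example-bank.invalid", "ns2.example-bank.invalid"}
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample of what `dig +short NS example-bank.invalid` might print
# after a registrar-level change: one legitimate server is gone and an
# unknown one has been added. dig prints a trailing dot; case may vary.
SAMPLE_NS_OUTPUT = """\
ns1.example-bank.invalid.
NS9.ROGUE-HOST.INVALID.
"""

# Constructed A-record answers for the nameserver hostnames themselves
# (in a live run these would come from a second lookup per hostname).
SAMPLE_NS_ADDRESSES = {
    "ns1.example-bank.invalid": "198.51.100.10",
    "ns9.rogue-host.invalid": "203.0.113.77",
}


@dataclass
class NsCheck:
    observed: set
    unexpected_servers: set      # in the live delegation, not in the baseline
    missing_servers: set         # in the baseline, not in the live delegation
    out_of_range: dict = field(default_factory=dict)  # nameserver -> address

    @property
    def hijack_suspected(self):
        # Any unknown server, or a known name resolving somewhere unexpected,
        # is worth an alert; a merely missing server may just be an outage.
        return bool(self.unexpected_servers or self.out_of_range)


def normalize(name):
    """DNS names are case-insensitive and dig appends a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_ns_output(text):
    """Turn dig-style NS output into a normalized set of hostnames."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def check_delegation(ns_output, ns_addresses,
                     expected_ns=EXPECTED_NS, expected_nets=EXPECTED_NETS):
    """Compare the live NS delegation against the registered baseline."""
    observed = parse_ns_output(ns_output)
    unexpected = observed - expected_ns
    missing = expected_ns - observed
    out_of_range = {}
    for ns in sorted(observed):
        ip_text = ns_addresses.get(ns)
        if ip_text is None:
            continue  # no address known for this name; reported via 'unexpected'
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in expected_nets):
            out_of_range[ns] = ip_text
    return NsCheck(observed, unexpected, missing, out_of_range)


def main():
    result = check_delegation(SAMPLE_NS_OUTPUT, SAMPLE_NS_ADDRESSES)
    print("observed:   ", sorted(result.observed))
    print("unexpected: ", sorted(result.unexpected_servers))
    print("missing:    ", sorted(result.missing_servers))
    print("out of range:", result.out_of_range)
    print("ALERT: delegation changed" if result.hijack_suspected else "delegation OK")


if __name__ == "__main__":
    main()
```

Run on a schedule against a resolver outside your own network, this catches the effect of the attack the article describes (the delegation pointing somewhere the owner never registered) within one polling interval. It says nothing about how the change was made; someone logging in with valid registrar credentials, as Wade describes, looks identical to a legitimate change from the outside.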

Among the 330 kinds of bills you can pay through CheckFree are  
military credit accounts, utility bills, insurance payments, mortgage  
and loan payments. Browsing through the first few letters of the  
company's alphabetized customer list reveals some big names, including  
Allegheny Power, Allstate Insurance, AT&T, Bank of America, and  
Chrysler Financial. See the full list of companies here.

CheckFree's Tolley stressed that the attack occurred during off-peak  
hours when customer traffic to its Web site is typically low. Still,  
CheckFree has a huge customer base: The company claims that some 24.7  
million consumers initiate payments through its services.

CheckFree declined to say how many of its customers and companies it  
handles payments for may have been affected by the attack. But this  
thread over at an Ubuntu Linux mailing list suggests that U.S. Bank  
may also have been affected by this attack. U.S. Bank did not return  
calls seeking comment.

