Digging Deeper Into The CheckFree Attack

WASHINGTON, DC -- The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009.

Atlanta-based CheckFree acknowledged Wednesday that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software.

While this attack garnered few headlines, there are clues that suggest it may have affected a large number of people. CheckFree claims that more than 24 million people use its services.

Avivah Litan, a fraud analyst with Gartner Inc., said CheckFree controls between 70 and 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments.

A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records.

Network Solutions stressed that the credentials were not stolen as a result of a breach of its system, suggesting that the user name and password needed to make changes to CheckFree's Web site records could have been stolen either after a CheckFree employee's computer was infected with password-stealing malware, or after an employee was tricked into giving those credentials away through a phishing scam.

There are several indications that the credentials may have been stolen through a phishing attack aimed at Network Solutions customers. Roughly one month ago, Network Solutions warned that phishers were trying to trick its customers into entering their Web site credentials at a fake Network Solutions Web site.

At about that same time, a similar phishing attack was spotted spoofing eNom, the second-largest domain name registrar, according to registrarstats.com (Network Solutions has the fourth-largest stable of domain names, data from RegistrarStats shows).

Interestingly, CheckFree.com was not the only site that the attackers hijacked and redirected to the Ukrainian server. Tacoma, Wash.-based anti-phishing company Internet Identity found at least 71 other domains pointing to the same Ukrainian address during that same time period. Of those, 69 were registered at either eNom or Network Solutions, and all appeared to be legitimate domains that had been hijacked.

Still, the phishing angle suggests that the attackers managed to phish not only an employee at CheckFree, but an employee who happened to know the credentials needed to administer the company's site records. This may seem like a logical stretch, and perhaps it is.

Regardless of how the credentials were stolen, however, the registrars remain an attractive target for cyber criminals, according to a sobering study (PDF) released this summer by a security advisory group to the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain registrars.

In an unrelated study conducted last year, Internet Identity examined some 12,305 domain names used by U.S. banks, and found that 70 percent of them were registered at a single domain registrar: Network Solutions.

In a note to Security Fix, Internet Identity President Rod Rasmussen said the 12,305 domains cover the entire banking industry plus select e-commerce and infrastructure providers, which amounts to something more like 30,000 institutions.

He said the reason for the apparent disparity between those two numbers is that there are a large number of banks and credit unions that use third party platforms for their online banking.

"That means that those platform providers are especially tempting targets, as they have dozens or even hundreds of small financial institutions that they handle online banking and other transactions for," Rasmussen said. "Those small institutions have no control over the DNS for those platform providers so are completely dependent upon them to make sure their domains are secure. CheckFree would certainly fit into that platform provider category."

Gartner's Litan said this raises the question: What kind of security mechanisms are in place at Network Solutions to ensure that someone armed with the credentials for any of these Web sites can't simply redirect visitors to a malicious or counterfeit Web site?

Perhaps other financial institutions have insisted on additional security measures, but all that was needed in this case to seize control over CheckFree's site was a single set of credentials.

"If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet," Litan said. "This could have been a lot worse, and if they can do it to CheckFree, they can do it to other banks."
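Because the registrar's only gate in this case was a user name and password, a domain owner's own fallback is to watch its delegation and address records for changes it did not make. The following is an added example, not code from the article or from any company named in it: it parses dig-style answer lines (constructed sample data, not real DNS records) and flags nameservers outside a known-good set and A records outside the owner's approved address ranges, the two changes a registrar-level hijack of the kind described above would produce.

```python
import ipaddress

# Known-good baseline for a domain: the NS set it should delegate to and the
# IPv4 ranges its A records should fall in. All values are constructed.
BASELINE = {
    "nameservers": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "allowed_ranges": [ipaddress.ip_network("198.51.100.0/24")],
}

def parse_records(lines):
    """Parse 'name ttl class type value' lines (dig answer format) into {type: set(values)}."""
    records = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        rtype, value = parts[3].upper(), parts[4]
        records.setdefault(rtype, set()).add(value)
    return records

def check_drift(records, baseline):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    unexpected_ns = records.get("NS", set()) - baseline["nameservers"]
    if unexpected_ns:
        findings.append("unexpected nameserver(s): " + ", ".join(sorted(unexpected_ns)))
    for addr in sorted(records.get("A", set())):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in baseline["allowed_ranges"]):
            findings.append(f"A record {addr} outside approved ranges")
    return findings

# Constructed sample of what a hijacked delegation might look like.
OBSERVED = """
; constructed answer section, not real DNS data
example.com.        300  IN  NS  ns1.attacker-dns.example.
example.com.        300  IN  NS  ns2.attacker-dns.example.
login.example.com.  60   IN  A   203.0.113.77
""".splitlines()

if __name__ == "__main__":
    for finding in check_drift(parse_records(OBSERVED), BASELINE):
        print("ALERT:", finding)
```

Run periodically from a host outside the registrar's control and alert on any non-empty result; the baseline is the owner's own record of where the domain should point, so a change made with stolen registrar credentials still shows up.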

A spokesperson for Network Solutions declined to discuss what - if any - additional security measures the company has in place for bank Web sites.

Likewise, CheckFree isn't saying much about the attack, except that it is implementing an aggressive outreach plan to help affected users assess their computers and clean the malicious software if their PCs have been infected.

The company says it has begun notifying potentially affected users, and that those customers will receive complimentary McAfee anti-virus software and Deluxe ID Theft Block credit monitoring service.

"In addition, affected users will also have a special McAfee link to assess their computers to see if any viruses exist and if they do, will be provided a free clean up as well as complimentary updated antiviral software," CheckFree said in a statement. "We are working with our clients to provide this service."

CheckFree declined to answer any specific questions, such as how it knows exactly how many and which customers may have been affected. Security Fix heard from a trusted source who claims to have had direct access to a log of visitors to the Ukrainian site during the hours that CheckFree's site was being redirected there.

That source, who asked to remain anonymous so as not to compromise his role in the investigation, said the log indicates that at least 5,000 people were redirected to the Ukrainian site during the four and a half hours of the attack early Tuesday morning.

It is unclear whether that was a count of visitors whose systems were successfully infected with the malicious software the site was trying to foist, or whether it was a simple log of the number of visitors to the site.

The incident, however, highlights an attack that we are likely to see more frequently next year, said Panos Anastassiadis, chief executive at Cyveillance, a cyber intelligence company in Arlington, Va.

"This type of attack is going to come in a dozen flavors in the coming months," Anastassiadis said. "Registrars don't comprehend the layers of security they may be forced to put in place as a result."

Source: Washington Post