December 4, 2008 2:01 PM PST

CheckFree customers redirected to Ukraine site

by Robert Vamosi

Customers of CheckFree.com, an online bill paying site, were quietly redirected to servers in Ukraine early Tuesday morning, according to several reports.

Representatives of CheckFree told WashingtonPost.com that customers were redirected to a blank log-in page that attempted to install malware on the visiting PC. The company said it regained control at 5 a.m. EST Tuesday, so only customers using the site overnight were likely affected.

Mike Haro, senior security analyst at Sophos, told CNET News, "The fact that they used a blank page to download a Trojan (not exactly subtle) says to me one of two things: a) they fell into these credentials and chose the fastest way to get something done, expecting the breach to be quickly detected; or b) they got more than we're being led to believe."

The Post also said someone was able to steal the user name and password needed to make account changes at CheckFree's domain registrar. The Domain Name System (DNS) converts the common name CheckFree.com to an online address; the criminals were able to change that online address to point to a server hosting malicious content.
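A defender can catch this kind of registrar-level change by comparing what resolvers return against a recorded baseline. The sketch below is an added example, not part of the original article or anything CheckFree used; the zone name, nameservers, address ranges and observations are all constructed, and it also estimates the exposure window from the first bad answer to the first clean one.

```python
import ipaddress

# Constructed baseline for a hypothetical zone, using documentation names/ranges.
BASELINE = {
    "name": "pay.example.com",
    "a_networks": [ipaddress.ip_network("192.0.2.0/24")],
    "nameservers": {"ns1.example.net", "ns2.example.net"},
}

# Constructed resolver observations: (UTC time, record type, value).
OBSERVATIONS = [
    ("2024-01-09T03:00Z", "NS", "ns1.example.net."),
    ("2024-01-09T03:00Z", "A", "192.0.2.10"),
    ("2024-01-09T06:00Z", "NS", "ns1.unknown.example."),
    ("2024-01-09T06:00Z", "A", "203.0.113.66"),
    ("2024-01-09T10:05Z", "NS", "NS2.example.net."),
    ("2024-01-09T10:05Z", "A", "192.0.2.10"),
]

def is_expected(rtype, value, baseline):
    """True if one observed record matches the recorded baseline."""
    if rtype == "A":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in baseline["a_networks"])
    if rtype == "NS":
        return value.rstrip(".").lower() in baseline["nameservers"]
    return True  # record types without a baseline are not judged here

def find_drift(observations, baseline):
    """Return the observations that disagree with the baseline."""
    return [o for o in observations if not is_expected(o[1], o[2], baseline)]

def exposure_window(observations, baseline):
    """(first bad observation, first clean A answer after it), or None if clean."""
    start = None
    for when, rtype, value in sorted(observations):
        ok = is_expected(rtype, value, baseline)
        if start is None and not ok:
            start = when
        elif start is not None and ok and rtype == "A":
            return (start, when)
    return (start, None) if start else None

if __name__ == "__main__":
    for when, rtype, value in find_drift(OBSERVATIONS, BASELINE):
        print(f"ALERT {when} {BASELINE['name']} {rtype} {value} not in baseline")
    print("exposure window:", exposure_window(OBSERVATIONS, BASELINE))
```
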

CheckFree allows users to pay their utility bills, insurance payments, mortgage and loan payments along with 330 other kinds of bills electronically. The company declined to say how many of its customers may have been affected, according to the Post story.

CheckFree...stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.

Haro said: "I guess I'm less surprised that someone got access credentials, and more surprised at what they did--or didn't do--with that level of access." For example, he hasn't seen evidence the criminals have tried to extract money directly from the exposed accounts.

As of Thursday afternoon, representatives from CheckFree had not responded to CNET News' request for further comment.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by skswave December 8, 2008 10:12 AM PST
Check Free should implement support for strong authentication using the Trusted Platform Module. With over 300 million units in the marketplace, the TPM would eliminate this type of attack completely. The process is simple, the technology is simple; now all we need is for Check Free to be interested in our security.
The TPM is a device that is on your motherboard and can generate unique secret keys for any service provider. These keys can be deleted from the TPM but can never be copied or moved. When the user supplies a PIN number, the TPM will use the keys to perform an authorization to log on. This is an open industry standard and can be used by any service provider.

Check Free is an example of a service provider who should take their customers' interest into account and support new security technologies. The reporters should begin asking why not.

Steven Sprague
CEO
Wave Systems Corp.
by December 9, 2008 8:24 AM PST
The Institute for Cyber Security blog (http://blog.ics.utsa.edu) has an article on the CheckFree attack from their former CTO and CSO. They discuss the root cause, their analysis of the attack and its consequences, and what could have been/can be done differently for CheckFree and other companies.