CheckFree, a major Internet bill payment site recently acquired by Fiserv, had the DNS for its customer sign-in page modified on Tuesday, redirecting users to a Ukrainian malware site that attempted to infect them with a password-stealing trojan.
According to Brian Krebs' article about the incident, the root of the compromise was a DNS redirect:

"It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine."

This of course indicates that a trusted user's credentials were phished. Interestingly, according to Krebs, as many as 71 other sites were also redirected, making this a reasonably large attack and likely one that foreshadows a trend we will see this year. As site security improves and more time is spent on front-facing web application security, phishing for credentials and compromising DNS and hosting platforms are becoming more attractive to attackers.
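As an added example (not from the original post, CheckFree or Krebs), here is a defender-side baseline check that catches the kind of registrar-level NS change described above: sample the domain's authoritative NS set periodically and flag any drift from the nameservers registered on file, reporting the window during which visitors may have been redirected. All nameserver names and timestamps below are constructed.

```python
# Added example, not from the original post or from CheckFree/Krebs.
# Assumes an organisation periodically records its domain's authoritative NS
# set (e.g. from several public resolvers) and compares each sample against the
# nameservers registered on file. Names and timestamps are constructed.

# Expected authoritative nameservers (constructed placeholder names).
BASELINE_NS = {"ns1.example-bank.net.", "ns2.example-bank.net."}

# Constructed observations: (timestamp, NS set seen by a resolver).
OBSERVATIONS = [
    ("2008-12-02T00:00", {"NS1.example-bank.net", "ns2.example-bank.net."}),
    ("2008-12-02T00:30", {"ns.attacker-placeholder.example."}),
    ("2008-12-02T06:00", {"ns.attacker-placeholder.example."}),
    ("2008-12-02T10:10", {"ns1.example-bank.net.", "ns2.example-bank.net."}),
]


def normalize(ns_set):
    """Lower-case and add a trailing dot so comparison ignores case/format."""
    return {n.lower().rstrip(".") + "." for n in ns_set}


def ns_drift(observed, baseline=BASELINE_NS):
    """Return (unexpected, missing) nameservers relative to the baseline."""
    obs, base = normalize(observed), normalize(baseline)
    return sorted(obs - base), sorted(base - obs)


def hijack_windows(observations, baseline=BASELINE_NS):
    """Return (start, end, unexpected_ns) for each span in which the NS set
    drifted; end is None if the drift persists at the last sample."""
    windows, start, bad = [], None, None
    for ts, ns in observations:
        unexpected, missing = ns_drift(ns, baseline)
        drifted = bool(unexpected or missing)
        if drifted and start is None:
            start, bad = ts, unexpected
        elif not drifted and start is not None:
            windows.append((start, ts, bad))
            start, bad = None, None
    if start is not None:
        windows.append((start, None, bad))
    return windows


if __name__ == "__main__":
    for start, end, bad in hijack_windows(OBSERVATIONS):
        print(f"NS drift from {start} until {end or 'now'}: {bad}")
```

Feeding real samples in requires only replacing OBSERVATIONS with the output of your own periodic NS lookups; a non-empty result from hijack_windows is the alert, and the start/end pair bounds the exposure window to communicate to users.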
Sadly, it took until today for CheckFree to notify customers in any detail via email. CheckFree's customer email lists the following conditions under which users of the site might have been infected, but does not provide detailed information about the malware or a link to any. Customers might be affected if:
- You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
- You were using a computer with the Windows operating system, and
- You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
- After reaching the blank screen, your computer's virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.
For now, affected users will need to clean their systems, reset their passwords, and make sure they are using better browser and system security to help prevent future compromises.