CheckFree BillPay DNS Hijacking

Posted on December 3rd, 2008 by Ryan Spanier

CheckFree’s online bill payment service suffered a DNS hijacking on Tuesday morning, December 2nd. This incident would have affected the bill-pay portion of any Internet banking application that uses CheckFree. Users trying to visit CheckFree’s websites were redirected to a Ukrainian IP address, which was serving malware to anyone who visited. The exact nature of the malware is not known at this time, but it could include Trojans, keyloggers, bots or other drive-by downloads. The exact domain names that were redirected are also not known, but they could include mycheckfree.com, checkfreecorp.com and ebillplace.com.

A DNS hijacking of this kind involves changing the domain’s registration (name server) records at the domain registrar; it is not an exploitation of CheckFree’s servers. Based on what is currently known, there is no evidence that CheckFree’s servers were compromised, and the online banking websites that use CheckFree’s services were not compromised either. The DNS records have been pointed back to the correct servers, but because resolvers cache answers for the lifetime of the record’s TTL, some servers on the Internet will keep returning the malicious IP until that TTL expires; these cached records can last up to 48 hours. Fortunately, the malicious IP address currently appears to be down.
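The practical check during an incident like this is to confirm what resolvers are actually returning for the affected names and how long a stale answer can linger. The following is an added example, not code from the original post or from CheckFree: it builds and parses raw DNS response packets with the Python standard library, flags any A record outside an expected address set, and reports the record TTL as the upper bound on how long a cached bad answer can persist. The domain name, addresses (RFC 5737 documentation ranges) and TTLs are constructed for illustration, not the real records from the incident.

```python
"""Added example: parse DNS A answers and flag addresses outside an allowlist.

All packets, addresses and TTLs below are constructed for illustration
(RFC 5737 documentation ranges); they are not the real CheckFree records.
"""
import struct


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response with one A record per (ip, ttl) pair.

    Each answer name is a compression pointer (0xC00C) back to the question
    name at offset 12, the way real resolvers encode it.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    body = b""
    for ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + body


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(msg: bytes):
    """Return [(name, ip, ttl)] for every A/IN record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def check_hijack(msg: bytes, expected_ips):
    """Compare answers with the expected set.

    Returns (ok, unexpected, max_stale_seconds): unexpected is a list of
    (ip, ttl) for answers outside the allowlist, and max_stale_seconds is the
    longest a resolver that cached such an answer may keep serving it.
    """
    expected = set(expected_ips)
    unexpected = [(ip, ttl) for _, ip, ttl in parse_a_records(msg)
                  if ip not in expected]
    max_stale = max((ttl for _, ttl in unexpected), default=0)
    return (not unexpected, unexpected, max_stale)


if __name__ == "__main__":
    # Constructed scenario: 192.0.2.10 is the "legitimate" address, and a
    # hijacked answer points at 198.51.100.7 with a 48-hour TTL.
    legit = {"192.0.2.10"}
    good = build_a_response("mycheckfree.com", [("192.0.2.10", 300)])
    bad = build_a_response("mycheckfree.com", [("198.51.100.7", 172800)])
    for label, pkt in (("good", good), ("bad", bad)):
        ok, unexpected, stale = check_hijack(pkt, legit)
        print(f"{label}: ok={ok} unexpected={unexpected} stale_for={stale}s")
```

In a real check you would feed `check_hijack` the bytes returned by a UDP query to several public resolvers and your own, since a registrar-level change shows up from every vantage point while a cache-poisoning attack typically does not; the TTL in each answer tells you how long that resolver will keep returning the bad address after the registrar records are corrected.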

Users who accessed the websites over HTTPS were shown an “invalid certificate” warning, because the attacker’s server could not present a certificate for the hijacked domain issued by a trusted certificate authority. However, many users bypass warning dialogs without reading them. A user who bypassed the warning and visited the site would have been prompted to download and install an executable. Anyone who ran that executable should assume the PC is infected and should not log on to any financial or other critical websites from it until more is known about the malware involved. Any user who believes an account password may have been compromised should contact the institutions involved over the phone to change that password.
