A lot of attention has been given to raising awareness about phishing. The goal of phishing is to lure unsuspecting people into voluntarily giving up their website credentials so that those credentials can be exploited for financial or other gain. Some phishing scams seem only to spam and propagate themselves. Most web-savvy users know not to trust an email that appears to be from their bank, warns of a security breach, and includes a link to log in and verify the account. But is that all one needs to know?
On December 16, 2008, I received an email from CheckFree, an online bill payment service, saying that my computer may have been exposed to malicious software, putting it at risk. At first glance I thought it was a phishing scheme, but then noticed that my full name and address were included in the email. After reading the email again I realized what must have happened. Customers who tried to log into CheckFree’s bill payment service were redirected to a site that downloaded malware onto their computers. (Forgive me for being the high-technology crime investigation geek, but I was intrigued by that redirection process, called pharming. I did a paper on phishing and pharming a few years ago, but at that time there were no concrete examples of pharming.) Like phishing, pharming involves sending a user to a fake website that looks like the actual site in an effort to get the user’s account credentials or other personal data, but with pharming the URL in the address bar is that of the actual site, which makes the fake very difficult to identify. In such a case you can’t trust your eyes or your browser: the domain name is correct, but the server behind it is not.
Without looking further, the drive-by malware download would make it appear that CheckFree’s own servers had been hacked; however, the criminals did not have to do that. Pharming instead involves gaining access to the website’s account at its domain registrar and pointing the domain name at a nefarious server, so that the legitimate name resolves to a machine the attacker controls. That is what happened here. Access to CheckFree’s account at Network Solutions was obtained by sending a phishing email to CheckFree’s system administrators. The Network Solutions account was then used to point the CheckFree.com domain to a server in Ukraine. Note that the break-in itself was still phishing, only aimed at the company’s administrators rather than at its customers; the registrar credentials were the prize.
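The registrar-level redirect described above leaves a visible trace: the nameservers and A records for the domain change, even though the name itself does not. The following is an added example (mine, not CheckFree’s or Network Solutions’ code) of the kind of baseline check a site operator could run to detect such a change: it compares a previously recorded snapshot of a domain’s nameservers and addresses against a current observation and flags nameserver changes and any address outside the operator’s own network ranges. The domain name, nameserver names, IP addresses and trusted ranges below are constructed for illustration; the live helper only needs the standard library.

```python
"""
Baseline check for the registrar/DNS redirect described in the post:
the name in the address bar is still the real one, but the records behind
it (nameservers at the registrar, A records) now point somewhere else.

All domain names, nameservers, addresses and ranges in this file are
CONSTRUCTED for illustration (RFC 5737 test networks); they are not
CheckFree's, Network Solutions', or the attacker's.
"""
from dataclasses import dataclass
import ipaddress
import socket


@dataclass(frozen=True)
class DnsSnapshot:
    domain: str
    nameservers: frozenset   # NS names delegated for the domain (from the registrar / parent zone)
    addresses: frozenset     # IPv4 addresses the domain currently resolves to


@dataclass
class Finding:
    domain: str
    kind: str
    detail: str


def diff_snapshot(baseline: DnsSnapshot, observed: DnsSnapshot, trusted_networks) -> list:
    """Compare an observed snapshot against the recorded baseline.

    Returns a list of Findings:
      - "nameserver_change"               : delegation no longer matches the baseline
      - "address_outside_trusted_ranges"  : a new A record outside the operator's networks
      - "address_change_within_trusted_ranges": a new A record inside them (routine, but logged)
    An empty list means nothing changed.
    """
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    findings = []

    added_ns = observed.nameservers - baseline.nameservers
    removed_ns = baseline.nameservers - observed.nameservers
    if added_ns or removed_ns:
        findings.append(Finding(
            baseline.domain, "nameserver_change",
            f"added={sorted(added_ns)} removed={sorted(removed_ns)}"))

    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for addr in sorted(observed.addresses - baseline.addresses):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in nets):
            findings.append(Finding(baseline.domain, "address_change_within_trusted_ranges", addr))
        else:
            findings.append(Finding(baseline.domain, "address_outside_trusted_ranges", addr))
    return findings


def snapshot_live(domain: str, nameservers) -> DnsSnapshot:
    """Collect the A records the local resolver returns right now.

    The socket module cannot query NS records, so the delegated nameservers
    are passed in (e.g. copied from `dig NS <domain>` or the registrar's panel).
    """
    infos = socket.getaddrinfo(domain, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return DnsSnapshot(domain, frozenset(nameservers), frozenset(info[4][0] for info in infos))


# --- constructed sample data -------------------------------------------------
TRUSTED_NETWORKS = ["192.0.2.0/24"]            # hypothetical operator-owned range

BASELINE = DnsSnapshot(
    "billpay.example",                           # hypothetical domain
    frozenset({"ns1.billpay.example", "ns2.billpay.example"}),
    frozenset({"192.0.2.10", "192.0.2.11"}))

# Routine change: operator added a web server inside its own range.
ROUTINE = DnsSnapshot(
    "billpay.example",
    BASELINE.nameservers,
    frozenset({"192.0.2.10", "192.0.2.11", "192.0.2.12"}))

# Hijack: delegation moved to attacker nameservers, name resolves to a foreign host.
HIJACKED = DnsSnapshot(
    "billpay.example",
    frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
    frozenset({"198.51.100.77"}))


def finding_kinds(baseline: DnsSnapshot, observed: DnsSnapshot) -> set:
    """Convenience wrapper returning only the kinds of findings raised."""
    return {f.kind for f in diff_snapshot(baseline, observed, TRUSTED_NETWORKS)}


if __name__ == "__main__":
    for label, obs in (("unchanged", BASELINE), ("routine", ROUTINE), ("hijacked", HIJACKED)):
        print(label)
        for f in diff_snapshot(BASELINE, obs, TRUSTED_NETWORKS):
            print(f"  {f.kind}: {f.detail}")
```

Run periodically from a host outside the company’s own network (a resolver inside it may be unaffected by a registrar change for as long as its cache lasts), and treat a `nameserver_change` or `address_outside_trusted_ranges` finding as an incident, not a notification.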
In this attack, users received a blank page and a drive-by malware download from what appeared to be CheckFree’s site. If the attackers had put up a login page instead, we would probably be hearing about all kinds of suspicious payments right now. A login page would also have affected more users: the malware only affected Windows users, whereas a credential-harvesting page would have worked regardless of the operating system. We still don’t know how many customers were affected or what the malware does.
I was not affected outright by this attack, for several reasons, including that I stopped using the MyCheckFree.com branded bill payment service, opting instead to use the one provided by my bank. The troubling thing about this, however, is that CheckFree is the largest bill payment provider in the United States. If you are using an online bill payment service provided by your bank, it is most likely a co-branded CheckFree service. What I have read about this pharming incident suggests that only users of the MyCheckFree.com website were affected. But I do wonder whether any of their other services could be affected by this attack. CheckFree has also started notifying customers who use their bill payment service through banks. In addition, I wonder whether any payment information in transit could have been affected or accessed. I was a developer in the electronic payment group of a bank some time ago, and I don’t quite remember whether payment information between banks is sent via the domain name or an IP address, but it’s a question worth asking. With the encryption and authentication schemes that they use, that might not have been a problem, but I haven’t seen it mentioned anywhere.
According to accounts I read, 5 million customers could have been affected by this attack. It is our job as customers to be vigilant in holding companies accountable for protecting our personal data. To its credit, CheckFree is contacting customers and offering complimentary virus-scanning software. But is that enough? If the attackers had gained access to customers’ accounts, they would have had access not just to bank accounts but also to creditor accounts. It’s hard to even imagine the amount of work needed to remedy those kinds of consequences.
Photo credit: iStockPhoto