
Online payment site hijacked by notorious crime gang

Your good name, our rogue servers


Updated Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe.

Reg reader Richard D. reported being presented with a bogus secure sockets layer certificate when attempting to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he found the site was resolving to 91.203.92.63. To confirm that the redirection was not local to his own resolver, he checked the name again from a server in another part of the US and got the same result.

"I managed to get through to a commercial customer support tech, and reported the problem," Richard wrote in an email sent early Tuesday morning. "He was not aware of any problem."

The account is consistent with passive DNS records held by bfk.de, and Spamhaus's listing for the address shows precisely the same thing.

Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Spamhaus's listing for the address offers a laundry list of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them.

According to bfk.de, Spamhaus, and SpyNoMore, several other web addresses are also being redirected to that IP address, including phgainc.org, brachetti.com, and camouflageclothingonline.net.

It's unclear how long checkfree.com and mycheckfree.com were redirected to the rogue servers or whether customers have been warned they may have been compromised. CheckFree spokeswoman Melanie M. Tolley declined to provide details except to say that the company took steps to correct the hijacking at about 8 a.m. California time on Tuesday. The impostor website was shut down about five hours later, she said.

Company employees are in the process of warning customers that they may have visited a malicious website masquerading as CheckFree.

"It is taking time to determine exactly what type of malware we might be dealing with but we are currently working on a program update that provides information to the customers about the incident and maintenance tips recommending that all of our users run scans with Symantec's scan utility, and install the latest patches for Adobe Reader, as well as make a regular practice of keeping their computer updated with the latest anti-virus software," Tolley wrote in an email.

"The important thing for our users to know is that the issue is now resolved and we are doing everything we can to mitigate risk."

She declined to say how many users CheckFree has, but she called the service "the leader in electronic billing and payment" that has "processed hundreds of millions of payments reliably since launching this business in 1981."

It's also unclear how the culprits managed to hijack the domains. While security experts say DNS cache poisoning wasn't out of the question, the more likely explanation is that the attackers gained control of the domains' records at the registrar and pointed them at their own servers. Indeed, whois records for both domains indicate they were updated sometime Tuesday, which is what a change at the registrar, rather than a poisoned cache, would leave behind.
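The checks the story turns on, pulled together as an added example that is not code from CheckFree, The Register, Spamhaus or bfk.de: compare answers from independent vantage points against the addresses a domain should resolve to (the reader's check), pivot on passive DNS to see what else sits on the address (the bfk.de and Spamhaus lookups), and test whether the whois record changed around the time of the redirection (the registrar explanation). The 91.203.92.63 address and the domain names are the ones reported above; the vantage-point labels, the 203.0.113.x and 198.51.100.x addresses, the passive-DNS timestamps and the whois text are constructed for illustration.

```python
"""Triage a suspected DNS hijack from three signals: answers from independent
vantage points, the reputation of the address they return, and whether the
registrar record changed at the same time. Added example, not CheckFree's,
Spamhaus's or bfk.de's code. Vantage-point labels, 203.0.113.x/198.51.100.x
addresses, passive-DNS timestamps and whois text are constructed; 91.203.92.63
and the domain names are the ones in the report.
"""
import re
from datetime import datetime, timedelta

# Constructed: A answers from two vantage points, as in the reader's check.
OBSERVATIONS = {
    "mycheckfree.com": {
        "vantage-us-east": ["91.203.92.63"],
        "vantage-us-west": ["91.203.92.63"],
    },
    "example-payments.test": {
        "vantage-us-east": ["203.0.113.10"],
        "vantage-us-west": ["198.51.100.7"],  # only one vantage point disagrees
    },
}

# Constructed: addresses each domain is meant to resolve to (change control).
EXPECTED = {
    "mycheckfree.com": {"203.0.113.20", "203.0.113.21"},
    "example-payments.test": {"203.0.113.10"},
}

# Reputation data, e.g. a Spamhaus listing of the address.
BLOCKLIST = {"91.203.92.63"}

# Constructed passive-DNS records: (first_seen, rrname, rdata).
PDNS = [
    ("2008-12-02T06:00:00", "mycheckfree.com", "91.203.92.63"),
    ("2008-12-02T06:00:00", "checkfree.com", "91.203.92.63"),
    ("2008-11-20T00:00:00", "phgainc.org", "91.203.92.63"),
    ("2008-11-25T00:00:00", "brachetti.com", "91.203.92.63"),
    ("2008-11-28T00:00:00", "camouflageclothingonline.net", "91.203.92.63"),
    ("2008-01-15T00:00:00", "mycheckfree.com", "203.0.113.20"),
]

# Constructed whois excerpts; the report only says the record was updated on
# Tuesday, so the exact dates are invented.
WHOIS = {
    "mycheckfree.com": "Domain Name: MYCHECKFREE.COM\nUpdated Date: 02-dec-2008\n",
    "example-payments.test": "Domain Name: EXAMPLE-PAYMENTS.TEST\nUpdated Date: 03-jun-2007\n",
}


def classify(domain, answers, expected, blocklist):
    """'hijacked' if every vantage point returns an address outside the
    expected set (the zone itself changed); 'partial' if only some do
    (consistent with a single poisoned cache); 'ok' otherwise."""
    seen = {ip for ips in answers.values() for ip in ips}
    unexpected = seen - expected
    if not unexpected:
        verdict = "ok"
    elif all(set(ips) - expected for ips in answers.values()):
        verdict = "hijacked"
    else:
        verdict = "partial"
    return {"domain": domain, "verdict": verdict,
            "unexpected": sorted(unexpected), "listed": sorted(seen & blocklist)}


def cohabitants(records, ip, exclude=()):
    """Other names passive DNS has seen on the same address. Many unrelated
    domains on one IP is the shared-infrastructure signal; shared hosting and
    CDNs look the same, so read it together with the reputation list."""
    return sorted({name for _, name, rdata in records
                   if rdata == ip and name not in exclude})


def whois_updated_within(whois_text, observed_at, hours):
    """True if the whois 'Updated Date' falls within `hours` before the
    observation: a registration change coinciding with the redirection points
    at the registrar rather than at resolver caches."""
    m = re.search(r"Updated Date:\s*(\d{2}-[a-z]{3}-\d{4})", whois_text, re.I)
    if not m:
        return False
    updated = datetime.strptime(m.group(1).lower(), "%d-%b-%Y")
    return timedelta(0) <= observed_at - updated <= timedelta(hours=hours)


def triage(domain, observed_at=datetime(2008, 12, 2, 14, 0)):
    """Combine the three signals for one monitored domain."""
    result = classify(domain, OBSERVATIONS[domain], EXPECTED[domain], BLOCKLIST)
    result["shares_ip_with"] = {ip: cohabitants(PDNS, ip, exclude={domain})
                                for ip in result["unexpected"]}
    result["registrar_change"] = whois_updated_within(WHOIS[domain], observed_at, 48)
    return result


if __name__ == "__main__":
    for name in OBSERVATIONS:
        print(triage(name))
```

Agreement across vantage points is what separates a zone change, where every resolver hands back the rogue address as Richard saw, from a poisoned cache at one resolver, and it is the first thing to establish before escalating to the registrar. The passive-DNS pivot and the whois timestamp then say whether the address is shared criminal infrastructure and whether the registration itself was touched.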

That's the same technique hackers used in May to hijack Comcast's domain name and redirect confused users to a rogue site that bragged of the exploit for three hours.

The hijacking of CheckFree clearly caused some confusion among customers.

"I always pay my bills on the first of the month and I can't get into your website to pay my bills and this will make them late," one CheckFree customer complained. "You COULDN'T pick a better time to update your website. LOUSY MANAGEMENT on your part." ®

This story was updated 3rd December 2008 23:16.
