Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe.
Reg reader Richard D. reported receiving a bogus secure sockets layer (SSL) certificate when attempting to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he discovered the site was resolving to 22.214.171.124. To confirm the redirection was an internet-wide problem rather than a local one, he checked the site using a server in another part of the US and got the same result.
“I managed to get through to a commercial customer support tech, and reported the problem,” Richard wrote in an email sent early Tuesday morning. “He was not aware of any problem.”
The account is consistent with results of passive DNS search queries such as this one from bfk.de. Spamhaus shows precisely the same thing here.
Security experts say the 126.96.36.199 IP address has long served as a conduit for online crime. Spamhaus offers this laundry list of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them.
According to bfk.de, Spamhaus, and SpyNoMore, several other web addresses are also being redirected to that IP address, including phgainc.org, brachetti.com, and camouflageclothingonline.net.
It’s unclear how long checkfree.com and mycheckfree.com were redirected to the rogue servers or whether customers have been warned they may have been compromised. Representatives from CheckFree and its parent company Fiserv didn’t return a phone call and email requesting comment for this story. (We’ll be sure to update if they get back to us).
It’s also unclear how the culprits managed to hijack the domains. While security experts say DNS poisoning wasn’t out of the question, the more likely explanation is a malicious transfer of the domains through their registrar. Indeed, whois records for both addresses indicate they were updated sometime Tuesday.
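The two checks described above, comparing a domain's answers from several vantage points against its known address and looking for a fresh whois update, can be scripted. The following is an added example, not code from the article, from The Register or from CheckFree; the vantage-point results, the whois excerpt and the reserved documentation addresses are constructed sample data, and the field layout assumes a registrar that prints an ISO-8601 "Updated Date" line.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: A records returned for the same hostname by three
# vantage points, as a reader might gather by querying from different regions.
OBSERVED = {
    "us-east": ["203.0.113.10"],
    "us-west": ["203.0.113.10"],
    "eu-west": ["198.51.100.7"],  # stale cache still serving the legitimate record
}
EXPECTED_IPS = {"198.51.100.7"}  # the provider's known, documented address

# Constructed whois excerpt; real registrar output varies in layout (assumption).
WHOIS_TEXT = """Domain Name: EXAMPLE-BILLPAY.TEST
Updated Date: 2008-12-02T06:41:00Z
Creation Date: 2000-03-15T00:00:00Z
"""

def whois_updated_at(whois_text):
    """Return the 'Updated Date' field as an aware UTC datetime, or None if absent."""
    m = re.search(r"^Updated Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z",
                  whois_text, re.M)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def assess_hijack(expected_ips, observed, whois_text, now, window=timedelta(hours=24)):
    """Flag vantage points answering with addresses outside the allow-list and a
    registrar-side change inside the window, the two signals the article relies on."""
    unexpected = {}
    for vantage, ips in observed.items():
        foreign = sorted(set(ips) - set(expected_ips))
        if foreign:
            unexpected[vantage] = foreign
    updated = whois_updated_at(whois_text)
    recent = updated is not None and timedelta(0) <= (now - updated) <= window
    # One disagreeing resolver may just be a stale or poisoned cache; several
    # agreeing on a foreign address, or one plus a fresh registrar update,
    # points at the registrar-transfer path the article considers most likely.
    suspected = len(unexpected) >= 2 or (len(unexpected) == 1 and recent)
    return {
        "unexpected": unexpected,
        "whois_recently_updated": recent,
        "hijack_suspected": suspected,
    }

if __name__ == "__main__":
    sample_now = datetime(2008, 12, 2, 12, 0, tzinfo=timezone.utc)
    print(assess_hijack(EXPECTED_IPS, OBSERVED, WHOIS_TEXT, sample_now))
```

In production the observed answers would come from live queries against independent resolvers and the whois text from the registrar, with the expected set maintained from change-controlled records.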
That’s the same technique hackers used in May to hijack Comcast’s domain name and redirect confused users to a rogue site that bragged of the exploit for three hours.
Whatever the mechanism, the hijacking of CheckFree has clearly caused some confusion among customers.
“I always pay my bills on the first of the month and I can’t get into your website to pay my bills and this will make them late,” one CheckFree customer complained here. “You COULDN’T pick a better time to update your website. LOUSY MANAGEMENT on your part.”
Source: The Register