CheckFree customers redirected to Ukraine site

Site's domain registration was changed to point to a server hosting malicious downloads in the early morning hours Tuesday, according to reports.

Robert Vamosi Former Editor

Customers of CheckFree.com, an online bill paying site, were quietly redirected to servers in Ukraine early Tuesday morning, according to several reports.

Representatives of CheckFree told WashingtonPost.com that customers were redirected to a blank log-in page that attempted to install malware on the visiting PC. The company said it regained control at 5 a.m. EST Tuesday, so only customers using the site overnight were likely affected.

Mike Haro, senior security analyst at Sophos, told CNET News, "The fact that they used a blank page to download a Trojan (not exactly subtle) says to me one of two things: a) they fell into these credentials and chose the fastest way to get something done, expecting the breach to be quickly detected; or b) they got more than we're being led to believe."

The Post also said someone was able to steal the user name and password to make account changes at CheckFree's domain registrar. The Domain Name System (DNS) takes the common name CheckFree.com and converts it to an online address; the criminals were able to change that online address to a server hosting malicious content.
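
A defender's view of the change described above, as an added example that is not part of the original article: a monitor that compares polled DNS answers for a domain against a pinned baseline and flags nameserver or address drift. The domain names, addresses and observation records are constructed for illustration.

```python
import ipaddress

# Pinned baseline for the monitored zone (constructed values; the
# addresses are RFC 5737 documentation ranges, not CheckFree's).
BASELINE = {
    "example-billpay.test": {
        "ns": {"ns1.example-dns.test", "ns2.example-dns.test"},
        "nets": [ipaddress.ip_network("192.0.2.0/24")],
    }
}

# Constructed observations, as a periodic resolver poll might record them.
OBSERVATIONS = [
    {"ts": "02:10", "name": "example-billpay.test",
     "ns": ["ns1.example-dns.test", "ns2.example-dns.test"], "a": ["192.0.2.10"]},
    {"ts": "02:40", "name": "example-billpay.test",
     "ns": ["ns1.example-dns.test", "ns2.example-dns.test"], "a": ["203.0.113.77"]},
    {"ts": "03:10", "name": "example-billpay.test",
     "ns": ["ns1.other-host.test"], "a": ["203.0.113.77"]},
]


def check(obs, baseline=BASELINE):
    """Return a list of drift findings for one observation."""
    pinned = baseline.get(obs["name"])
    if pinned is None:
        return [f"{obs['name']}: no baseline pinned"]
    findings = []
    # Delegation change: nameservers the owner never configured.
    extra_ns = {n.lower().rstrip(".") for n in obs["ns"]} - pinned["ns"]
    if extra_ns:
        findings.append(f"unexpected NS: {sorted(extra_ns)}")
    # Address change: A records outside the owner's netblocks.
    for addr in obs["a"]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in pinned["nets"]):
            findings.append(f"A record outside baseline: {addr}")
    return findings


def scan(observations=OBSERVATIONS):
    """Map timestamp -> findings, only for observations that drifted."""
    return {o["ts"]: f for o in observations if (f := check(o))}


if __name__ == "__main__":
    for ts, findings in scan().items():
        print(ts, findings)
```

Alerting on the first drifted poll, rather than waiting for customer reports, shortens the window in which visitors are sent to the wrong server.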

CheckFree allows users to pay their utility bills, insurance payments, mortgage and loan payments along with 330 other kinds of bills electronically. The company declined to say how many of its customers may have been affected, according to the Post story.

CheckFree...stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.

Haro said: "I guess I'm less surprised that someone got access credentials, and more surprised at what they did--or didn't do--with that level of access." For example, he hasn't seen evidence the criminals have tried to extract money directly from the exposed accounts.

As of Thursday afternoon, representatives from CheckFree had not responded to CNET News' request for further comment.