
Several Attacks Behind CheckFree Data Breach

Dec 16, 2008

The cybercriminals who breached the CheckFree bill paying service last week used a combination attack that may be almost impossible to stop.

Visitors to the CheckFree site were redirected without their knowledge to a server in Ukraine, where malware was automatically downloaded onto their PCs, Amit Klein, chief technology officer at Trusteer, a company that protects desktops from malware and fraudulent Web sites, told InternetNews.com.

“The fact that it’s so easy to get hold of critical or enterprise assets such as credentials for a corporation’s DNS domain, Web servers, or firewall, is troubling,” Klein said. “Each credential lets you manage critical assets and makes it possible for attackers to control enough parts of your infrastructure to cause a mass infection of your own customers.”

The worst part is that so far, no one seems to know just what the malware does once it is installed on the victim’s computer. Stephan Chenette, manager of security research at Web-filtering vendor Websense, thinks it might be a password-stealing Trojan.

Eventually enterprises may end up becoming the means for infecting a large portion of Internet users, Klein said. A similar attack compromised two Business Week sites earlier this year.

The CheckFree breach is especially troubling because its domain name host, Network Solutions, hosts the majority of financial institutions’ Web sites, Klein said.

Fiserv, the parent company of CheckFree, one of the largest online bill processors in the U.S., and Network Solutions, CheckFree’s domain name registrar, had not responded to requests for comment by press time.

Trusteer’s Klein said the attackers chained three techniques: phishing to obtain system administrator credentials and hijack control of the CheckFree domain, pharming to remap the CheckFree site’s DNS records to the server in Ukraine, and a drive-by malware download delivered to the PCs of all visitors to the site.
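The pharming step described above leaves a visible trace in public DNS: the zone’s delegation or A records suddenly point somewhere the site operator does not control. As an added example (not code from the article or from any vendor it quotes), the following Python compares a freshly resolved DNS snapshot against a constructed baseline and flags the kinds of changes a registrar-level hijack produces; the nameserver names, netblocks and snapshots are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical baseline for a monitored zone (constructed values): the
# expected NS set, the netblocks the site's A records may resolve into,
# and the lowest TTL the operator normally publishes.
BASELINE = {
    "nameservers": {"ns1.example-registrar.net.", "ns2.example-registrar.net."},
    "allowed_blocks": [ipaddress.ip_network("198.51.100.0/24")],
    "min_ttl": 300,
}

@dataclass
class Finding:
    severity: str
    message: str

def check_zone(observed: dict, baseline: dict = BASELINE) -> list:
    """Compare a resolved snapshot against the baseline.

    `observed` is {"nameservers": set, "a_records": list[str], "ttl": int}.
    Returns a list of Findings; an empty list means nothing changed.
    """
    findings = []
    # 1. Delegation change: a hijack via stolen registrar credentials
    #    usually swaps the NS set to attacker-controlled servers.
    added = set(observed["nameservers"]) - baseline["nameservers"]
    removed = baseline["nameservers"] - set(observed["nameservers"])
    if added or removed:
        findings.append(Finding("critical",
                                f"NS set changed: +{sorted(added)} -{sorted(removed)}"))
    # 2. Pharming: A records resolving outside the operator's own netblocks.
    for ip in observed["a_records"]:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in baseline["allowed_blocks"]):
            findings.append(Finding("critical", f"A record {ip} outside allowed netblocks"))
    # 3. A sharply lowered TTL often precedes a quick redirect and is worth a look.
    if observed["ttl"] < baseline["min_ttl"]:
        findings.append(Finding("warning",
                                f"TTL {observed['ttl']} below baseline {baseline['min_ttl']}"))
    return findings

# Constructed snapshots: one normal, one resembling a registrar hijack.
NORMAL = {"nameservers": {"ns1.example-registrar.net.", "ns2.example-registrar.net."},
          "a_records": ["198.51.100.10"], "ttl": 3600}
HIJACKED = {"nameservers": {"ns1.attacker-dns.example."},
            "a_records": ["203.0.113.7"], "ttl": 60}

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(name, [f.message for f in check_zone(snap)])
```

In practice the snapshot would come from querying the zone at its authoritative servers and from a few public resolvers, so that a change at the registrar is caught before the lowered TTL has expired for most users.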

There’s more to come

One of the most high profile victims of such password-stealing Trojans this year was NASA’s International Space Station. “In 2009, attackers will use more and more password stealing Trojans and these will be looking for e-mail account and Web site credentials,” said Chenette.

“We will also see an increase in SQL injection attacks and greater use of targeted phishing attacks,” Chenette added. Such targeted phishing gives attackers the credentials they need to alter a Web site’s content and redirect unsuspecting users of some of the largest, most reputable and most trusted Web sites to sites of their own.

The problem is difficult to solve because it involves user education, Chenette said. “Our research shows users aren’t patching their operating systems, browsers or applications as quickly as they should,” he explained. “There are multiple exploits out there which are over two years old and that are still highly successful.”

Another problem is that many desktop antivirus vendors are still focusing on viruses and malware and not on Web exploits, Chenette said. Even then, they are losing out to the bad guys. “In many cases, security companies are trying to keep pace with the virus writers,” he said.

“Users can protect themselves from malicious content, whether it’s a Web exploit or a virus, by updating their desktop antiviruses, browsers and browser plugins.”
