CheckFree DNS Hijack

From Customer Email to Me
to:        rex
date:    Thu, Dec 11, 2008 at 11:20 AM
subject:    Fwd: Urgent: Bill Pay Service Information

Here is a copy of the email I was sent today.  Let me know if there is something I need to do relative to his and my computer

From: MyCheckFree Customer Service
To: :xoxoxoxoxo
Sent: Thu, 11 Dec 2008 12:00 am
Subject: Urgent: Bill Pay Service Information

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008


We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.
The malicious software affects some but not all customers who accessed on line bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

    * You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
    * You were using a computer with the Windows operating system, and
    * You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
    * After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have partnered with McAfee®, the world’s largest dedicated security technology company, to provide you with a complimentary copy of its VirusScan® Plus software which, when installed, will detect, block and remove any malicious software from your computer hard drive. Please contact us at 877-800-4864 for further instructions or 800-564-9184 (Option 1) for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.
CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,
Art D’Angelo
Vice President, CheckFree Customer Operations

My Response

Here is everything I could quickly research. It goes without saying to run a credit report on you and xoxoxo within the next 30 days just to be safe, and of course monitor your bank accounts, etc, which I’m sure you already are doing. I doubt you will have an issue, but better safe than sorry – and it can all be done online.

In easy tech terms, what happened was their DNS settings were modified which allowed attackers to temporarily redirect users to the malicious site. Fortunately, CheckFree is doing the right thing by informing all customers and being upfront about it, albeit a little late in the game.

More info on exploit:

We need to make sure that your anti-virus is up to date on yours and xoxoxox’s computer and run a scan. If you didn’t use your banks online bill pay or CheckFree’s site during the affected time, then you are also most likely safe.

Check for your bank or known bill recipients here:

If you both are primarily using Firefox then the chances of any problems are greatly reduced. First, Firefox would have warned of an invalid security certificate (SSL) during the redirect. Secondly, Firefox 3 has built-in phishing detection which would have probably warned of the redirect. Thirdly, Firefox doesn’t run ActiveX controls (bane of Internet Explorer security) so it wouldn’t have installed the software without prompting you to download something – unless the site also had a javascript exploit of some sort.

Here is what we can do to help prevent DNS exploits in the future. I can configure all of your computers to use the OpenDNS system/service which is free and works wonderfully. It takes less than 2 minutes to configure a computer and works in the background so it is totally transparent to the user.

You and everyone you know needs to be running Firefox and not Internet Explorer – I cannot stress this enough for security. Plus, you (and everyone you know) needs to follow some basic (and simple) security practices online.

As an added benefit, OpenDNS allows for filtering of content (porn, etc) on the network level. We can even block Myspace, etc, if we want. We will be adding this to the office network on my next trip out (probably tomorrow as we discussed), and we can add it to your home network. Again, the service is free except the time it takes me to set it up.

More information:

Lastly, remember that using online services is still very safe. As a matter of fact, in most cases it is safer that writing a check to a local merchant or handing your credit card to a convenience store clerk. Banking online and billpay online is still the best (and safest) way to go, and in this case CheckFree is alerting customers.