Hackers Hijacked Large E-Bill Payment Site

Hackers on Tuesday hijacked the Web site CheckFree.com, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today.

The attack, first reported by The Register, a security news Web site, began in the early morning hours of Dec. 2, when Checkfree's home page and the customer login page were redirected to a server in the Ukraine.

CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware. Tolley added that CheckFree regained control over its site by 5 a.m. on Dec. 2. The company said it was still having the malware analyzed by experts.

"The degree of exposure to users is dependent on how current their anti-virus software is and what browser they used to connect with," Tolley said, adding that the company will release more information about the attack as it becomes available.

But Paul Ferguson, a threat researcher with anti-virus firm Trend Micro, said Trend's analysis of the malware indicates that it is a new strain of Trojan horse program designed to steal user names and passwords.

It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine. DNS servers serve as a kind of phone book for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to handle.

"Someone got access to [CheckFree's] account credentials and was able to log in," Wade said. "There was no breach in our system."

Among the 330 kinds of bills you can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments. Browsing through the first few letters of the company's alphabetized customer list reveals some big names, including Allegheny Power, Allstate Insurance AT&T, Bank of America, and Chrysler Financial. See the full list of companies here.

CheckFree's Tolley stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.

CheckFree declined to say how many of its customers and companies it handles payments for may have been affected by the attack. But this thread over at an Ubuntu Linux mailing list suggests that U.S. Bank may also have been affected by this attack. U.S. Bank did not return calls seeking comment.

Update, Dec. 6, 2:11 p.m. ET:: For more on this developing story, please see the post Security Fix published today, Digging Deeper Into the CheckFree Attack.