It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.
CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.
The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.
The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying – my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).
The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.
Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.
I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.
According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."
They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.
I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.