The cybercriminals who breached the CheckFree bill paying service last week used a combination attack that may be almost impossible to stop.
Visitors to the CheckFree site were redirected without their knowledge to a server in the Ukraine, where malware was automatically downloaded into their PCs, Amit Klein, chief technology officer at Trusteer, which protects desktops from malware and fraudulent Web sites, told InternetNews.com.
"The fact that it's so easy to get hold of critical or enterprise assets such as credentials for a corporation's DNS domain, Web servers, or firewall, is troubling," Klein said. "Each credential lets you manage critical assets and makes it possible for attackers to control enough parts of your infrastructure to cause a mass infection of your own customers."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iThe worst part is that so far, no one seems to know just what the malware does once it is installed on the victim's computer. Stephan Chenette, manager, security research at Web filtering solution provider Websense, thinks it might be a password-stealing Trojan.
Eventually enterprises may end up becoming the means for infecting a large portion of Internet users, Klein said. A similar attack compromised two Business Week sites earlier this year.
The CheckFree breach is especially troubling because its domain name host, Network Solutions, hosts the majority of financial institutions' Web sites, Klein said.
Fiserv, the parent company of CheckFree, one of the largest online bill processors in the U.S., and Network Solutions, CheckFree's domain name registrar, had not responded to requests for comment by press time.
Trusteer's Klein said the attackers used a combination of phishing (define) to get system administrator information to hijack the CheckFree site, pharming (define) to remap the CheckFree site to the server in the Ukraine, and a drive-by malware injection into the PCs of all visitors to the site.
There's more to come
One of the most high profile victims of such password-stealing Trojans this year was NASA's International Space Station. "In 2009, attackers will use more and more password stealing Trojans and these will be looking for e-mail account and Web site credentials," said Chenette.
"We will also see an increase in SQL injection attacks and greater use of targeted phishing attacks," Chenette added. These targeted phishing attacks will provide attackers the necessary credentials to alter a Web site's content and redirect unsuspecting users of some of the largest, most reputable and most trusted Web sites to their own sites.