So whats the scope here. It seems that someone out there took over the DNS settings for CheckFree and redirected, high jacked, the CheckFree online bill pay sites to another web site. From what we are told, when a user attempted to access a checkfree bill pay site through their financial institution they were directed to a blank screen. How ever if you went directly to the online bill pay from check free you were directed to another site that was a replica of ChekFree’s that also attempted to install password-stealing software on the victims machine.

You can read more from Security Fix here and here.

In addition CheckFree has started to send out emails to users that they fell “could” have been effected by this attack.

December 7, 2008

First Initial, Last Name
Address
SAN DIEGO, CA Zip Code

Dear First Initial, Last Name,

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may be infected with malicious software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

* You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
* You were using a computer with the Windows operating system, and
* You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
* After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have arranged with McAfee, the world’s largest dedicated security technology company, to provide you with an assessment of your computer’s hard drive and remove any malicious software. Please contact us at 877-800-4864 for further instructions or 800-564-9184, Option 1 for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.

We value your business and your trust, and we apologize for any inconvenience this recent incident has caused.

Thank you,

Art D’Angelo

Vice President, CheckFree Customer Operations

If you feel that you may have visited the Check Free site during those times or are just worried. Update your virus scan software and run a complete scan. You can also visit various AV vendors web sites for online virus scans of your computer.

Does this mean you should stop using online banking? No of course not, however you should look into browser toolbars that can help in identifying sites that are Phishing or just plain wrong. One of my favorites is the Trace tool bar from TraceSecurity. Most security tool bars out there only use what is called a blacklist, know bad sites, this is a method that is always reactive in nature (one step behind, like Antivirus vendors). The Trace tool bar using a whitelist. This method is more ideal in that it keeps a list of know good, and can alert you to any change in the location of your financial instutions web site. In the case of Check free DNS highjack, it could have alerted the user that the checkfree web site was no longer loading from the know good location. Read more about and download the Trace tool bar here.