Network Solutions phishing attack preceded CheckFree domain takeover

IDG News Service - A late October phishing attack that targeted customers of domain name registrar Network Solutions LLC may have given cybercriminals the information they needed to seize control of payment processor CheckFree Corp.'s Internet domain this week.

On the morning of Dec. 2, attackers logged into CheckFree's domain name registration account at Network Solutions and redirected Internet traffic away from CheckFree's systems to a rogue server located in the Ukraine. For a period of just under five hours, CheckFree customers trying to connect to the company's Web site were attacked with code that exploited a bug in Adobe Systems Inc.'s Reader software.

But security researchers said Thursday that the groundwork for the attack against CheckFree may have been laid in late October, when customers of Network Solutions were targeted by a phishing campaign.

In the earlier attack, Network Solutions customers received an e-mail crafted to look like it came from the domain name registrar, asking them to enter their account information on a Web site that turned out to be controlled by the criminals who sent the fake message. Such campaigns, directed at small but carefully targeted groups of victims, are known as "spear phishing" attacks.

Network Solutions was one of at least two domain name registrars that were targeted in the attack, said Susan Wade, a spokeswoman for the company. Nobody knows how the hackers who took control of CheckFree's domain were able to access its account at Network Solutions, but Wade said they entered the correct password on their first attempt.

Dave Jevans, chairman of the Anti-Phishing Working Group, thinks that the October phishing attack may have been to blame. "It's perfect spear-phishing," he said, noting that attackers can strike out an entire community of users, as they did with the CheckFree hijacking, by taking over just one domain name.

In general, domain-name phishing attacks can be very effective because if just one victim hands over log-in credentials to a popular domain, thousands of Web surfers can be attacked. To make matters worse, people who own domain names are accustomed to receiving regular e-mails from Network Solutions and other registrars asking them to enter account information. That's because the organization that governs Internet domain names, the Internet Corporation for Assigned Names and Numbers, requires the information to be reviewed annually.

There were several variations on the Network Solutions scam. In one, customers were told that their domain names had expired and that they were eligible to receive money generated from the sale of the domain to someone else. "We were able to work pretty quickly to shut down the [phishing] sites and notify customers," Wade said.

She added that the October attack wasn't the first time Network Solutions had been targeted by phishers. The company has implemented new security measures since the attack, but Wade declined to detail them for fear of helping other cybercriminals.