A phishing campaign in late October may have given online criminals the information they needed to seize control of CheckFree's internet domain this week.
On the morning of 2 December, attackers logged into CheckFree's domain name registration account at Network Solutions and redirected Internet traffic away from CheckFree's systems to a rogue server located in the Ukraine.
During an incident that lasted just under five hours, CheckFree customers trying to connect with the company's website were attacked with code that exploited a bug in Adobe's Reader software.
But security experts said the groundwork for this attack may have been laid in late October, when Network Solutions customers were targeted in a phishing attack.
In that attack, Network Solutions customers were sent an email crafted to look like it came from the domain name registrar, asking them to enter their account information on a Web site controlled by the criminals. When these attacks are directed at a small but carefully targeted group of victims, they are called "spear phishing" in the security industry.
Network Solutions was one of at least two domain name registrars that were targeted with this attack, said Susan Wade, a Network Solutions spokeswoman. Nobody knows how the CheckFree hackers accessed the domain name account, but they entered the correct password on their first attempt, she said.
Anti-Phishing Working Group Chairman Dave Jevans believes that the October phishing attack may have been to blame.
"It's perfect spear-phishing," he said, noting that attackers can reach an entire community of users, as they did with the CheckFree attack, by hijacking just one domain name.
Domain-name phishing attacks can be very effective because if just one victim hands over login credentials to a popular domain, thousands of Web surfers can be attacked. To make matters worse, people who own domain names are accustomed to receiving regular emails from registrars such as Network Solutions asking them to enter account information. That's because the group that governs Internet domain names, ICANN (the Internet Corporation for Assigned Names and Numbers), requires that this information be reviewed annually.
There were several variations on the Network Solutions scam. In one, customers were told that their domain names had expired and that they were eligible to receive money generated from the sale of the domain to someone else.
This was not the first time Network Solutions has been targeted by phishers, Wade said. The company has taken security measures since the attack, but she did not want to describe them for fear of helping other criminals.
"We were able to work pretty quickly to shut down the [phishing] sites and notify customers," she said.