[personal profile] andyhat
I've been using mycheckfree.com for years to pay my utility bills. So tonight, I get an email that purports to be from them informing me that if I had attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time on Tuesday, December 2, 2008 using Windows, their site may have redirected me to a site that might have infected me with malware which may have escaped detection by virus scanners. I use Opera and Chrome, not IE, so I'm probably safe, but I have no idea if I accessed the site during that time (I quickly log in and schedule payments when I get notification that bills have arrived, so I don't really remember when I used it), and they say they're working with McAfee to provide more information and assessment.

So, assuming this is legit, it's good of them to let customers know about the potential problem, though it would have been nice if they'd included a bit more detail on the malware in question. But they obviously have very little clue about how to handle this sort of thing.

The email they sent was mailed from mail17c.mkt030.com, and the return address is ebillinfo@customercenter.net. Links in the mail go to links.mkt030.com. That may be a legit bulk mailing company, but who knows?

They have a mechanism in place to deliver messages via the web site after you log in, so I check that; no copy of the message there, and no info on the site about the breach.

I go look up their customer service 888 number and call that; it's already closed for the night, and the message there says nothing about the problem.

There's an 877 number in the email I got, but the only Google hit for that is a copy of this very email, and the guy who answers it admits it was newly registered to deal with this problem. So, um, how do I know I'm talking to Checkfree?

The email did contain my name and the out-of-date address I have on file with them, but of course, if their site was actually hacked, that doesn't tell me anything - and that much is public record anyways.

So, it's great they sent out a timely message about their breach. But I got it on Saturday night, and it appears there's no authenticatable method of contacting them for further information until Monday.

Checkfree Corp obviously has no clue about security and social engineering. Unfortunately I'm not sure there are any better options, since most billpay sites end up using Checkfree on the back-end. Anyone have any suggestions for other sites that do bill presentment and payment for Duke Energy and AT&T that don't use Checkfree?

ETA: Here's an article about the breach. So it would seem a Checkfree employee fell prey to a phishing attack and leaked their password with Network Solutions for domain registration. And now they're sending out emails to customers that are indistinguishable from a phishing attack. That's some astounding incompetence.
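The domain mismatch described in the post can be checked mechanically. The following is an added example, not part of the original post: it audits a message's sender, relay and link hosts against the domain the customer actually uses (mycheckfree.com). The sample message is constructed from the hostnames named above; its subject, Received line, receiving host and URL paths are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample built from the domains named in the post; not the real message.
SAMPLE = """\
Received: from mail17c.mkt030.com (mail17c.mkt030.com) by mx.example.net; Sat, 6 Dec 2008 21:00:00 -0500
Return-Path: <ebillinfo@customercenter.net>
From: CheckFree <ebillinfo@customercenter.net>
Subject: Important information about your online bill payment
Content-Type: text/plain

Please read: http://links.mkt030.com/ctt?kn=1
Questions? Visit http://links.mkt030.com/ctt?kn=2
"""

def in_domain(host, expected):
    """True if host is expected or a subdomain of it (label-boundary match)."""
    host, expected = host.lower().rstrip("."), expected.lower()
    return host == expected or host.endswith("." + expected)

def audit(raw, expected):
    """Return (field, host) pairs whose host falls outside the expected domain."""
    msg = message_from_string(raw)
    seen = []
    for field in ("From", "Return-Path"):
        addr = parseaddr(msg.get(field, ""))[1]
        if "@" in addr:
            seen.append((field, addr.rsplit("@", 1)[1]))
    # Sending host named in the topmost Received header
    m = re.match(r"from\s+(\S+)", msg.get("Received", ""))
    if m:
        seen.append(("Received", m.group(1)))
    # Hosts of every URL in the plain-text body
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlparse(url).hostname
        if host:
            seen.append(("link", host))
    return [(f, h) for f, h in seen if not in_domain(h, expected)]

if __name__ == "__main__":
    for field, host in audit(SAMPLE, "mycheckfree.com"):
        print(f"{field:12} {host}  (not under mycheckfree.com)")
```

Every identifier in the sample falls outside the expected domain, which is what makes the notice unverifiable from the message alone. A passing result would only show consistency, not authenticity, since in this incident the site's own DNS entries had been changed.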

Date: 2008-12-07 06:52 am (UTC)
From: [identity profile] randwolf.livejournal.com
Use a reliable local credit union, if possible--these often have billpay services. It's something that's heard over and over again, but it bears repeating: do not bank with an organization you don't know.

Date: 2008-12-07 07:03 am (UTC)
From: [identity profile] andyhat.livejournal.com
I've been using mycheckfree for 8(?) years. At any rate, since before my credit union had billpay services. But while I do like the electronic bill presentment, I suppose this will motivate me to go back to paper bills and to set myself up with the credit union's billpay site.

Date: 2008-12-07 08:54 am (UTC)
From: [identity profile] boywhocantsayno.livejournal.com
That's all very fishy sounding to me - you would think that they would have a 24/7 customer service department, given the business they're in. (Of course, this is the first time I've ever heard of this company, so I can be of no help to you.)

I had a similar problem this week - I got an email purporting to be from my bank telling me that my account had been suspended due to too many attempts to log on with an incorrect password, and that I should click on the link in the email and enter my username and password to reactivate my account. However, there was a grammatical error in the very first sentence, which raised my suspicions, and so I looked carefully at the URL of the link - not in the link itself, but in the taskbar of my browser when I hovered my mouse over the link, and sure enough, it was going to a non-Bank of Montreal website. So I forwarded the email to their fraud department and deleted it.

None of this has any real direct bearing on your situation, of course, but who knows - there could be a company that's targeting a whole bunch of different financial services companies and sending out emails to make people think that their accounts have been hacked. (I'm not quite sure how they knew I was a BMO customer, though, unless they've hacked into BMO's database to get my email address, or I somehow got malware on my computer from another site prior to the last time I paid my bills.)

Date: 2008-12-07 08:55 am (UTC)
From: [identity profile] boywhocantsayno.livejournal.com
I just saw your edit - it sounds even more similar to what happened at BMO, though I can't be sure that their database got hacked the same way. Oy. Idiots.

Check your browser history.

Date: 2008-12-07 04:58 pm (UTC)
From: (Anonymous)
Check your browser history. I received this email too. I checked my browser history to see if I paid anything. Which I hadn't on Dec. 2nd (Tuesday).

Date: 2008-12-07 08:38 pm (UTC)
From: [identity profile] h-postmortemus.livejournal.com
Yeah, it's for real. Someone logged into their domain name administration account, changed the DNS entries and voila!

This isn't the first time I've heard of that happening... I need to check my own domain admin accounts and make sure they have tight passwords...

Newsflash

Date: 2008-12-08 08:32 am (UTC)
From: (Anonymous)
CheckFree does bill pay for the credit unions mentioned. By the way, less than 5000 people actually clicked on the bogus site. 95% of them had antivirus software. Unfortunate? Yes. Was this contained and dealt with appropriately? Without a doubt.
