
WHID 2008-46: CheckFree customers redirected to fraudsters sites

In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with far greater potential damage, hackers changed the DNS records for CheckFree, the largest bill payment service in the USA. Customers were redirected to servers in Ukraine, which attempted to install password-logging software on their computers.

The change was made using correct credentials to log in to the administrative web site of Network Solutions, CheckFree's domain registrar. It is not yet known how the hackers got the credentials. Since phishing attacks against domain registrars, including Network Solutions, have started to surface recently, a good guess is that it was through a phishing attack.

According to CheckFree's report to the authorities, it estimates that around 160,000 customers were exposed to the attack, and it informed 5 million potential victims who may have been among this group.


WHID 2008-43: Russian nuclear power web sites attacked amid accident rumors

Novosti, the Russian news agency, reports what seems to be a planned two-pronged attack intended to cause panic by spreading a rumor about a nuclear accident near St. Petersburg.

At the same time that e-mails spreading the rumor were distributed, hackers blocked access to the web sites that let the public check the status of the nuclear power plant for themselves, intensifying the panic.

WHID 2008-36: RBS WorldPay Data Breach Hits 1.5 Million (Updated)

Updated: 4 February 2009

Update (Feb 4th 2009): While RBS reported that just 100 cards were abused in the incident, news has now surfaced that those cards were heavily abused: the hacker managed to lift the withdrawal limit and distribute copies of the cards around the world, so that in total 9 million dollars were withdrawn from them in a matter of hours before they were blocked. At least, as the saying goes, losing $100 is your problem; losing a million is the bank's.


The Royal Bank of Scotland (RBS) confirmed that a hacker performed a "sophisticated cyber intrusion" on the web site of its RBS WorldPay unit. 1.5 million credit card numbers and 1.1 million social security numbers may have been stolen.

At this time the only known abuse is the fraudulent use of about 100 reloadable cards, which are used by companies to pay their employees.


WHID 2008-10: Chinese hacker steals user information on 18 Million online shoppers at Auction.co.kr

Update (January 5th 2009)

We were informed by sources at eBay, the Korean site's parent company, that the issue was not CSRF or session hijacking. The attack method was not disclosed.


A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front-page news. We don't know if it was front-page news in Korea, but it did not reach the international media.

The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not only English speakers who get hacked; rather, it is we, the WHID maintainers, who speak only this language.

