CheckFree Attack

Brian Krebs reports on a attack on CheckFree in todays Security Fix blog.
It looks like someone used phishing to get credentials for their Network Solutions account. Brian says “This may seem like a logical stretch, and perhaps it is.” I dont know about that. If they just phished the email address in the whois record they would probably get the right person.
Once they had the login credentials it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.
Avivah Litan, a fraud analyst with Gartner seems to think that other (unnamed) security mechanisms should be in place besides username and password. “If all that’s protecting a bank’s Web site is a user name and password, that’s kind of like having a massive vulnerability in the core of the Internet,”
I’m not sure the solution is some call back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs.
I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I dont know enough about that to know if its a solution. The RFC says it means “ignore all updates except to turn off clientUpdate Prohibited”. That doesn’t sound like much defense.
While it is a reactive defense, it doesn’t cost much to monitor your domains so you are alerted about DNS errors and changes.
Also if Network Solutions had emailed a change alert to the address of record this could have been caught earlier as well.
To me the bottom line is personnel need to be trained not to fall for phishing attacks.