Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.
Reached via phone in Moscow, ChronoPay chief executive Pavel Vrublevsky said the bogus payment page was up for several hours spanning December 25 and 26, during which time the attackers collected roughly 800 credit card numbers from customers visiting the site to make payments for various Russian businesses that rely on ChronoPay for processing.
In the attack, ChronoPay’s domain was transferred to Network Solutions, and its domain name system (DNS) servers were changed to “anotherbeast.com,” a domain registered at Network Solutions on Dec. 19, 2010.
The attackers left a message on the ChronoPay home page – designed to look as if it had been posted by Vrublevsky (see image above) – stating that hackers had stolen the personal data of all ChronoPay users who had shared payment information with the company in 2009 and 2010.
Vrublevsky said the message was faked — that it was “absolutely not true” — and that the damage was limited to the 800 card numbers. He added that the company was still working with its registrar Directnic and with Network Solutions to understand how the attackers managed to hijack the domain.
The hackers also stole and posted online at least nine secret cryptographic keys ChronoPay uses to sign the secure sockets layer (SSL) certificates that encrypt customer transactions at chronopay.com. Vrublevsky said all but one of those certs were issued long ago; the remaining one was issued in September, albeit with an older key, he said.
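The hijack described above followed a recognizable pattern: the registrar of record changed, the authoritative nameservers moved to a domain that had been registered only days earlier, and the site's TLS certificate (and the private keys behind it) could no longer be trusted. The following is an added example, not code from the post or from ChronoPay, of a baseline-comparison check a site operator could run on a schedule to catch exactly those three signals. All domain names, registrar strings, dates and fingerprints in it are constructed for the demonstration; the only real inputs are the ones you would substitute for your own domain.

```python
import hashlib
import ssl
from datetime import date

# Constructed baseline for the monitored domain (hypothetical names and values,
# not ChronoPay's real records). In practice this is captured once, while the
# domain is known to be in a good state, and stored somewhere the attacker
# cannot edit by changing DNS.
BASELINE = {
    "domain": "example-psp.test",
    "registrar": "Directnic",
    "nameservers": {"ns1.example-psp.test", "ns2.example-psp.test"},
    "cert_sha256": "aa" * 32,
}

# Constructed "current" observation shaped like the incident in the post:
# registrar moved, nameservers pointed at a fresh domain, certificate replaced.
OBSERVED = {
    "registrar": "Network Solutions",
    "nameservers": {"ns1.anotherbeast.test", "ns2.anotherbeast.test"},
    "cert_sha256": "bb" * 32,
}

# Constructed WHOIS-style creation dates for the parent domains of nameserver hosts.
WHOIS_CREATED = {
    "example-psp.test": date(2005, 3, 1),
    "anotherbeast.test": date(2010, 12, 19),
}


def parent_domain(host):
    """Naive registrable-domain guess: the last two labels. Adequate for the
    constructed .test names here; a public-suffix list is needed for real TLDs."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_domain(baseline, observed, whois_created, today, young_days=30):
    """Compare an observation against the baseline and return (severity, message) findings."""
    findings = []

    if observed["registrar"] != baseline["registrar"]:
        findings.append(("HIGH", "registrar changed: %s -> %s"
                         % (baseline["registrar"], observed["registrar"])))

    added = observed["nameservers"] - baseline["nameservers"]
    removed = baseline["nameservers"] - observed["nameservers"]
    if added or removed:
        findings.append(("HIGH", "nameservers changed: +%s -%s"
                         % (sorted(added), sorted(removed))))

    # A nameserver whose parent domain was registered very recently is a strong
    # hijack indicator; report once per parent domain, not once per host.
    for parent in sorted({parent_domain(ns) for ns in added}):
        created = whois_created.get(parent)
        if created is None:
            findings.append(("MEDIUM", "no creation date known for %s" % parent))
        elif (today - created).days <= young_days:
            findings.append(("HIGH", "new nameserver domain %s registered %d days ago"
                             % (parent, (today - created).days)))

    if observed["cert_sha256"] != baseline["cert_sha256"]:
        findings.append(("MEDIUM", "TLS leaf certificate fingerprint changed"))

    return findings


def live_cert_fingerprint(host, port=443):
    """Network helper (not used in the offline demo): SHA-256 of the DER leaf
    certificate the server presents, for filling in observed['cert_sha256']."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


if __name__ == "__main__":
    for severity, message in check_domain(BASELINE, OBSERVED, WHOIS_CREATED, date(2010, 12, 25)):
        print(severity, message)
```

Registrar and nameserver data would come from WHOIS/RDAP and an NS query in a real deployment; the point of the structure is that the baseline lives outside the DNS zone being watched, so an attacker who controls the zone cannot also quiet the alarm. A certificate fingerprint change on its own is routine (renewals), which is why it is scored lower than the registrar and nameserver signals.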
Loyal readers of this blog may have noticed that I have spent a lot of time digging into the activities and history of ChronoPay and Vrublevsky. In my earliest report on these two, I followed a string of evidence that suggested Vrublevsky also was the founder and curator of Crutop.nu (NSFW), a Russian adult Webmaster forum that has been linked to all kinds of badness. In that report, I noted that Crutop.nu and Chronopay.com even shared the same Google Analytics code (UA-630887) on their homepages, which further suggested a fundamental connection between the two sites.
At the time, a ChronoPay spokesperson dismissed the connection, yet the code disappeared from the ChronoPay home page shortly after that story ran. But sometime recently — perhaps in the last few days — it was apparently put back. You can see it by loading the home page of each site, right-clicking on the page and selecting “view source” or “view page source,” depending on your browser. Here’s a list of the other sites that also are using this Google Analytics code.
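The "view source" step above can be automated when you want to compare more than two sites. The following is an added example, not the post's own method or any real tool, that pulls classic Google Analytics property IDs (the UA- form the post cites) out of page source and groups hosts that share one. The four page sources are constructed and the host names are hypothetical; the regular expression and the grouping logic are the reusable part.

```python
import re
from collections import defaultdict
from urllib.request import urlopen

# Classic GA property IDs look like UA-630887 or UA-630887-1; the number before
# the optional profile suffix identifies the account, so that is what we capture.
GA_ID = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")

# Constructed page sources for hypothetical hosts (not the real pages in the post).
# Two of them embed the same account with different profile suffixes, one uses a
# different account, and one has no analytics at all.
PAGES = {
    "shop.example.test": """<html><head>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-630887-1']);
</script></head><body>store</body></html>""",
    "forum.example.test": """<html><head><script>
var pageTracker = _gat._getTracker("UA-630887-2");
pageTracker._trackPageview();
</script></head><body>forum</body></html>""",
    "unrelated.example.test": """<html><head><script>
_gaq.push(['_setAccount', 'UA-1234567-1']);
</script></head><body>news</body></html>""",
    "noanalytics.example.test": "<html><body>static</body></html>",
}


def extract_ga_accounts(html):
    """Set of GA account numbers found in a page's source (empty if none)."""
    return set(GA_ID.findall(html))


def group_by_account(pages):
    """Map each GA account number to the set of hosts whose source contains it."""
    by_account = defaultdict(set)
    for host, html in pages.items():
        for account in extract_ga_accounts(html):
            by_account[account].add(host)
    return dict(by_account)


def shared_accounts(pages):
    """Accounts seen on more than one host: candidate links between the sites."""
    return {account: sorted(hosts)
            for account, hosts in group_by_account(pages).items()
            if len(hosts) > 1}


def fetch_source(url, timeout=10):
    """Network helper (not used in the offline demo) to load a live page's source."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for account, hosts in shared_accounts(PAGES).items():
        print("UA-%s shared by: %s" % (account, ", ".join(hosts)))
```

A shared analytics account is evidence of a relationship between sites, not proof of common ownership: a web agency that builds sites for several clients, or a template copied from one site to another, produces the same signal. Treat a match as a lead to corroborate with other sources (registrant data, hosting, content), which is how the post itself uses it.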