Strange phishing attack?

4

1

When I log in to wachovia/wells fargo/amazon/paypal, no matter the user/pass that I insert, I get a "we need to verify your information" page where they ask me everything, from the ATM PIN to my SSN to my mom's maiden name (LOL)

Then, when I insert bogus data, they continue to ask for more and more personal data, like frequent flyer numbers, Verified by Visa password, and so on, until I get to a Verified by Visa authorization page (with the right SSL on visa.com!!!) for a sum hidden by a white div.

More data:

  1. The address is right (not www.amazon.com.frtrereeliamdumb.com, but amazon.com WITH THE RIGHT SSL)
  2. The hosts file is not modified
  3. The DNS is reliable, 8.8.8.8
  4. amazon.com resolves right
  5. The SSL is valid
  6. Sniffing traffic does not show anything suspicious
  7. I have wired internet
  8. No strange process running
  9. Opera is unaffected, Firefox and IE are affected (so it's not a rogue FF extension)
  10. I care about security and I run everything in Sandboxie, don't have Java, have an AV (so, how could I get this virus???)
  11. Admin programs like regedit and taskmgr are working and not blocked by this virus

What can it be???

Magnetic_dud

Posted 2011-02-25T16:18:05.137

Reputation: 3 210

Pick up the phone and call Wells Fargo, I would suggest you ask them to change your password until you get this sorted out. – Moab – 2011-02-25T17:07:34.433

OK, look at the page that I get at this address: https://www.paypal.com/it/cgi-bin/webscr?cmd=_login-submit => http://pastie.org/1609236 . www.paypal.com resolves to 64.4.241.49 - right. A similar page appears on amazon.com and wachovia.com

– Magnetic_dud – 2011-02-26T10:07:10.343

And another example, at this address: https://www.amazon.com/gp/flex/sign-in/select.html/ref=ya_sign_in_ I get this: http://pastie.org/1609260 , while at https://onlineservices.wachovia.com/auth/AuthService I get this: http://pastie.org/1609262 .. I must understand what's going on so this doesn't happen in the future (yes, I already changed the passwords from a clean computer)

– Magnetic_dud – 2011-02-26T10:12:02.167

Answers

3

You, sir, have malware installed on your client computer. This software likely "listens" to the common browser processes (i.e. IE and FF) and intercepts HTTP traffic, appending "frtree...com" to it.

Hard to say exactly what it is or how it got there, but one thing is clear: you need to find a virus scanner that will remove it, or roll your OS.

Edit: it's been my experience that it takes far less time (and less stress of being absolutely sure you removed it) to hose the OS than it does to track down the bugger and kill it.

Joshua

Posted 2011-02-25T16:18:05.137

Reputation: 4 290

No, it's not like that, the HTTP sniffer shows that everything points to the right domain name – Magnetic_dud – 2011-02-25T16:27:34.857

I wiped the hard drive (in march 2011!) and I fixed the problem, so, yes, I was infected. I couldn't believe that. :) – Magnetic_dud – 2012-10-30T11:30:15.383

2

Is it possible your router has been compromised by a virus and is redirecting traffic?

Jeff Bolduan

Posted 2011-02-25T16:18:05.137

Reputation: 134

The router is a Thomson TG585 that the ISP gave me. It has a bug where people can guess the WPA2 password by knowing the MAC address - so WLAN is disabled. But, from other computers on the same LAN, I don't get this strange result... – Magnetic_dud – 2011-02-25T16:23:49.683

If that's the case then I would probably cut my losses and either try a different AV or, if that fails, format. If the virus can hide itself that well it's not worth taking a chance. I would also make sure to wipe out the boot sector of the drive, which is often overlooked. – Jeff Bolduan – 2011-02-25T16:28:40.753

I tried nod32 but no success – Magnetic_dud – 2011-02-25T16:36:39.583

You should also use an uninfected computer to immediately change all of your website account passwords, especially banking/financial ones. – BBlake – 2011-02-25T17:03:33.433

0

You may be infected

Follow the order given below to disinfect your PC

1.) On a PC that is not infected, make a boot AV disc, then boot from the disc on the infected PC and scan the hard drive; remove any infections it finds. I prefer the Kaspersky disc myself. The new 2010 Kaspersky disc can update the AV dat files if you are connected to the internet at the time of the scan, and it is suggested to update before the scan.

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

2.) Then: install free MBAM, run the program, go to the Update tab and update it, then go to the Scanner tab and do a quick scan; select and remove anything it finds.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

3.) When MBAM is done, install the SAS free version, run a quick scan, and remove what it automatically selects. http://www.superantispyware.com/download.html

These last 2 are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV. These can be run once a day or week to ensure you are not infected. Be sure you update them before each daily/weekly scan.

Moab

Posted 2011-02-25T16:18:05.137

Reputation: 54 203

0

Double check your network settings. What could have happened is that you've got some malware which is pointing you to a bad Domain Name Server. This means that it looks like you are reaching the correct web addresses even when you are clearly not.

Another way to test this is to try and access known anti-malware sites like Malwarebytes. These are often blocked.

Get the Local Area Connection Properties dialog and select the General tab. Then select the "Internet Protocol (TCP/IP)" line and select "Properties".

In the new dialog, on the General tab, check whether the DNS server option has been set to "Use the following DNS server address". If it has, take a note of the IP addresses.

Then go to your ISP and see if they recommended that you set these values. If they don't, reset the switch to "Obtain DNS server address automatically". If they do, check that the IP addresses match.

You will still need to run the steps to clean your machine as there is no guarantee that there won't be a process running that keeps this setting pointing to the bad servers.

ChrisF

Posted 2011-02-25T16:18:05.137

Reputation: 39 650

The website is not blocked - downloaded and installed Malwarebytes - now scanning. – Magnetic_dud – 2011-02-25T17:54:27.770
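The two host-level checks discussed in this thread (the asker's "hosts file is not modified" point and ChrisF's "which DNS servers are configured" procedure) can be automated; the script below is an added example, not code from any of the posters. The hosts file and `ipconfig /all` text it parses are constructed samples, and the expected DNS list is whatever your ISP gave you (or the public resolver you chose).

```python
"""Automates two checks from the thread: does the hosts file redirect any of
the watched sites, and are the configured DNS servers the expected ones?
Added example; the sample inputs below are constructed, not captured."""
import re

WATCHED = {"www.amazon.com", "www.paypal.com", "onlineservices.wachovia.com"}
LOOPBACK = {"127.0.0.1", "::1"}


def hosts_overrides(hosts_text, watched=WATCHED):
    """Return {hostname: ip} for watched names the hosts file points elsewhere."""
    found = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched and ip not in LOOPBACK:
                found[name.lower()] = ip
    return found


def dns_servers_from_ipconfig(text):
    """Parse the 'DNS Servers' entries (plus continuation lines) from `ipconfig /all`."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and re.match(r"\s{20,}\S+\s*$", line):
            servers.append(line.strip())          # extra server on its own line
        else:
            collecting = False
    return servers


def unexpected_dns(servers, expected):
    """Configured servers that are not on the ISP-recommended / chosen list."""
    return [s for s in servers if s not in expected]


# Constructed samples: one hosts override and one unknown secondary resolver.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment\n203.0.113.7 www.paypal.com  # constructed\n"
SAMPLE_IPCONFIG = (
    "Ethernet adapter Local Area Connection:\n"
    "   DNS Servers . . . . . . . . . . . : 8.8.8.8\n"
    "                                       198.51.100.53\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")

if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
    found = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    print("unexpected DNS:", unexpected_dns(found, {"8.8.8.8", "8.8.4.4"}))
```

On the real machine, feed `hosts_overrides` the contents of %SystemRoot%\System32\drivers\etc\hosts and `dns_servers_from_ipconfig` the output of `ipconfig /all`. As the thread itself shows, both checks can come back clean when the tampering happens inside the browser process rather than on the network path.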