When I log in to Wachovia/Wells Fargo/Amazon/PayPal, no matter the user/pass that I insert, I get a "we need to verify your information" page where they ask me everything, from the ATM PIN to my SSN to my mom's maiden name (LOL).
Then, when I insert bogus data, they continue to ask for more and more personal data, like frequent flyer numbers, Verified by Visa password, and so on, until I get to a Verified by Visa authorization page (with right SSL on visa.com!!!) for a sum hidden by a white div.
More data:
- The address is right (not www.amazon.com.frtrereeliamdumb.com, but amazon.com WITH THE RIGHT SSL)
- The hosts file is not modified
- The DNS is reliable, 8.8.8.8
- amazon.com resolves right
- The SSL is valid
- Sniffing traffic does not show anything suspicious
- I have wired internet
- No strange process running
- Opera is unaffected, Firefox and IE are affected (so it's not a rogue FF extension)
- I care about security and I run everything in Sandboxie, don't have Java, have an AV (so, how could I get this virus???)
- Admin programs like regedit and taskmgr are working and not blocked by this virus
What can it be???
Pick up the phone and call Wells Fargo, I would suggest you ask them to change your password until you get this sorted out. – Moab – 2011-02-25T17:07:34.433
Ok, look at the page that I get at this address: https://www.paypal.com/it/cgi-bin/webscr?cmd=_login-submit => http://pastie.org/1609236 www.paypal.com resolves at 64.4.241.49 - right. Similar page appears on amazon.com and wachovia.com – Magnetic_dud – 2011-02-26T10:07:10.343
And another example, at this address: https://www.amazon.com/gp/flex/sign-in/select.html/ref=ya_sign_in_ I get this: http://pastie.org/1609260 , instead, at https://onlineservices.wachovia.com/auth/AuthService I get this: http://pastie.org/1609262 .. I must understand what's going on so that this doesn't happen in the future (yes, I already changed the passwords from a clean computer) – Magnetic_dud – 2011-02-26T10:12:02.167