05-03-2012 07:29 AM - last edited on 05-03-2012 09:07 AM by shannons
Hi folks, I'm trying to find the culprit of a crime.. I've discovered unauthorised payments on my online bank statement. The bank in question have agreed to refund the stolen loot and issue another card. But I'm left scratching my head as to how these parasites got my details. The banks fraud team will not discuss such matters.
I'm pretty sure no-one has had the opportunity to clone my card and see/record my pin entry.. The muliple withdrawals were made by someone using these 2 online companies(moneybookers & milavat) So I think the evidence may lead to some sort of hack or virus. I use mobile broadband (VPN) if that might be of any relevence.
I've been running Norton 360 for about 14 months (with automatic updates). Recently, I noticed a lot of High priority blocks in Nortons tasks listing. A full scan on Norton 360 found nothing untoward.
Following the advice given to others in previus threads I downloaded Malwarebytes, tdsskiller and Norton Power Eraser (amongst others). To my surprise Malwarebytes found plenty to shout about!
Could PUPVShare have been the culprit?.. The reported attacks stopped thereafter.
The only other discovery was made by NPE. Alsysio64.sys was listed as' Bad'. I understand this is usually a legit file from core temp which i'm running so I have left it alone. The filepath is c/users/application/local/temp/registry/machine/sy
Any smoking guns here?
That's all the evidence i've got. Could I be on to something or should we start a new line of enquiry?
Any advice much appreciated.
05-03-2012 07:38 AM
I am sorry to hear about your problem.
According to http://forums.malwarebytes.org/index.php?showtopic
05-03-2012 10:32 AM
The first question is: How often do you use your debit card and PIN online?
It is far, far more likely that your card was compromised by a skimmer placed on a payment terminal or ATM somewhere. Skimmers are virtually undetectable, and the bad guys have devised clever ways of grabbing your PIN during a transaction. You could also have been a victim of a databank breach, such as this one:
The Malwarebytes' detection was a single PUP - a Potentially Unwanted Program. The designation reflects the fact that while most people would consider the program to be a nuisance, some users might choose to install it in order to gain some benefit that the application offers. Keyloggers or other malware that would steal your credentials would not be considered a PUP, so I do not think VShare is a likely suspect in your case. NPE detections are not as certain as those made by Norton Antivirus scans, and the single file that NPE nabbed would need to be thoroughly investigated before it could be verified as malicious. Since it was only one file, chances are it was not associated with any malware.
05-03-2012 11:54 AM
Thank you both for your replies.
The question 'how often do you use your pin online?' is a good one.
The answer is of course, you don't
Most sites that store card details only require an address, a verified email address and card details.
The legitimate site Moneybookers which was used by the parasite to transfer money from my account requires the last 3 digits of the security code written on the rear of the card for verification.
I very rarely enter this security code online, so with that in mind I re-checked my statement and the last transaction before the first theft was an online transfer of funds (made by myself) into an account which requests that card security code.
This could be a coincidence. It's possible my card was skimmed, although highly unlikely as i'm careful were I stick it.
The hacked database is also a very credible explanation.. Perhaps any combination of these things.
But I think it's probably about time I ran a kill disc.
Thanks for your input guys!
05-03-2012 12:08 PM
When using your card an an ATM terminal, check the terminal first; push and prod a bit at the keyboard to make sure no fake keyboard has been pasted onto the real keyboard. Ensure that there is no oily or sticky stuff on the keys (which will register which keys you press). Also, tiny cameras are concealed over the keyboard area, and contraptions are fastened to the slot where the card enters/exits. And finally, always cover the keyboard with your free hand or wallet (or another object which fully covers the range of keys) when typing in your pin code. Skimming is a problem in Switzerland, too, and the instructions above are the ones recommended by the banks over here. Very nasty business :-(
Ladies and Gentlemen, we are now ready for take-off. We would like to remind you that smoking and flaming are prohibited on all boards of this forum. We wish you an enjoyable flight with Norton Airlines.
05-04-2012 12:01 AM
Another thing you should do is try and use an ATM thats inside a bank, as an extra precaution, less chance for it to be tampered with. There was also an article in the news last year about hand held terminals, like on a garage forecourt, where they have been tampered with and copy all the pin and card details.