  1. #1
    mcd, SitePoint Zealot (joined Dec 2004; Caldwell, NJ; 111 posts)

    Phishing attack that mimics currently browsed site?

    Not sure this is an appropriate forum for this, but maybe some fellow SPers have come across this and can point me in the right direction...

    I have a Lenovo laptop running Windows 7, and have started experiencing pop-up windows with phishing attacks/attempts when I do an online purchase. The pop-up is one of those slightly different URL windows that looks very much like the site I'm actually browsing. Not unlike many phishing sites/pages. However in this case the page is customized to match the site I'm on, for example Wells Fargo. I also went to make a purchase on the Philadelphia Phillies website and the same thing happened. I got a phishing pop-up that looks like it's a legitimate part of the Phillies site.

    McAfee software running on the computer is up-to-date and detects no viruses or spyware.

    What else could this be? Anyone ever see such a sophisticated phishing mechanism before?

  2. #2
    sammyspam, SitePoint Zealot (joined Feb 2009; Australia; 103 posts)
    Sounds like a pretty sophisticated bug you've got. Might be worth uploading some screenshots. The fact that your McAfee detects nothing is also weird.

    I would recommend doing a scan with another program, maybe Spybot S&D. HijackThis is also a good program but is more suited to advanced computer users (but you can run it and post a screenshot on their forum for advice).

  3. #3
    mcd, SitePoint Zealot (joined Dec 2004; Caldwell, NJ; 111 posts)
    There's not much to screenshot. The phishing page mimics any page. If I'm on Wells Fargo's website, the phishing page shows up and looks just like the real site. The only way I can tell that it's a phishing page is by the information it asks for (account numbers, SSN, mother's maiden name, etc., way too much sensitive info) and the copyright date at the bottom of the page is 2008. The URL is masked somehow. It shows online.wellsfargo.com in the address bar, but it's definitely something else.

    I looked at the source code and the only thing that looked like something that might be an indicator of anything is there are a bunch of meta tags that say name="konichiwa". Seems odd.

    I ran Spybot S&D and it picked up 55 things that were removed. The problem persisted, so I scanned again and this time it detected 13 items that were then removed. The problem stopped! At least temporarily. Now it's back to its old tricks again, so I'm running another scan.

    I'm guessing based on the brief interruption that something was removed or disabled that affected the virus/spyware/malware. But somehow it's persisting.

    Any other thoughts on this? Anyone ever seen anything this sneaky?

  4. #4
    Sogo7, SitePoint Zealot (joined May 2011; 129 posts)
    Try opening a website for any of the following antivirus providers, such as AVG, Norton, McAfee, etc. If these are being redirected or not appearing, then you have picked up one of the W32 virus/trojan variants such as Conficker.

    These are particularly awkward as they tend to hide quite well and often infect the onboard AV software. Boot your PC up using a Linux OS such as Puppy or Ubuntu, then do a virus scan.
    Lovelogic.net Personal Projects Pit - Spammers welcome

  5. #5
    SitePoint Addict (joined Apr 2009; 358 posts)
    View the page source and look for suspicious URLs. There are lots of phishing attacks on well-known sites that "borrow" images and CSS from the actual site to make the page look authentic.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same" - Anon
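
The source check suggested in the post above, sketched as a script that audits a saved copy of the page. This is an added example, not code from the thread; the hosts `bank.example` and `collector.invalid`, the field-name list and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Field-name fragments for the data the thread says the fake form asked for.
SENSITIVE = ("ssn", "social", "maiden", "account", "card", "pin")

class SourceAudit(HTMLParser):
    """Collect off-site submit/script targets, sensitive inputs and meta names."""
    def __init__(self, expected_host):
        super().__init__()
        self.expected = expected_host.lower()
        self.offsite = []      # (tag, host) for form/script/iframe targets
        self.borrowed = []     # img/link assets pulled from the real site
        self.sensitive = []    # input names matching SENSITIVE
        self.meta_names = []   # every <meta name=...> value, for manual review

    def _host(self, url):
        return (urlparse(url).hostname or "").lower()
    def _same_site(self, host):
        return host == self.expected or host.endswith("." + self.expected)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("form", "script", "iframe"):
            host = self._host(a.get("action") or a.get("src") or "")
            if host and not self._same_site(host):
                self.offsite.append((tag, host))
        elif tag in ("img", "link"):
            host = self._host(a.get("src") or a.get("href") or "")
            if host and self._same_site(host):
                self.borrowed.append((tag, host))
        elif tag == "input":
            name = a.get("name", "").lower()
            if any(s in name for s in SENSITIVE):
                self.sensitive.append(name)
        elif tag == "meta" and a.get("name"):
            self.meta_names.append(a["name"])

def audit(html, expected_host):
    p = SourceAudit(expected_host)
    p.feed(html)
    return p

# Constructed sample: a look-alike page reusing the real site's assets.
SAMPLE = """<html><head><meta name="konichiwa" content="x">
<link rel="stylesheet" href="https://bank.example/site.css"></head><body>
<img src="https://www.bank.example/logo.png">
<form action="https://collector.invalid/post" method="post">
<input name="ssn"><input name="mother_maiden_name"><input name="card_number">
</form></body></html>"""
```

Only absolute off-site targets are reported; a form with a relative `action` has no host to compare, so an empty `offsite` list does not clear a page on its own.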

  6. #6
    Stomme poes, SitePoint Wizard (joined Aug 2007; Netherlands; 10,283 posts)
    Nothing to do with this sort of thing? https://plus.google.com/u/0/10428446...ts/i91xdkiRFeo

  7. #7
    mcd, SitePoint Zealot (joined Dec 2004; Caldwell, NJ; 111 posts)
    Quote, originally posted by Stomme poes:
        Nothing to do with this sort of thing? https://plus.google.com/u/0/10428446...ts/i91xdkiRFeo

    Nope, it's not always triggered by a credit card transaction. It's also triggered just by trying to log in to an online banking site with an existing username and password.

    For online purchases, it does include some language about that MasterCard secure thing, so it could look similar to that. But this is different in other ways, and it's surely a phishing trap. None of those legit security checks ask for SSN, account/card numbers, mother's maiden name, etc., all in one form.

  8. #8
    Stomme poes, SitePoint Wizard (joined Aug 2007; Netherlands; 10,283 posts)
    Off Topic:

    My problem with banks is their "security" questions... promote false security for any fools who believe they work. Most of that info of those security questions, including SSN, are posted in public either by public entities (SSN is not private and is not secret, but technically should only be used for tax/income purposes) or by users themselves on their spacebooks. Mother's maiden name... I have no idea where anyone got the idea that this was a good piece of info to use for "security". Those names are public and more and more women don't change their names, nor are all moms married, etc...

    Something like 3dsecure encourages people to get phished.

  9. #9
    SitePoint Member (joined Apr 2012; Los Angeles; 11 posts)
    You can try some other antivirus software and also go for a root scan, because the scan which antivirus software does on a laptop or PC might not be able to find a virus at the root. So you can go for a root scan of the system.

    Another thing you can do is block pop-ups on your laptop, so that they won't irritate you while you are surfing.

  10. #10
    SitePoint Zealot (joined Oct 2008; 140 posts)
    Try Microsoft's Windows Defender. Did Spybot Search & Destroy find anything?

  11. #11
    dklynn, Certified Ethical Hacker (joined Feb 2002; Auckland; 14,679 posts)
    @techmiclelle, M$ and security is a bad mis-match!

    @mcd, have you ever heard of a rootkit? IMHO, you've got a SEVERE security problem in that a Japanese (I believe "konichiwa" is "hello" in Japanese) worm/rootkit has invaded your computer and can/has reinstalled itself after removal of the files it implants. If you're running a home network, consider all your computers hacked. Download a few rootkit seek-and-destroy programs from reputable anti-virus firms, disconnect all your computers from the internet AND THE LAN then run ALL the anti-rootkit programs in turn - one is bound to seek-and-destroy the rootkit.

    Good Luck!

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  12. #12
    SitePoint Zealot (joined Oct 2008; 140 posts)
    Quote, originally posted by dklynn:
        @techmiclelle, M$ and security is a bad mis-match!

    Many people already have Windows Defender, even if they do not know it, and it DOES clean some known items. A comment along the lines of reminding people that "Relying only on M$ for security is not best practice" is good, as I did skip that.

    Also note this person has not responded to this thread; they obviously moved on. Ran into a few cases where comments like this "reputable anti-virus firms" actually made things worse, mostly because the person didn't know where to get a list of reputable anti-virus firms.

