Phishing attack that mimics currently browsed site?

Not sure this is an appropriate forum for this, but maybe some fellow SPers have come across this and can point me in the right direction…

I have a Lenovo laptop running Windows 7, and have started experiencing pop-up windows with phishing attacks/attempts when I do an online purchase. The pop-up is one of those slightly different URL windows that looks very much like the site I’m actually browsing. Not unlike many phishing sites/pages. However in this case the page is customized to match the site I’m on, for example Wells Fargo. I also went to make a purchase on the Philadelphia Phillies website and the same thing happened. I got a phishing pop-up that looks like it’s a legitimate part of the Phillies site.

McAfee software running on the computer is up-to-date and detects no viruses or spyware.

What else could this be? Anyone ever see such a sophisticated phishing mechanism before?

Sounds like a pretty sophisticated bug you’ve got. Might be worth uploading some screenshots. Considering your McAfee detects nothing is also weird.

I would recommend doing a scan with another program, maybe Spybot S&D. HijackThis is also a good program but is more suited to advanced computer users (but you can run it and post a screenshot on their forum for advice).

There’s not much to screenshot. The phishing page mimics any page. If I’m on Wells Fargo’s website, the phishing page shows up and looks just like the real site. The only way I can tell that it’s a phishing page is by the information it asks for (account numbers, SSN, mother’s maiden name, etc., way too much sensitive info) and the copyright date at the bottom of the page is 2008. The URL is masked somehow. It shows in the address bar, but it’s definitely something else.

I looked at the source code and the only thing that looked like something that might be an indicator of anything is there are a bunch of meta tags that say name=“konichiwa”. Seems odd.

I ran Spybot S&D and it picked up 55 things that were removed. The problem persisted, so I scanned again and this time it detected 13 items that were then removed. The problem stopped! At least temporarily. Now it’s back to it’s old tricks again, so I’m running another scan.

I’m guessing based on the brief interruption that something was removed or disabled that affected the virus/spyware/malware. But somehow it’s persisting.

Any other thoughts on this? Anyone ever seen anything this sneaky?

Try opening a website for any of the following antivirus providers such as AVG, Norton,Mcaffe etc
if these are being redirected or not appearing then you have picked up one of the one of the
W32 virus /trojan varients such as Conficker.

These are particulay awkward as they tend to hide quite well and often infect the onboard
AV software, boot your PC up using a linux O/S such as Puppy or Ubuntu then do a virus scan.

View the page source and look for suspicious URL’s. There are lots of phishing attacks on well-know sites that “borrow” images and css from the actual site to make the page look authentic.

Nothing to do with this sort of thing?

Nope, it’s not always triggered by a credit card transaction. It’s also triggered just by trying to log in to an online banking site with an existing username and password.

For online purchases, it does include some language about that MasterCard secure thing, so it could look similar to that. But this is different in other ways, and it’s surely a phishing trap. None of those legit security checks ask for SSN, account/card numbers, mother’s maiden name, etc., all in one form.

[ot]My problem with banks is their “security” questions… promote false security for any fools who believe they work. Most of that info of those security questions, including SSN, are posted in public either by public entities (SSN is not private and is not secret, but technically should only be used for tax/income purposes) or by users themselves on their spacebooks. Mother’s maiden name… I have no idea where anyone got the idea that this was a good piece of info to use for “security”. Those names are public and more and more women don’t change their names, nor are all moms married, etc…

Something like 3dsecure encourages people to get phished.[/ot]

You can try out with some other Anti-virus software and go for root scan also. Because the scan which anti-virus does on laptop or pc might not be able to find virus from root. So once you can go for root scan for system.

Another thing you can do is you can block pop-ups from your laptop, so that it won’t irritate you while you are surfing.

Try microsofts windows defender. did spybot search & destroy find anything?

@techmiclelle, M$ and security is a bad mis-match!

@mcd, have you ever heard of a rootkit? IMHO, you’ve got a SEVERE security problem in that a Japanese (I believe “konichiwa” is “hello” in Japanese) worm/rootkit has invaded your computer and can/has reinstalled itself after removal of the files it implants. If you’re running a home network, consider all your computers hacked. Download a few rootkit seek-and-destroy programs from reputable anti-virus firms, disconnect all your computers from the internet AND THE LAN then run ALL the anti-rootkit programs in turn - one is bound to seek-and-destroy the rootkit.

Good Luck!



Many people already have windows defender, even if they do not know it, and it DOES clean some known items. A comment along the lines of reminding people that "Relying only on M$ for security is Not best practice. " is good, as I did skip that.

Also note this person has not responded to this tread, they obviously moved on. Ran into a few cases where comments like this “reputable anti-virus firms” actually made things worse, mostly because the person didn’t know where to get a list of reputable anti-virus firms.