Is That Website Really Your Bank?
April 29, 2010
A client called us a few days ago and said that someone had stolen their banking/credit card information, and they thought it may have been a virus. When I logged on to their computer I could see some signs of minor infections, but nothing that would steal information like that. I recommended we do an ERVisit and install Trend Micro Internet Security. After cleaning up the computer I still hadn’t found any sign of an infection that would steal banking information.
Upon further discussion, the nervous client showed us what happened when they went to their bank’s website. The first page looked exactly right; I compared it to the same page loaded on my computer, a perfect match. When they entered their username and password to log into the site, a page was displayed asking them to verify their information. Here is where that gut feeling that something isn’t right comes in. The page was asking for everything you would need to open an account or apply for a credit card: name, address, SS#, etc. The address in the address bar was still the bank’s website. I checked the IP address the site resolved to, and it also belonged to the bank. Here was the trick. I could ping the address from their computer and it replied from the bank. I asked the customer to call the bank and verify that it was truly their site asking for the information. It wasn’t! WOW! How can this be?? It turns out that this virus was smart enough not to interfere with normal tests and traces, but it did intercept the session and send specific information out through a channel separate from the computer’s normal communication methods.
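The lesson of the paragraph above is that DNS, IP and ping checks all pass when malware rewrites the page inside the browser, because the connection really does go to the bank; what differs is the content the victim sees. The author caught it by comparing the page against a clean machine. The following is an added example, not code from the original post, that automates that comparison for form fields: it parses a page's forms and flags any field that is not in a known-good baseline and asks for sensitive data. The two HTML snippets, the baseline field list and the sensitive-field list are all constructed for illustration.

```python
"""Flag form fields injected into a login page that a genuine page never asks for.

Added example, not from the original post. The HTML samples, BASELINE_FIELDS and
SENSITIVE_FIELDS below are constructed for illustration.
"""
from html.parser import HTMLParser

# Fields the genuine login step is known to ask for (constructed baseline; in
# practice capture this once from a clean machine, as the author did by hand).
BASELINE_FIELDS = {"username", "password"}

# Field names that a login/verification step should never request.
SENSITIVE_FIELDS = {"ssn", "social_security", "dob", "mothers_maiden",
                    "card_number", "cvv", "pin", "address"}


class FormFieldCollector(HTMLParser):
    """Collect the name of every visible <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attrs = dict(attrs)
        name = attrs.get("name")
        kind = (attrs.get("type") or "text").lower()
        # Hidden/submit/button controls carry no user-typed data; skip them.
        if name and kind not in ("hidden", "submit", "button"):
            self.fields.add(name.lower())


def extract_fields(html):
    """Return the set of user-visible form field names in the page."""
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields


def unexpected_fields(html, baseline=BASELINE_FIELDS):
    """Fields present in the page but absent from the known-good baseline."""
    return extract_fields(html) - baseline


def flag_injected_fields(html, baseline=BASELINE_FIELDS, sensitive=SENSITIVE_FIELDS):
    """Sorted list of unexpected fields that also ask for sensitive data."""
    return sorted(unexpected_fields(html, baseline) & sensitive)


def is_suspicious(html):
    """True when the page asks for sensitive data the real login never requests."""
    return bool(flag_injected_fields(html))


# Constructed sample: what a genuine login form looks like.
GENUINE_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="token">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same form with a "verify your information" block injected.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <p>Please verify your information</p>
  <input type="text" name="full_name">
  <textarea name="address"></textarea>
  <input type="text" name="SSN">
  <input type="text" name="card_number">
  <input type="submit" value="Verify">
</form>
"""

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_PAGE), ("injected", INJECTED_PAGE)):
        print(label, "suspicious:", is_suspicious(page), flag_injected_fields(page))
```

Run from a clean machine against a saved copy of the page the client sees; a non-empty result from `flag_injected_fields` is the signal the author's ping and IP checks could not give, because those only prove where the connection goes, not what the browser rendered.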
Now that we knew what was happening, the hunt for the invader began. After about an hour or so of micro-analyzing everything running, we were able to find it and tear it out. The scary part: none of the several antivirus or deep-scanning tools showed or found it. This is a first! I suspect a new twist on a relatively new virus technology, the rootkit. We have a copy of the virus and are testing and analyzing it to learn more and make it easier to detect, and we have sent a copy to Trend Micro to get it added to their antivirus software.
The moral of the story: If your internal alarm goes off, don’t do it, even if everything looks right!
TomG | PCWebDoc.com
Toll Free: 866-828-6684