is turning me over to Russian gangsters?
January 13, 2010 8:08 PM   Subscribe

I understand how phishing works via emails, but how am I being taken from a known trusted site to phishing page, after having entered my account signon on the first page?

I go to in Firefox. The verisign thing in the URL bar tells me it's really chase. I enter my account signin as always, hit enter, and I'm taken to a page that's obviously a phishing attempt (asks me for checking account number, ATM PIN, card number/exp/security code, etc.)

How is this happening? Chase tells me I have a virus on my computer. (AVG says I don't) I thought firefox was supposed to be resistent to browser based exploits? Could this really be caused by a local virus? And how serious is this?
posted by stupidsexyFlanders to Computers & Internet (18 answers total) 5 users marked this as a favorite
Your computer has a trojan.
posted by kickingtheground at 8:10 PM on January 13, 2010

It definitely can be caused by a local malware infection. And don't assume that AVG has the ultimate truth on this.

Firefox is not as big a target as IE, but it is possible to infect it. Also, it's possible for an infection gotten through IE (or not through a browser at all) to affect the behavior of FireFox.

Chase is right. You should assume your computer is not reliable. Try running AntiMalware, and then try running Microsoft's Security Essentials. (Tell it to do a full system scan, which can take several hours.)
posted by Chocolate Pickle at 8:30 PM on January 13, 2010

Yeah, you have something nasty on your machine that's detecting that you're logging into the Chase site and is redirecting the next page to somewhere bad. Might I suggest MalwareBytes and/or SuperAntiSpyware as starting points.
posted by m0nm0n at 8:40 PM on January 13, 2010

And given that you have already been compromised, a bunch of phone calls are in order.
posted by rr at 8:48 PM on January 13, 2010 [2 favorites]

I agree with chase. If you want to confirm it is something with your machine boot from a live linux cd and see if you have the same problem. If you do not, reformat your machine and change all of your passwords.
posted by phil at 9:01 PM on January 13, 2010

Advanced malware has no problem hiding from your antivirus software.
posted by chairface at 10:11 PM on January 13, 2010 [1 favorite]

I enter my account signin as always, hit enter

Bad news. Very bad news. Find a known good computer, change your password, check for unauthorised transactions, advise bank, nuke current desktop from orbit. Sorry.
posted by i_am_joe's_spleen at 10:15 PM on January 13, 2010 [6 favorites]

Does this still happen with different DNS servers? Try using and as your DNS servers.

This could be done by DNS-hijacking the page you're supposed to get to after clicking login. I'm guessing if the phishers actually had malware on your machine, they wouldn't make it obvious; they'd just let you log in as you always do while they collect your login & password.

It could also be done by hijacking insecure parts of the login screen. Not everything in there is https. Java script from http addresses could be involved, and in some browsers it can tamper with any other elements of the page.
posted by qxntpqbbbqxl at 10:53 PM on January 13, 2010

Oh, the page you get to could also be presented by a malicious proxy, without changing the login page or having spyware. Try connecting from a different network.
posted by qxntpqbbbqxl at 10:55 PM on January 13, 2010

qxntpqbbbqxl: Doesn't quite fit the symptoms, having a verified good SSL connection to should exclude evil proxy or DNS fakery.

i_am_joe's_spleen: What's the worst that can happen if someone gets your bank account login? For me, I think they could look at my credit card statement and see how often I withdraw cash, which is probably not worth most Russians' time. Do US banks allow you to make transactions without separate authorization codes?
posted by themel at 1:40 AM on January 14, 2010

themel, it varies by bank. In my case, my basic login credentials* would allow you to liquidate all my investments, empty my retirement account, borrow from a line of credit, and ship it all off to anyone else with a bank account. I think the bank will give me a phone call if the destination is overseas, but I'm not sure.

* more than just a password
posted by ryanrs at 2:06 AM on January 14, 2010

I ran MS Sec Essentials last night and it found/removed five "severe" threats, a variety of "exploits", "tools" and "password stealers". I guess I have to nuke the OS and change all passwords. Do not have issues on my other computer but will run scan there to be sure.

Am I safe to back up my docs/settings before reformatting or could the problem return when I restore them to the fresh install?
posted by stupidsexyFlanders at 3:30 AM on January 14, 2010

Given that the classic current entry point for a Trojan right now is a pdf file which exploits holes in Acrobat reader, I'd be wary of your docs. Do back them up, but only restore the ones you know you need & definitely eliminate any that you received via email (even if they came from someone you trust: their machine could have been compromised).

Ultimately, a trojan on your PC could have backdoored every pdf file on your machine & every doc file if there are currently unpatched problems with Office that are exploitable. You'll have to decide whether your docs are worth that risk or not yourself. Given that there are known problems with Acrobat right now, I'd be tempted to ditch all your pdfs at least.

Regardless, you need to nuke, reinstall & change every password you've ever used on that machine.
posted by pharm at 5:38 AM on January 14, 2010

If your system has been compromised that badly, nuking it from orbit is definitely the right answer.
posted by Chocolate Pickle at 8:52 AM on January 14, 2010

So what's the value of antivirus software if it gets rid of the problem, and you still have to nuke/reinstall? And I have thousands of docs unfortunately. Would it make sense to put them on a usb drive, clean reformat, and then plug in the usb drive so the antivirus can scan the files for issues?
posted by stupidsexyFlanders at 10:28 AM on January 14, 2010

The diagnostic aspect of the antivirus program is valuable even if you don't fully trust the cure part.
posted by Chocolate Pickle at 10:34 AM on January 14, 2010

themel: I don't know about US banks. I've used systems in NZ, Australia and the UK.

Some of the banking systems I know of allow reasonable sized external transactions without further authorisation, or by merely re-entering your password. One of my banks does require you to respond with a code SMS'd to your cellphone, which is nifty if cumbersome.

Another angle: when I ring up to make phone transactions, they often ask questions about the account as part of the verification process (eg how much was the last transaction, roughly what is the current balance). Merely obtaining transaction and balance details would be a big help in identity theft. And of course, knowing balance details helps you identify who's worthy of further effort.
posted by i_am_joe's_spleen at 10:54 AM on January 14, 2010

stupidsexyFlanders: Well, normally you hope the anti-virus software detects the virus right after you download the file, but before you run it. Then it can just delete it or whatever and you are safe. If your computer has run the the infected file the virus can go online and download itself more components that will completely take over a computer.
Some components might be detected by the anti-virus software but others can be very well hidden and all their job is is to download and setup the other easier to detect components.
posted by Iax at 2:40 PM on January 14, 2010

« Older My young-ish aunt has been diagnosed with...   |   mumble...mumble Newer »
This thread is closed to new comments.