Had issue with bankcard Fraud, need HELP on securing computer

zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 00:09 Edited at: 25th Sep 2011 00:14
I recently had an issue with fraudulent charges (all website charges) on my debit card. Fortunately, the bank removed the 13 charges and returned my money, even though I believe the investigation is still pending. I am currently not 100% positive how my information was gleaned, whether it was on my local computer, a large company that has my info being hacked, someone getting my info from a fake card reader attached to an ATM, or simply a store or restaurant clerk having time to get the numbers off my card.

*Note: at the time of the incidents, I had physical possession of my card, and it's not someone in my household or a guest that used it.

I am leaning towards the conclusion that my install of Win7 was compromised, and that a trojan and/or keylogger grabbed my info. I do certain transactions online, and even though they use an HTTPS site, it would seem that if I was keylogged that wouldn't matter.

I am currently afraid to enter anything on my computer. Here is what I have done.

- I use a free antivirus, Avast. It was installed during the time of the fraud. It showed nothing, and it is up to date. Perhaps I should look at getting a better AV. Any suggestions?

- I did a Malwarebytes scan. Sure enough, I had a trojan detected, and it was spread across some .exe's, mainly in my DBPro DLLs like BBBgui. I think the source was C++ source code that I downloaded and was looking at. Malwarebytes was able to remove the items.

- I installed ZoneAlarm (personal free edition) just to keep some control over applications trying to make use of the internet.
Under ZoneAlarm I have prevented other computers, even on my local network, from connecting to my computer.

I'm still not feeling 100% sure that my computer is not compromised. I am thinking about running other scans, but it has been a while since I was into keeping up on the latest utils.

Thinking about running a...
HijackThis scan
Rerunning Malwarebytes
I need something to possibly check for rootkits; the only thing I remember is backlight reveal (or something like that).

Anyone else have suggestions on what I can do to feel somewhat safe again?

Kezzla
16 Years of Service
Joined: 21st Aug 2008
Location: Where beer does flow and men chunder
Posted: 25th Sep 2011 01:12
I use:

Antivir antivirus - free
Free version of the antivirus. You can get the paid version, which is apparently better; I, however, have had no problems with the free version.

Spybot Search & Destroy - free
Free malware, spyware and registry change guard.
If there's malware or spyware it will get it. It has a realtime filter too, which is nice.


I also use Firefox with the NoScript plugin enabled.

I only pay for things online with PayPal and never use my full actual name on the net.
If stuff's coming in the mail to the post office and I have to show ID, then I use a name that is similar enough that the clerk knows it's just a security measure.

I also only buy from reputable sites, and before I buy I'll Google "site name - fraud rip off stolen details" etc., just to see if there are other complaints.

If the keylogger's buried deep within a hidden object, maybe a clean install is in order. It's a pain in the butt, I know, but it knocks that option off your list.

good luck

kezzla

Sometimes I like to use words out of contents
zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 01:35
Thanks Kezzla,

I know about SBS&D and in fact I am in safe mode running that as well as we speak. Wondering if there are any specific keylogger scan tools for Windows 7. Not sure if Malwarebytes & Spybot S&D will locate keyloggers. I did download Process Explorer from Sysinternals, and I didn't seem to find any odd-looking processes (and I did turn on company description and command line). HijackThis didn't show anything odd, other than the Conduit engine I thought I had removed (still don't know how that got installed). Thanks for the other suggestions as well.

Indicium
16 Years of Service
Joined: 26th May 2008
Location:
Posted: 25th Sep 2011 02:06
You could back up and reinstall; that'd get rid of everything you don't want. Then install Avast. I found Comodo Firewall was amazing, but it was so secure it nagged a lot and I got sick of it.

Oolite
19 Years of Service
Joined: 28th Sep 2005
Location: Middle of the West
Posted: 25th Sep 2011 03:32
I know it might be a pain in the ass to do (and I don't profess to know a lot about this kind of stuff) but have you tried manually checking the processes and finding out if any of those have been flagged as anything dodgy? I don't like to put my trust in various programs even if they are proven by somebody else to be perfect. I never feel better until I manually check stuff myself.

Like I said, I don't know a lot about this stuff and I don't know if there is a way to completely hide a running process from a process manager; I always assumed they mask themselves with other names.
What I normally do is disconnect from the internet, close all programs that I can and then check the remaining processes (obviously using another computer/my phone). You can always check the startup processes as well (I use CCleaner free for this), just in case.
zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 03:52 Edited at: 25th Sep 2011 03:53
@oolite

Yeah, I downloaded and ran Process Explorer from Sysinternals after I removed the trojan.password corruptions that Malwarebytes found. Process Explorer is an advanced Task Manager-like app that shows a lot more and identifies process IDs, command line, company/ownership etc. I don't see anything that doesn't look legit right now. I even ran the scans in safe mode as well as normal now. Restore has been off.

I've used CCleaner in the past. It can't hurt to run that as well.


As of now everything is showing up clean
Avast - clean
Malwarebytes - 0 detections
SpybotS&D - 0 detections
HijackThis - everything looks good
Process Explorer - everything looks good

Oolite
19 Years of Service
Joined: 28th Sep 2005
Location: Middle of the West
Posted: 25th Sep 2011 04:16
If your computer looks clean then I have no idea.

Out of curiosity (and if you don't mind sharing) were all of the fraudulent charges to similar websites? Were there any links between the purchases, like were they all for electronic content? (I can only assume because only an idiot would order something online with a stolen credit card and get it delivered to their house).

It is possible that you got caught out by a card machine scam, over here in my part of the UK we have had several machines in my local area that have been replaced/repaired over the past year because of this type of scam.

Also, not sure if I read it in a poorly written tech novel or from a reputable source, but I'm sure it's possible to track data externally from a wifi connection, secured or not. Is it possible you made a purchase on your card whilst on a password-protected router in a pub/restaurant? I never do bank stuff whilst on a public network, but sometimes I have slipped up and felt safe enough to do it over one of those pay-per-use wifi connections you get in some of the nicer restaurants around.

I suppose it's also possible someone got access to your paypal/steam/itunes/amazon account (anything that saves your details really). It doesn't have to be directly from entering your information in.

Hell, thinking about this has made me realise how many places are saving my bank info, getting a bit paranoid so i'm going to remove some of it now.
zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 04:31 Edited at: 25th Sep 2011 04:48
@Oolite, I haven't even gone over all the sites. But I don't mind sharing them. And I don't believe they were for online content, for instance walmart.com, thebodyshop... I'll list them at the end of this post.

Yes, it's possible that I used an ATM or a gas pump reader that had a modified reader on it. I just don't know at this point.

Whoever did it basically wiped out my checking account for $1,500.00+ (some charges were listed as duplicates; they were pending. I never did get to see which ones went through, as my bank cleared everything up within 24 hours. It was expected to take a minimum of 10 days to even provisionally get my money back. I'm still not aware of how or why they fixed everything so quickly. I stopped the card ASAP when I found out. Basically all the charges were racked up in 1 day.)

Thankfully my savings accounts are not attached in any way.


teamfanshop.com $84.50
Dev.zappos.com $117.00
The Body Shop E-commerce $172.25
Stauer $245.95
Walmart.com $316.92
WMA*US Weekly $137.00
WMA*US Weekly $137.00 (this one showed up twice)


There were a few others, but at the time the bank couldn't even see who the merchant was. I still disputed them, knowing I didn't make any purchases that day. The money for those was returned as well. It seems like they tested the # out with a few small charges of $10.00-$30.00, as those appeared multiple times as well. Then they went for the kill.

I was glad that the bank acted so quickly. While I knew I was never in jeopardy of losing my money, waiting 10 business days (basically 1/2 a month since weekends are not included) would have put a bit of a financial strain on me.


*NOTE
I believe I got the trojan on my system by trying to help someone here on a Zork-like game. While I knew Zork was originally coded in Lisp, I found links to modified versions, including one that was a conversion to C. I wanted to look at the source to see how the parser was written, and figured that Infocom had released its source to the public domain, seeing as a number of sites had versions of the source code. Whether that is true or not is now questionable to me. But I got hit the day I extracted that file. That file was infected (Malwarebytes found it). It also infected some of my DBPro plugins like BBBgui and the DarkBASIC Pro EXAMPLES EXE.EXE??? My AV at the time failed to pick anything up.

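The sequence the post describes, a few $10-$30 charges first and then several large purchases within the same day, is the classic card-testing pattern: a stolen number is probed with small amounts to confirm it is live before it is drained. That pattern is visible in the issuer's own transaction stream. The script below is an added example and is not from the thread or from any bank's real monitoring: it runs a simple version of that check in PowerShell over a constructed transaction list modelled on the amounts listed above. The thresholds (probe ceiling $30, large-charge floor $100, 24-hour window) and the masked card numbers are assumptions.

```powershell
# Added example: detect "probe then spend" card testing over a transaction list.
# Transactions below are constructed for illustration, modelled on the post.
$transactions = @(
    @{ Card = '****1234'; When = '2011-09-20 03:02'; Merchant = 'DONATION SITE';     Amount = 10.00 },
    @{ Card = '****1234'; When = '2011-09-20 03:05'; Merchant = 'DONATION SITE';     Amount = 10.00 },
    @{ Card = '****1234'; When = '2011-09-20 03:11'; Merchant = 'ONLINE GAME TOPUP'; Amount = 25.00 },
    @{ Card = '****1234'; When = '2011-09-20 09:40'; Merchant = 'WALMART.COM';       Amount = 316.92 },
    @{ Card = '****1234'; When = '2011-09-20 09:41'; Merchant = 'WMA*US WEEKLY';     Amount = 137.00 },
    @{ Card = '****1234'; When = '2011-09-20 09:41'; Merchant = 'WMA*US WEEKLY';     Amount = 137.00 },
    @{ Card = '****1234'; When = '2011-09-20 10:15'; Merchant = 'STAUER';            Amount = 245.95 },
    @{ Card = '****9876'; When = '2011-09-20 12:00'; Merchant = 'GROCERY';           Amount = 62.10 },
    @{ Card = '****9876'; When = '2011-09-21 18:30'; Merchant = 'GAS STATION';       Amount = 41.00 }
) | ForEach-Object { New-Object PSObject -Property $_ }

function Find-CardTesting {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Transactions,
        [double] $ProbeMax    = 30.0,   # assumed ceiling for a "probe" charge
        [int]    $MinProbes   = 2,      # assumed: at least this many probes
        [double] $SpendMin    = 100.0,  # assumed floor for a "real" charge
        [int]    $WindowHours = 24      # assumed: spend must follow the first probe within this window
    )
    $Transactions |
        Group-Object Card |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object { [datetime]$_.When })
            $probes = @($sorted | Where-Object { $_.Amount -le $ProbeMax })
            $big    = @($sorted | Where-Object { $_.Amount -ge $SpendMin })
            if ($probes.Count -ge $MinProbes -and $big.Count -gt 0) {
                $firstProbe = [datetime]$probes[0].When
                # Only large charges that come AFTER the probes, inside the window, count.
                $bigAfter = @($big | Where-Object {
                    $t = [datetime]$_.When
                    ($t -gt $firstProbe) -and (($t - $firstProbe).TotalHours -le $WindowHours)
                })
                if ($bigAfter.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Card       = $_.Name
                        Probes     = $probes.Count
                        LargeAfter = $bigAfter.Count
                        Total      = ($bigAfter | Measure-Object -Property Amount -Sum).Sum
                        FirstProbe = $firstProbe
                    }
                }
            }
        }
}

Find-CardTesting -Transactions $transactions |
    Format-Table Card, Probes, LargeAfter, Total, FirstProbe -AutoSize
```

Only the card with the probe-then-spend sequence is reported; the card with two ordinary charges on different days is not. Real issuer monitoring layers merchant category, geography and velocity on top of a rule like this, which is one reason a bank can reverse such charges within hours rather than waiting out the full dispute period.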
zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 04:53 Edited at: 25th Sep 2011 05:00
Here is the image of the trojan infection Malwarebytes found:

I do not see any remnants of files associated with this trojan. Namely

asplug.dll
asplg.sys

normally found in windows\system32\

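Oolite's suggestion earlier in the thread to check running processes and startup entries by hand, and the remnant check in the post above (asplug.dll and asplg.sys under System32), can both be scripted. The following is an added example and is not from the thread: a PowerShell triage pass for an elevated prompt on the affected Windows box that reports the two named files if they are present, running processes whose on-disk image is unsigned or fails signature validation, the Run/RunOnce autostart keys, and the loaded kernel drivers (asplg.sys is a driver name). The two file names come from the post; everything else is a standard Windows location. Get-WmiObject and New-Object PSObject are used rather than their newer equivalents so that it runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example: post-cleanup triage for the indicators discussed in the thread.
# Run from an elevated PowerShell prompt on the machine being checked.

# 1. Remnants of the removed trojan (file names taken from the post).
$suspectFiles = @('asplug.dll', 'asplg.sys')
foreach ($name in $suspectFiles) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        Write-Output "FOUND remnant: $path"
        Get-Item $path | Select-Object FullName, Length, CreationTime, LastWriteTime
    } else {
        Write-Output "not present: $path"
    }
}

# 2. Running processes whose image is unsigned or whose signature does not validate.
#    Processes without a readable Path (protected system processes) are skipped.
Get-Process |
    Where-Object { $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        New-Object PSObject -Property @{
            Name   = $_.Name
            Id     = $_.Id
            Path   = $_.Path
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Id, Status, Signer, Path -AutoSize

# 3. Autostart entries a keylogger or trojan would use to survive a reboot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Output "--- $key"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# 4. Loaded kernel drivers and where they load from.
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    Select-Object Name, PathName, StartMode |
    Sort-Object Name |
    Format-Table -AutoSize
```

Two caveats apply. A rootkit that hooks the APIs these cmdlets call will hide from them exactly as it hides from Task Manager and Process Explorer, so a clean result is evidence, not proof, which is why the thread ends up recommending a reformat. And the four Run keys are only a fraction of the autostart locations; Sysinternals Autoruns also covers services, scheduled tasks and browser add-ons such as the Conduit component mentioned earlier, and can verify signatures for every entry it lists.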
Hockeykid
DBPro Tool Maker
17 Years of Service
Joined: 26th Sep 2007
Location:
Posted: 25th Sep 2011 07:22
If I were you I would just reformat to be safe.

ionstream
20 Years of Service
Joined: 4th Jul 2004
Location: Overweb
Posted: 25th Sep 2011 07:24
Yeah I also vote that you reformat. I had a virus thanks to a Java exploit once, and even with Malwarebytes and Antivir it was still able to stay alive. After the format I installed Spybot Search and Destroy and Avast, and have been secure ever since.

Thraxas
Retired Moderator
19 Years of Service
Joined: 8th Feb 2006
Location: The Avenging Axe, Turai
Posted: 25th Sep 2011 08:47
I agree, to be safe your only real option is to reformat.

zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 25th Sep 2011 09:03
Guess I know what I'll be doing tomorrow.

Benjamin
22 Years of Service
Joined: 24th Nov 2002
Location: France
Posted: 25th Sep 2011 14:44
Make sure you back up any important documents, media files, and trojans first...



Support a charitable indie game project!
Dark Frager
15 Years of Service
Joined: 16th Mar 2010
Location: The Void.
Posted: 25th Sep 2011 20:44
Quote: "Make sure you backup any important documents, media files, and trojans first..."


Evil..


zenassem
22 Years of Service
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 26th Sep 2011 12:07
Quote: "Make sure you backup any important documents, media files, and trojans first..."


Hahaaa... Nice one Benjamin!!!

bitJericho
22 Years of Service
Joined: 9th Oct 2002
Location: United States
Posted: 26th Sep 2011 12:20 Edited at: 26th Sep 2011 12:21
Quote: "I'm still not aware of how or why they fixed everything so quickly."


For all you know their card processor was hacked. Make sure your wifi is secure, but otherwise stop worrying about your computer. You've checked it, it's probably fine.

If you want to be safe, open a second bank account and only use that for online purchases. Transfer money from your regular account to your second bank account as needed.

