Can someone explain how a virus did this?

schwags

I have a business client that opened one of those phishing e-mails saying he has a fax waiting, etc. Anyway, when he went to his bank website to log in, he was presented with a login page for his banking website asking for all sorts of personal information to verify, etc. Obvious scam, and he knew it. In itself this is all pretty common, BUT the URL and certificate seemed to be valid...? I took a screenshot and attached it because I hadn't seen this before. I was under the impression that a standard redirect like this would always point to a strange URL, or at least have an invalid cert. Is there a form embedded in the page somehow? Is this common now and I'm just behind the times?

[Attachment: G2b8N7H.png (screenshot of the login page)]

Sorry for the black and white screenshot, I was over remote but I assure you that the SSL bar was green.
 
Can you not find the IP address of the site in question, and then enter it from another machine, to see if it takes you to the same page?

I have just entered the site up to /my accounts, and get the correct page. If this is a new form of phishing, then ruddy hell, our clients have no chance! Especially when it has everything we tell our clients to look out for, i.e. the padlock and httpS.
 
I have the infected computer in my shop; it's been shut down and I migrated him to a spare laptop, so I have some time to analyze this mess. But I am not a security expert and I want to be careful messing around with my client's computer when his data is at stake! At this point, he has changed his banking password, so I am not sure how to get the full URL since I cannot log in. What else can I look for?

EDIT: The HDD is encrypted, so unfortunately no offline scans or analysis is possible.
 
> I have the infected computer in my shop; it's been shut down and I migrated him to a spare laptop, so I have some time to analyze this mess. But I am not a security expert and I want to be careful messing around with my client's computer when his data is at stake! At this point, he has changed his banking password, so I am not sure how to get the full URL since I cannot log in. What else can I look for?
>
> EDIT: The HDD is encrypted, so unfortunately no offline scans or analysis is possible.

How is the HD encrypted? Just because it is encrypted does not mean you can't grab an image. If you are really interested in getting to the bottom of this, that is what you should do. Or at least make a copy of the user profile AppData.

Since he was using Chrome, you can look up where Chrome stores its files. There is a history folder, so that particular URL should be in there.
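The suggestion above (pull the visited URL out of Chrome's history) can be scripted rather than eyeballed. The following is an added example for this thread, not code from any poster. It assumes Chrome's History file (normally under the profile folder, e.g. `%LOCALAPPDATA%\Google\Chrome\User Data\Default\History` on Windows) is a SQLite database with a `urls` table whose `last_visit_time` column counts microseconds since 1601-01-01 UTC, and that you work from a copy of that file taken from the imaged profile. The sample database it builds is constructed inline so the script runs offline.

```python
"""List recently visited URLs from a copy of Chrome's History database.

Added example, not from any poster in the thread. Assumes the `urls` table
layout (url, title, visit_count, typed_count, last_visit_time, hidden) and the
WebKit/Chrome epoch of 1601-01-01 UTC. The sample History file is constructed.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome timestamps are microseconds since 1601-01-01 UTC (the FILETIME epoch).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(webkit_us: int) -> datetime:
    """Convert a Chrome/WebKit timestamp into a timezone-aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_chrome_time(dt: datetime) -> int:
    """Inverse of chrome_time_to_datetime; used for query bounds and sample rows."""
    return int((dt - CHROME_EPOCH) / timedelta(microseconds=1))


def recent_urls(history_path: str, since: datetime, keyword: str = None):
    """Return (visited_at, url, title) for pages last visited after `since`,
    newest first. `keyword` optionally restricts to URLs containing a string
    such as the bank's hostname."""
    query = "SELECT url, title, last_visit_time FROM urls WHERE last_visit_time > ? "
    params = [datetime_to_chrome_time(since)]
    if keyword:
        query += "AND url LIKE ? "
        params.append(f"%{keyword}%")
    query += "ORDER BY last_visit_time DESC"
    # Open read-only through a URI so the evidence copy is never modified.
    conn = sqlite3.connect(f"file:{history_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(query, params).fetchall()
    finally:
        conn.close()
    return [(chrome_time_to_datetime(t), url, title) for url, title, t in rows]


def build_sample_history(path: str) -> None:
    """Create a CONSTRUCTED History file mirroring Chrome's `urls` table."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
        "last_visit_time INTEGER, hidden INTEGER)"
    )
    base = datetime(2014, 4, 7, 14, 0, tzinfo=timezone.utc)
    rows = [  # (url, title, visit_count, typed_count, last visit, hidden)
        ("https://bank.example/login", "Online Banking - Login", 3, 1, base, 0),
        ("https://bank.example/myaccounts", "My Accounts", 1, 0, base + timedelta(minutes=2), 0),
        ("http://example.test/fax-notice/view.php", "Fax waiting", 1, 0, base - timedelta(hours=1), 0),
        ("https://news.example/", "News", 10, 2, base - timedelta(days=3), 0),
    ]
    for url, title, vc, tc, when, hidden in rows:
        conn.execute(
            "INSERT INTO urls (url, title, visit_count, typed_count, "
            "last_visit_time, hidden) VALUES (?, ?, ?, ?, ?, ?)",
            (url, title, vc, tc, datetime_to_chrome_time(when), hidden),
        )
    conn.commit()
    conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "History")
        build_sample_history(sample)
        since = datetime(2014, 4, 7, tzinfo=timezone.utc)
        for when, url, title in recent_urls(sample, since):
            print(when.isoformat(), url, title)
```

Point `recent_urls` at the copied History file instead of the sample and pass the bank's hostname as `keyword`; the phishing landing page visited just before the banking session usually shows up in the same window of time, which is why the unfiltered listing is worth reading too.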
 
OP, did your client have any AV protection? I'm guessing not?

This is most likely Zeus which created a pop-up window covering his banking page after logging in. No web content was altered, it was just covered up with a pop-up window. And the URL, certificate and https verification were all perfectly legitimate.

This made the rounds over the holidays...
 
A link that supports your previous statement about Zeus manipulating web content (below).

Oh sure let me help you with that: http://www.google.com

> OP, did your client have any AV protection? I'm guessing not?
>
> This is most likely Zeus which created a pop-up window covering his banking page after logging in. No web content was altered, it was just covered up with a pop-up window. And the URL, certificate and https verification were all perfectly legitimate.
>
> This made the rounds over the holidays...

Zeus doesn't need a popup window, it directly injects into wininet.dll
 
> I have a business client that opened one of those phishing e-mails saying he has a fax waiting, etc. Anyway, when he went to his bank website to log in, he was presented with a login page for his banking website asking for all sorts of personal information to verify, etc. Obvious scam, and he knew it. In itself this is all pretty common, BUT the URL and certificate seemed to be valid...? I took a screenshot and attached it because I hadn't seen this before. I was under the impression that a standard redirect like this would always point to a strange URL, or at least have an invalid cert. Is there a form embedded in the page somehow? Is this common now and I'm just behind the times?
>
> [Attachment: G2b8N7H.png (screenshot of the login page)]
>
> Sorry for the black and white screenshot, I was over remote but I assure you that the SSL bar was green.

Definitely Man In The Browser. Kind of cool, but scary. Had one come in the other day. Latches onto the system and modifies pages on the fly. Very similar to Man In The Middle.
 
This article sounds a lot like it could be related to your 'virus/phishing' problem:

http://venturebeat.com/2014/04/08/w...ffecting-66-percent-of-the-internet-at-least/

New bug found in OpenSSL that is actually old but newly discovered.

-Scott

> Definitely Man In The Browser. Kind of cool, but scary. Had one come in the other day. Latches onto the system and modifies pages on the fly. Very similar to Man In The Middle.

Yes, I'd say MitB attack too. Clever, and can defeat most banking protection methods including tokens, letters from a password and so on.

I imagine this will become more and more popular as banks have upped their game.

See http://en.wikipedia.org/wiki/Man-in-the-browser
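The two replies above describe the mechanism: the malware rewrites the page inside the browser, so the URL, padlock and certificate all stay genuine and only the page content gives the tampering away. One way to make that visible from the technician's side is to compare the form fields in a page capture taken from the infected machine against the form the bank actually serves. The script below is an added example for this thread, not code from any poster or from any bank; both HTML snippets are constructed, and the field names are only illustrative.

```python
"""Flag form fields that a man-in-the-browser web inject added to a login page.

Added example, not from any poster. Assumes you have the page as the infected
browser rendered it (e.g. saved from the imaged profile) and a copy of the
legitimate form for comparison. Both snippets below are constructed.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the name of every user-facing input/select/textarea and the
    text of every <label>, in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.labels = []
        self._in_label = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea"):
            # Hidden and button inputs are not questions asked of the user.
            if a.get("type", "").lower() in ("hidden", "submit", "button"):
                return
            self.fields.append(a.get("name", "").lower())
        elif tag == "label":
            self._in_label = True

    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False

    def handle_data(self, data):
        if self._in_label and data.strip():
            self.labels.append(data.strip())


def form_fields(html: str):
    """Return (field_names, label_texts) for the given HTML."""
    p = FormFieldCollector()
    p.feed(html)
    return p.fields, p.labels


def injected_fields(expected_html: str, observed_html: str):
    """Field names present in the captured page but absent from the legitimate
    form. An inject leaves the URL and certificate untouched, so a diff of the
    rendered content is where the extra questions show up."""
    expected, _ = form_fields(expected_html)
    observed, _ = form_fields(observed_html)
    return [f for f in observed if f not in expected]


# Constructed: the login form as the bank really serves it.
LEGIT_LOGIN = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="constructed-token">
  <label for="u">User ID</label><input id="u" name="userid">
  <label for="p">Password</label><input id="p" type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed: the same form as rendered on the infected machine, with extra
# "verification" questions spliced in by the inject.
OBSERVED_LOGIN = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="constructed-token">
  <label for="u">User ID</label><input id="u" name="userid">
  <label for="p">Password</label><input id="p" type="password" name="password">
  <label>Social Security Number</label><input name="ssn">
  <label>ATM PIN</label><input type="password" name="card_pin">
  <label>Mother's maiden name</label><input name="mothers_maiden">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    extra = injected_fields(LEGIT_LOGIN, OBSERVED_LOGIN)
    print("fields not in the legitimate form:", extra)
    _, labels = form_fields(OBSERVED_LOGIN)
    print("labels shown to the user:", labels)
```

The comparison has to be made against the page as the browser rendered it, not against a fresh fetch from a clean machine, because that fresh fetch is exactly what the bank's server always returns; the inject happens after the legitimate response arrives.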

It's Zeus...
 