Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Credit Card getting cloned

  • 13-01-2017 5:20pm
    #1
    Registered Users, Registered Users 2 Posts: 1,907 ✭✭✭


    I am working on a PC and the end user keeps having their credit card cloned, every time they pay for something online another transaction happens within a few minutes, the PC is 7 pro and had been using security essentials , now have pro avast installed and full scans are showing up nothing, full scan of malwarebytes also and again nothing returned.
    Normally I would rebuild the OS and start but this PC took an age to get right with various standalone software that rebuild would be a nightmare for me.

    Any suggestions on what virus we could have on this and what scanning tools I could use. I want to get him to test from another device on the same network to make sure the ISP is not the problem.
    Any suggestions welcome .


Comments

  • Registered Users, Registered Users 2 Posts: 1,347 ✭✭✭Rackstar


    Bite the bullet and rebuild.


  • Registered Users, Registered Users 2 Posts: 2,114 ✭✭✭ItHurtsWhenIP


    I'd be inclined to agree with Rackstar.

    I did a clean up of adware shyte on a neighbours laptop recently, really ingrained bugger too. I ended up using rkill, AdwCleaner, followed by Malware Bytes, rounding off with Hitman Pro and then resetting Chrome. :eek:

    Took a while, but got it clean. If those don't do it for you ... rebuild it and it will come ;).


  • Posts: 0 [Deleted User]


    Hey bennyc, I'd first be trying to answer the question "Is the system actually infected".

    I'm guessing you've manually checked common malware locations and persistence.....

    There are a few things you could do,
    - First I'd start monitoring all network traffic outbound from the system, looking for suspicious HTTP GET or POST and dodgy domain requests around the same time as an online purchase.
    - Check log files for any suspicious entries around the same time frame
    - Take a full file listing 10 minutes after online purchase and check modified time stamps, could be keylogging to a local file first.

    I'd start with those, the key really should be in the network traffic. If there is no network traffic very shortly after the transaction then it's likely not a local infection. Is it a home user or corporate? Don't forget that anything along the egress route could be modifying/snooping traffic. Maybe DNS has been modified, somebody is MITM, router is compromised.... Many different possibilities.

    Best of luck!


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Perhaps some of their online accounts are hacked.


  • Posts: 0 [Deleted User]


    Any update on this?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,907 ✭✭✭bennyc


    Hey bennyc, I'd first be trying to answer the question "Is the system actually infected".

    I'm guessing you've manually checked common malware locations and persistence.....

    There are a few things you could do,
    - First I'd start monitoring all network traffic outbound from the system, looking for suspicious HTTP GET or POST and dodgy domain requests around the same time as an online purchase.
    - Check log files for any suspicious entries around the same time frame
    - Take a full file listing 10 minutes after online purchase and check modified time stamps, could be keylogging to a local file first.

    I'd start with those, the key really should be in the network traffic. If there is no network traffic very shortly after the transaction then it's likely not a local infection. Is it a home user or corporate? Don't forget that anything along the egress route could be modifying/snooping traffic. Maybe DNS has been modified, somebody is MITM, router is compromised.... Many different possibilities.

    Best of luck!

    Thanks for this, basically its a home user with a small business , I have had them do some purchases from another laptop on the same network without issue, the bank have now blacklisted the PC's IP so no transactions can be made on it although I do not see the point here giving that the PC was not doing the purchases but they were from afar. Also the IP I am sure will be from the router so they have prob blocked all from the house now. So I have ran the likes of Stinger and done full systems scans and found nothing. Removed the disk slaved it and ran a scan from McAfee also.

    A rebuild is the next step. I am sickened as I took a clone of the C after I built the machine early in the year. I needed my disk for another job so I went up and did a fresh clone on another disk but this was after the disk would have been infected and before anyone noticed. I think I wiped the disk about 2 days before i was found out about this. The way I build this machine there are a couple of disks on it will all apps on C and all User data is on the other disks. The pain is reinstalling paid for apps as these will need new license and a support call.


  • Posts: 0 [Deleted User]


    bennyc wrote: »
    Thanks for this, basically its a home user with a small business , I have had them do some purchases from another laptop on the same network without issue, the bank have now blacklisted the PC's IP so no transactions can be made on it although I do not see the point here giving that the PC was not doing the purchases but they were from afar. Also the IP I am sure will be from the router so they have prob blocked all from the house now. So I have ran the likes of Stinger and done full systems scans and found nothing. Removed the disk slaved it and ran a scan from McAfee also.

    A rebuild is the next step. I am sickened as I took a clone of the C after I built the machine early in the year. I needed my disk for another job so I went up and did a fresh clone on another disk but this was after the disk would have been infected and before anyone noticed. I think I wiped the disk about 2 days before i was found out about this. The way I build this machine there are a couple of disks on it will all apps on C and all User data is on the other disks. The pain is reinstalling paid for apps as these will need new license and a support call.

    Thats a shame, if common anti-virus solutions are not detecting it then the next step is a manual inspection and it's quite time consuming.

    If you do the rebuild deff recommend grabbing an external HDD and backing up regularly so if this happens again and it's not detected by AV they can just roll back to a previous snapshot. You'd be surprised how many big enterprises make a process decision that they would rather wipe the system than attempt to remediate even when we provide a detailed analysis of the infection. I guess it comes down to risk level and time....

    If the bank have blocked the IP then yes you're correct it's going to be their public IP address. If it's not a statically assigned IP then they could unplug their modem/router for a couple of hours in the hope that their public IP is reassigned by their ISP (Depending on the ISP).


Advertisement