
Credit Card getting cloned

  • 13-01-2017 6:20pm
    #1
    Registered Users Posts: 1,907 ✭✭✭bennyc


    I am working on a PC and the end user keeps having their credit card cloned: every time they pay for something online, another transaction happens within a few minutes. The PC is 7 Pro and had been using Security Essentials; it now has Avast Pro installed and full scans are showing up nothing. A full scan with Malwarebytes also returned nothing.
    Normally I would rebuild the OS and start again, but this PC took an age to get right with various standalone software, so a rebuild would be a nightmare for me.

    Any suggestions on what virus we could have on this and what scanning tools I could use? I want to get him to test from another device on the same network to make sure the ISP is not the problem.
    Any suggestions welcome.


Comments

  • Registered Users Posts: 1,347 ✭✭✭Rackstar


    Bite the bullet and rebuild.


  • Registered Users Posts: 1,964 ✭✭✭ItHurtsWhenIP


    I'd be inclined to agree with Rackstar.

    I did a clean up of adware shyte on a neighbour's laptop recently, really ingrained bugger too. I ended up using rkill, AdwCleaner, followed by Malwarebytes, rounding off with Hitman Pro and then resetting Chrome. :eek:

    Took a while, but got it clean. If those don't do it for you ... rebuild it and it will come ;).


  • Posts: 0 [Deleted User]


    Hey bennyc, I'd first be trying to answer the question "Is the system actually infected".

    I'm guessing you've manually checked common malware locations and persistence.....

    There are a few things you could do:
    - First I'd start monitoring all network traffic outbound from the system, looking for suspicious HTTP GET or POST and dodgy domain requests around the same time as an online purchase.
    - Check log files for any suspicious entries around the same time frame
    - Take a full file listing 10 minutes after online purchase and check modified time stamps, could be keylogging to a local file first.

    I'd start with those, the key really should be in the network traffic. If there is no network traffic very shortly after the transaction then it's likely not a local infection. Is it a home user or corporate? Don't forget that anything along the egress route could be modifying/snooping traffic. Maybe DNS has been modified, somebody is MITM, router is compromised.... Many different possibilities.

    Best of luck!
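The triage the post above describes (outbound connections right after a purchase, file modification times in the following ten minutes) boils down to correlating events against one timestamp. The script below is an added example, not code from this thread or from any poster: it assumes you noted the purchase time, that you captured outbound connections into a plain text log in the simple constructed format shown (not the output of any particular tool), and that you know which hosts the purchase legitimately involved (the shop and the bank). The sample log lines, file entries and host names are constructed for the example.

```python
# Added example, not code from the thread or any poster: correlate what the PC did
# in the minutes after an online purchase with the purchase time itself.
# Assumptions: you noted the purchase time, you captured outbound connections to a
# text log in the simple constructed format below (not any particular tool's
# output), and you know which hosts the purchase legitimately involved.
from __future__ import annotations

import os
from datetime import datetime, timedelta
from pathlib import Path
from typing import Iterable, Iterator

# Path fragments that churn during any browsing session; treat as noise, not evidence.
NOISY_PATH_PARTS = ("temporary internet files", "\\cache\\", "/cache/", "\\prefetch\\")

# Constructed purchase time for the worked example.
PURCHASE_TIME = datetime(2017, 1, 13, 18, 20, 0)

# Constructed connection log: "<date> <time> <process> <host>:<port>" per line.
SAMPLE_LOG = """\
2017-01-13 18:19:40 chrome.exe shop.example:443
2017-01-13 18:20:02 chrome.exe shop.example:443
2017-01-13 18:20:31 svchost.exe 203.0.113.7:8080
2017-01-13 18:24:10 chrome.exe bank.example:443
2017-01-13 18:45:00 chrome.exe news.example:443
this line is malformed on purpose
"""

# Constructed file-listing entries (path, modification time) as snapshot_tree would yield.
SAMPLE_FILES = [
    ("C:\\Users\\u\\AppData\\Local\\Temp\\~log.dat", datetime(2017, 1, 13, 18, 20, 15)),
    ("C:\\Windows\\Prefetch\\CHROME.EXE-0000.pf", datetime(2017, 1, 13, 18, 20, 5)),
    ("C:\\Users\\u\\Documents\\report.docx", datetime(2017, 1, 12, 9, 0, 0)),
]


def snapshot_tree(root: str) -> Iterator[tuple[str, datetime]]:
    """Yield (path, mtime) for every file under root; entries that cannot be stat'ed are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                yield str(p), datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:
                continue


def files_modified_after(entries: Iterable[tuple[str, datetime]],
                         purchase_time: datetime,
                         window_minutes: int = 10) -> list[tuple[str, datetime]]:
    """Entries modified within the window after the purchase, noise paths dropped, oldest first."""
    end = purchase_time + timedelta(minutes=window_minutes)
    hits = [(p, t) for p, t in entries
            if purchase_time <= t <= end
            and not any(part in p.lower() for part in NOISY_PATH_PARTS)]
    return sorted(hits, key=lambda e: e[1])


def parse_connection_line(line: str) -> dict | None:
    """Parse one constructed log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        host, _, port = parts[3].rpartition(":")
        return {"time": ts, "process": parts[2], "host": host, "port": int(port)}
    except ValueError:
        return None


def connections_after(lines: Iterable[str], purchase_time: datetime,
                      window_minutes: int = 10,
                      expected_hosts: tuple[str, ...] = ()) -> list[dict]:
    """Connections in the window after the purchase, minus the hosts the purchase should talk to."""
    end = purchase_time + timedelta(minutes=window_minutes)
    out = []
    for line in lines:
        rec = parse_connection_line(line)
        if rec and purchase_time <= rec["time"] <= end and rec["host"] not in expected_hosts:
            out.append(rec)
    return out


if __name__ == "__main__":
    shop_and_bank = ("shop.example", "bank.example")
    for rec in connections_after(SAMPLE_LOG.splitlines(), PURCHASE_TIME, expected_hosts=shop_and_bank):
        print("unexpected connection:", rec["time"], rec["process"], f'{rec["host"]}:{rec["port"]}')
    for path, mtime in files_modified_after(SAMPLE_FILES, PURCHASE_TIME):
        print("modified after purchase:", mtime, path)
    # On the real machine, replace SAMPLE_FILES with snapshot_tree("C:\\") taken
    # about 10 minutes after the purchase.
```

On the constructed sample this leaves exactly one connection (a non-browser process to an unfamiliar host on port 8080 thirty seconds after the purchase) and one modified file (a data file in the user's Temp folder), which is the kind of short list worth looking at by hand. The allowlist of expected hosts and the noise-path filter are what keep the output readable; without them a browsing session produces dozens of legitimate hits.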


  • Closed Accounts Posts: 22,651 ✭✭✭✭beauf


    Perhaps some of their online accounts are hacked.


  • Posts: 0 [Deleted User]


    Any update on this?


  • Registered Users Posts: 1,907 ✭✭✭bennyc


    [Deleted User] wrote: »
    Hey bennyc, I'd first be trying to answer the question "Is the system actually infected".

    I'm guessing you've manually checked common malware locations and persistence.....

    There are a few things you could do:
    - First I'd start monitoring all network traffic outbound from the system, looking for suspicious HTTP GET or POST and dodgy domain requests around the same time as an online purchase.
    - Check log files for any suspicious entries around the same time frame
    - Take a full file listing 10 minutes after online purchase and check modified time stamps, could be keylogging to a local file first.

    I'd start with those, the key really should be in the network traffic. If there is no network traffic very shortly after the transaction then it's likely not a local infection. Is it a home user or corporate? Don't forget that anything along the egress route could be modifying/snooping traffic. Maybe DNS has been modified, somebody is MITM, router is compromised.... Many different possibilities.

    Best of luck!

    Thanks for this. Basically it's a home user with a small business. I have had them do some purchases from another laptop on the same network without issue. The bank have now blacklisted the PC's IP so no transactions can be made on it, although I do not see the point here given that the PC was not doing the purchases; they were from afar. Also, the IP I am sure will be from the router, so they have probably blocked all from the house now. So I have run the likes of Stinger and done full system scans and found nothing. Removed the disk, slaved it and ran a scan from McAfee also.

    A rebuild is the next step. I am sickened, as I took a clone of the C drive after I built the machine early in the year. I needed my disk for another job so I went up and did a fresh clone on another disk, but this was after the disk would have been infected and before anyone noticed. I think I wiped the disk about 2 days before I found out about this. The way I built this machine there are a couple of disks on it, with all apps on C and all user data on the other disks. The pain is reinstalling paid-for apps as these will need new licences and a support call.


  • Posts: 0 [Deleted User]


    bennyc wrote: »
    Thanks for this. Basically it's a home user with a small business. I have had them do some purchases from another laptop on the same network without issue. The bank have now blacklisted the PC's IP so no transactions can be made on it, although I do not see the point here given that the PC was not doing the purchases; they were from afar. Also, the IP I am sure will be from the router, so they have probably blocked all from the house now. So I have run the likes of Stinger and done full system scans and found nothing. Removed the disk, slaved it and ran a scan from McAfee also.

    A rebuild is the next step. I am sickened, as I took a clone of the C drive after I built the machine early in the year. I needed my disk for another job so I went up and did a fresh clone on another disk, but this was after the disk would have been infected and before anyone noticed. I think I wiped the disk about 2 days before I found out about this. The way I built this machine there are a couple of disks on it, with all apps on C and all user data on the other disks. The pain is reinstalling paid-for apps as these will need new licences and a support call.

    That's a shame. If common anti-virus solutions are not detecting it then the next step is a manual inspection, and it's quite time consuming.

    If you do the rebuild, I'd definitely recommend grabbing an external HDD and backing up regularly, so if this happens again and it's not detected by AV they can just roll back to a previous snapshot. You'd be surprised how many big enterprises make a process decision that they would rather wipe the system than attempt to remediate, even when we provide a detailed analysis of the infection. I guess it comes down to risk level and time....

    If the bank have blocked the IP then yes, you're correct, it's going to be their public IP address. If it's not a statically assigned IP then they could unplug their modem/router for a couple of hours in the hope that their public IP is reassigned by their ISP (depending on the ISP).

