Windows Forum / Security / Internet Explorer Security / October 2008


Citibank hacked - or my PC?

quest - 18 Oct 2008 15:34 GMT
When logging into my Citibank account I'm getting a wired web page just after
logon. It basically asks me about every possible private data. The web page
doesn't look like Citibank.
It doesn't really matter what userid/pwd I'm entering, I'm always getting to
this web page. I did run all possible virus scanners, Ad-Aware and so on.
Couldn't find anything yet.

BTW. The strange web page link ends with ProcessUsernameSignon.do

I'm afraid my PC is infected somehow. Help is appreciated.
Frank Saunders MS-MVP IE,OE/WM - 18 Oct 2008 16:12 GMT
> When logging into my Citibank account I'm getting a wired web page just
> after
[quoted text clipped - 8 lines]
>
> I'm afraid my PC is infected somehow. Help is appreciated.

Do a thorough check for malware, following all of the steps at one of these
Web pages, including HijackThis.
Help with malware:
All  MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315

So How Did I Get Infected Anyway?
For quite a few people it's by installing programs like Messenger Plus,
whose ads for malware don't identify the malware as such and try to convince
you that you owe it to the author.  See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything.  Always choose Custom and see
what else is being carried along.  Don't install any extras you're not sure
of.


Frank Saunders MS-MVP IE,OE/WM
Do not reply with email

quest - 18 Oct 2008 16:33 GMT
Hi,

I'm claiming that I did it all. But I did run many virus and spyware tools in
the meantime, incl. HijackThis, Ad-Aware, ...

It seems that my issue is described here:
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BANKER.KXV&VSect=Td


With the difference that the issue/resolution does not match (e.g. the
referenced files).

What is also interesting is that if I enter "ProcessUsernameSignon.do" in my
Google search bar I'm getting an error from the proxy. If I enter
"ProcessUsernameSignon" I'm getting Google search results. It is as if .do
makes some calls on its own to the web?

> > When logging into my Citibank account I'm getting a wired web page just
> > after
[quoted text clipped - 31 lines]
> what else is being carried along.  Don't install any extras you're not sure
> of.
PA Bear [MS MVP] - 18 Oct 2008 17:57 GMT
When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities).  HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert.  **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, or other
appropriate forums for review by an expert in such matters, not here.**

NB: Call Citibank and tell them about this.  At the very least, you will
want to (1) change any/all passwords and (2) close any credit cards (replace
with new cards w/new numbers).  Do NOT do any of this online!!!

Closely monitor all credit card activity as well as your credit reports for
at least 2 years!

~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

> Hi,
>
[quoted text clipped - 54 lines]
>> Frank Saunders MS-MVP IE,OE/WM
>> Do not reply with email
Frank Saunders MS-MVP IE,OE/WM - 18 Oct 2008 18:19 GMT
Where did you post your HiJackThis log?  (Not Here)

> Hi,
>
[quoted text clipped - 53 lines]
>> sure
>> of.
VanguardLH - 18 Oct 2008 17:45 GMT
> When logging into my Citibank account I'm getting a wired web page just after
> logon.

What is a "wired web page"?

> I basically asks me about every possible private data.

A home page won't be asking you about your account data.  Not until you
login can you then update your account details.

> The web page
> doesn't look like Citibank.

Then it probably isn't Citibank's web page.

> It doesn't really matter what userid/pwd I'm entering, I'm always getting to
> this web page.

Oh, now "this web page" is not the home page for Citibank?  It isn't
Citibank's login page?

You actually provided your real login credentials to a web page that you
already knew looked phishy?

> I did run all possible virus scanners, Ad-Aware and so on.

All that says is that you ran Ad-Aware, not what else you used.

> Couldn't find anything yet.
>
> BTW. The strange web page link ends with ProcessUsernameSignon.do

Parameters in the URL are unimportant.  The domain is what is important.
Are you saying that processusernamesignon.do is the domain name?  If so,
.do is the top-level domain for the Dominican Republic (see
http://www.iana.org/domains/root/db/do.html).  

If you enter the IP address (instead of the domain name) for Citibank, do you
get to Citibank's home page?  Try:

http://192.193.217.120

That will only check if you can get to their home page using an IP
address.  You probably can't do much there since most web sites use
their domain names in the paths to the other pages or sister sites.

> I'm afraid my PC is infected somehow. Help is appreciated.

Possibly.  Tried rebooting into Windows' safe mode (with networking) and
retesting?
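The point made above, that the host name and not the ".do" at the end of the path decides where the credentials go, as an added defender-side check; this is not code from the thread, and the expected bank domain and the lookalike sample URLs are assumptions/constructed:

```python
from urllib.parse import urlsplit

# Assumed: the legitimate bank domain the user expects to be signing on to.
EXPECTED_DOMAIN = "citibank.com"

def inspect_signon_url(url, expected_domain=EXPECTED_DOMAIN):
    """Split a sign-on URL into the parts that matter for deciding whether a
    password should go there: the host (and its top-level domain) versus the
    path, where a trailing '.do' is only a server-side script name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    last_segment = parts.path.rsplit("/", 1)[-1]
    path_ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    on_expected_domain = host == expected_domain or host.endswith("." + expected_domain)
    return {
        "host": host,
        "tld": labels[-1],        # a '.do' HERE would be a Dominican Republic domain
        "path_ext": path_ext,     # a '.do' HERE is just the script suffix
        "https": parts.scheme == "https",
        # Only a host inside the expected domain, over HTTPS, should get a password.
        "safe_to_sign_on": on_expected_domain and parts.scheme == "https",
    }

# Constructed samples: the URL quoted in the thread plus two lookalike hosts
# (example.do / example.net are placeholders, not real sites).
SAMPLES = [
    "https://online.citibank.com/US/JSO/signon/ProcessUsernameSignon.do",
    "http://online.citibank.com.example.do/US/JSO/signon/ProcessUsernameSignon.do",
    "https://citibank-signon.example.net/ProcessUsernameSignon.do",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = inspect_signon_url(u)
        print(f"{r['host']:<38} tld={r['tld']:<4} path_ext={r['path_ext']:<3} "
              f"safe={r['safe_to_sign_on']}")
```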
quest - 18 Oct 2008 19:11 GMT
Hi All,

I posted my log file over at
http://aumha.net/viewtopic.php?f=30&t=36562&sid=df5ad217e6da7fab9c438fa1fb0bb615

Thanks!

> > When logging into my Citibank account I'm getting a wired web page just after
> > logon.
[quoted text clipped - 46 lines]
> Possibly.  Tried rebooting into Windows' safe mode (with networking) and
> retesting?
VanguardLH - 18 Oct 2008 20:32 GMT
quest wrote:

> "VanguardLH" wrote:
>
[quoted text clipped - 51 lines]
>
> I posted my log file over at: http://aumha.net/viewtopic.php?f=30&t=36562&sid=df5ad217e6da7fab9c438fa1fb0bb615

Did Citibank recently gobble up your original account at some other
bank?  Could be you are having to open a new account at Citibank and
they need that personal info to populate your new online account with
them.

Would need to know how you navigate from their home page at
www.citibank.com to get to the web page of which you are suspicious.
quest - 18 Oct 2008 21:06 GMT
Well, from any other computer I'm not navigated to the "strange" site.

Same procedure:
1.) www.citibank.com
2.) click "Sign On"
3.) Enter the user credential and hit Sign on.

On other computers this lands me on my accounts. With the computer in
question I land on https://online.citibank.com/US/JSO/signon/ProcessUsernameSignon.do

> quest wrote:
>
[quoted text clipped - 61 lines]
> Would need to know how you navigate from their home page at
> www.citibank.com to get to the web page of which you are suspicious.
VanguardLH - 19 Oct 2008 09:00 GMT
> Well, from any other computer I'm not navigated to the "strange" site.
>
[quoted text clipped - 5 lines]
> This lands me on other computers on my accounts. With the computer in
> question on https://online.citibank.com/US/JSO/signon/ProcessUsernameSignon.do

At step 2, the web page displayed has the login credential inputs
(userid and password).  If you right-click in the frame containing those
input boxes and select View Source, you'll see all of Citibank's
server-side scripts end in .do, and the one you mention in step 3 is
also part of their script so it's no surprise you end up at a page with
that script's name.

You'll have to ask Citibank what triggers their need to obtain your
personal info when accessing your account from different computers.
Maybe they expect you to save their cookie.  

Did you ever purge your browser's temp file cache, and cookies, too?

From what you showed over in the aumha forum, maybe you have entries in
an ad-blocking hosts file or you are using ad-blocking software which
means the web page doesn't look like a Citibank web page because you've
blocked that content.  The image you showed in the aumha forum has red
X's and is missing other graphics.  Something on your problematic
computer is blocking content from being delivered from that web page.
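The hosts-file possibility raised above, as an added check that is not code from the thread: it separates harmless ad-blocking entries (names black-holed to loopback, which explain missing graphics) from the case a defender actually worries about, a bank name mapped to some other address. The hosts-file content and the watched domains are constructed assumptions:

```python
# Addresses that ad-blocking hosts lists point names at; such an entry blocks
# the content (hence red X's and missing images) rather than redirecting it.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

def audit_hosts(text, watch_domains):
    """Classify hosts-file lines: names black-holed (content blocked) versus
    watched domains mapped to any other address (traffic silently redirected).
    Returns line numbers so the entries can be located in the real file."""
    blocked, redirected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], [n.lower() for n in fields[1:]]
        for name in names:
            if name == "localhost":
                continue
            if address in BLACKHOLE_ADDRESSES:
                blocked.append((lineno, name))
            elif any(name == d or name.endswith("." + d) for d in watch_domains):
                redirected.append((lineno, address, name))
    return {"blocked": blocked, "redirected": redirected}

# Constructed sample hosts file; on Windows the real one lives at
# %SystemRoot%\System32\drivers\etc\hosts and can be read the same way.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example.net          # ad-blocking entry
0.0.0.0         static.example-ads.net   # ad-blocking entry
203.0.113.7     online.citibank.com      # bank name pointed at an unrelated address
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS, ["citibank.com", "citi.com"])
    for lineno, name in report["blocked"]:
        print(f"line {lineno}: {name} is blocked (content will not load)")
    for lineno, address, name in report["redirected"]:
        print(f"line {lineno}: {name} -> {address}  <-- investigate")
```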
PA Bear [MS MVP] - 18 Oct 2008 21:14 GMT
Meanwhile...

See my previous reply!

Do NOT enter any information on the page illustrated in the screenshot you
posted in AumHa Forums!

Log-in here only, once you've gotten a new CC number and password and have
gotten the machine cleaned-up: http://www.citi.com

Citibank Contact Us page
http://www.citi.com/domain/contact/index.htm

~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

> Hi All,
>
[quoted text clipped - 53 lines]
>> Possibly.  Tried rebooting into Windows' safe mode (with networking) and
>> retesting?
quest - 18 Oct 2008 21:43 GMT
I will certainly call Citi.

BTW. In the meantime I rebooted and the problem went away. Is there
something like memory-only malware?

> Meanwhile...
>
[quoted text clipped - 65 lines]
> >> Possibly.  Tried rebooting into Windows' safe mode (with networking) and
> >> retesting?
PA Bear [MS MVP] - 18 Oct 2008 22:19 GMT
I'd doubt it.  What's more possible is that either your McAfee suite and/or
Ad-Aware detected the hijackware but it was only removed after rebooting.

I have posted about your apparent success/resolution in your thread at AumHa
Forums.

~PA Bear

> I will certainly call Citi.
>
[quoted text clipped - 85 lines]
>>>> and
>>>> retesting?