Security Breach Question


Tham
September 22nd, 2006, 02:42 PM
Hi,

I'm Tham from Kuala Lumpur, Malaysia.

I would be happy if anyone could enlighten
me on the following situation.

One of my female friends in Dayton, Ohio, purchased
some vitamin supplements online from a supplier in
California earlier this month. The order form on their
website was secure with 128-bit encryption.

Several days later, it seems someone accessed her
account on this supplier's website and ordered some
products for himself using her credit card. He did the
same thing at two other sites, which my friend had visited
and bought stuff from about the same time as the
vitamin supplier.

Since these sites are all secure, he was very unlikely to
have obtained her credit card number when her orders
were being transmitted. Thus my first hunch was this guy
had inserted keystroke logger malware on her computer,
obtaining her username and password for each account
she created at all three sites. He didn't need her credit
card number, which had already been stored in her
account on these merchants' servers.

However, scans with A-squared, Ewido and Ad-aware did
not seem to detect any malware. Nor did her McAfee
antivirus.

This leaves me very puzzled. Could it be, as I think I have
read, that while the site itself is secure, the line between
the user and the site is not, and any data being
transmitted is open to interception ?

Thank you very much.


Kind regards,

Tham

ccsito
September 22nd, 2006, 05:17 PM
I don't have much dealings with the data communication aspects in my line of work; however, I do know that any communication can be intercepted when you send or receive data through any communication line. Most servers try to encrypt the information so that only the sender and receiver will be able to see the "actual" information. Any hacker would only see garbage data if it should be intercepted. A lot of recent news reports of company websites and databases being hacked and their customer information being accessed by intruders raise concerns on how secure your data is when you buy something online. I wouldn't discount that possibility in your situation. You probably need an IT communication specialist to research what may have happened in your case.

Devinco
September 22nd, 2006, 09:32 PM
Find out if anyone, roommates, family members, friends, spouse, could have used her computer to place the order.
Find out if it is possible to place orders with just the user name and password or do you need to enter the full credit card number every order.
Find out if she is using a wireless technology like wireless keyboard or wireless router/access point and lives in close proximity to others like an apartment or nearby houses.
Did she use the same user name and password for all 3 stores?
Was it a weak password less than 8 characters and using common words/names found in a dictionary?
Did she ever open an email attachment?
Was she a safe computer user? Or did she suddenly become a safe user after the incident?

Besides the 3 charges, are there any other unauthorized charges on her card?
She should contact the stores to cancel the orders and notify them of a possible data breach.
It is difficult to tell if the store was hacked or her computer at this point with limited info.
If the store cannot cancel the orders and credit her account, then she should contact her credit card company and reverse the charges and get a new card.
If she uses the same password everywhere, she should change that behavior. Something like RoboForm can help.

Find out as much info as possible about the "people" who placed the bogus orders.
Where was the order shipped to? In the same state?
Especially contact the store and ask for the IP address that the order was placed with.
This will help her hunt them down.

If there was a padlock in the browser during entry of credit card details, then the connection between the browser and the store was secure. If her computer or the store is compromised, then it doesn't matter if the connection was secure because the data at either end is decrypted.

Tham
September 23rd, 2006, 12:55 PM
Thanks, Ccsito and Devinco.

She was the only one who used the computer. She
stays alone in a small apartment. Her grandkids come
visiting occasionally, but they are too young and her
children don't use her computer.

She is using a normal CPU, not wireless or laptop.

Yes, unfortunately she used the same user name and
password, six characters. She said she didn't open any
email attachments around that time.

However, the user account creation form on one of
these sites, for some free samples order, which
required the filling of credit card details, was unencrypted.
This was puzzling, since they had a link for verification
on Verisign's website at the bottom, beside the windows
where one filled the credit card numbers, which verifies
the site's security. I'm not sure if the next page was
encrypted when one clicks the button and transmits the data.
Looks like a UK store.

hxxp://www.bouldernature.com/OrderForm.do?layout=cortiban1page&referrer=hp&program=69


All three stores refunded her money and credited her
account. That's something good about American and
UK stores, I think. In Malaysia, they don't really do
that and one is left to fill in a dispute form with the
credit card company, and it can be weeks before,
IF ever, they credit you back. She got her money back within
a couple of days after getting her card statement and
notifying the card company and merchants. The card
company (the bank) is investigating and has notified the
police.

I told her to access her accounts on the three sites and
from the order history, find out where those bogus
orders were delivered and contact the store to get
the IP address where the orders came from, but she was
afraid to mess around again (she's almost computer
illiterate) and wanted to leave it to the police.

I did get her to scan with F-secure's Black Light rootkit
scanner, and she said it found and deleted two items,
didn't know what they were. Maybe those were preventing
the malware scanners from detecting the malware.
I also told her to stop using Internet Explorer immediately
and switch over to SeaMonkey, Mozilla or Firefox, which
she did.

http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html


She's scanning with Ewido now. Thanks again.

JinxGenius
September 23rd, 2006, 01:08 PM
I have a question, how's the hardware configuration? I mean, over the "networking" and internet connection thingy, if you do have a LAN, or VPN or anything similar to that, then I do suggest you read my point of view.

In Hong Kong recently there was a case where a kid installed a keylogger on the target's computer and kinda messed up someone's life. Well, I'll skip the software part because it's not a major concern, since we have programs that can give us a better view of what the hell is going on; that kid was caught because the software was found.
The point is: what if he uses a hardware keylogger that you don't even notice? Plugged in for just one night and unplugged the next morning, it can leak so much information already.

AND this is even WORSE (if you are on a LAN): ever heard of a "man-in-the-middle" attack? Yeah, you can still connect to the site and do all the encryption as they say, thus I don't need to hack either you or that company's computer, because my target is "you". From your case, I don't think it's just you having bad luck and having a few different accounts stolen. This is how it works: I'll tell your computer to connect to me first, then off to the internet; even with an encrypted website, he can still steal ANY information, no matter what IDs and passwords; he/she'll have a record of ANYTHING YOU EVER TYPED and PRESSED ENTER on (well, as long as he sets those field_ids up, it's totally possible and doable).


"That program" is possible to "listen" over all major communication ports, such as HTTP, telnet, RDP(Remote Desktop Connection), SMTP, etc.

So......
I'd say......you obviously got "plugged".....
better pay someone to honeypot him...... lol.....

Devinco
September 23rd, 2006, 06:10 PM
{QUOTE-> She was the only one who used the computer. She
stays alone in a small apartment. Her grandkids come
visiting occasionally, but they are too young and her
children don't use her computer.

She is using a normal CPU, not wireless or laptop. <-QUOTE}
OK. That removes some possibilities.
It is not a MitM (Man in the Middle) attack. A hardware keylogger is extremely unlikely as it would require physical access to the computer twice (once to plant the device and once to retrieve it).
A software keylogger is possible to pick up remotely with a malware infection.
It is also possible to install a software keylogger with physical access to the computer, but this is again very unlikely.

{QUOTE-> Yes, unfortunately she used the same user name and
password, six characters. <-QUOTE}
That is not a very strong password. Then it may have been that some kids just brute forced the account by trying lots of variations.
Here is some advice on passwords:
http://geodsoft.com/howto/password/password_advice.htm

{QUOTE-> She said she didn't open any email attachments around that time. <-QUOTE}
That's good. She will benefit if she learns a little about computer self-defense.


{QUOTE-> However, the user account creation form on one of
these sites, for some free samples order, which
required the filling of credit card details, was unencrypted.
This was puzzling, since they had a link for verification
on Verisign's website at the bottom, beside the windows
where one filled the credit card numbers, which verifies
the site's security. I'm not sure if the next page was
encrypted when one clicks the button and transmits the data.
Looks like a UK store.

hxxp://www.bouldernature.com/OrderForm.do?layout=cortiban1page&referrer=hp&program=69 <-QUOTE}
The form on this page DOES submit to a secure url:
hxxps://www.bouldernature.com/OrderProcess.do
So the data submitted there was secure between her web browser and the website.
Packet sniffers along the way would not be able to see the contents of the connection.

It is not the best way for a site to set up such a page, because you cannot view the certificate of the domain that you are submitting to. The page could have just as easily been secure (have the padlock) and would make the customer at least feel more secure.

The website is owned by Whole Health Products, Inc. which is based in Colorado.


{QUOTE-> All three stores refunded her money and credited her
account. That's something good about American and
UK stores, I think. In Malaysia, they don't really do
that and one is left to fill in a dispute form with the
credit card company, and it can be weeks before,
IF ever, they credit you back. She got her money back within
a couple of days after getting her card statement and
notifying the card company and merchants. The card
company (the bank) is investigating and has notified the
police.

I told her to access her accounts on the three sites and
from the order history, find out where those bogus
orders were delivered and contact the store to get
the IP address where the orders came from, but she was
afraid to mess around again (she's almost computer
illiterate) and wanted to leave it to the police. <-QUOTE}
That's good she was credited by the stores. She should also request a new credit card and watch her statements.
That's too bad she does not want to investigate further, because the police and the credit card banks will do nothing about it.

{QUOTE-> I did get her to scan with F-secure's Black Light rootkit
scanner, and she said it found and deleted two items,
didn't know what they were. Maybe those were preventing
the malware scanners from detecting the malwares.
I also told her to stop using Internet Explorer immediately
and switch over to SeaMonkey, Mozilla or Firefox, which
she did.

http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html


She's scanning with Ewido now. Thanks again. <-QUOTE}
It still could be malware. Hopefully with your help, she will be rid of it.
I wish her good luck.
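Devinco's observation above, that the Boulder Nature order form sits on a plain http:// page but posts to an https:// action, is the kind of thing worth checking mechanically rather than by looking for a padlock. The Python below is an added example for this thread, not code from the original post or from any of the sites mentioned: it parses the forms on a page and classifies each one by the scheme of the page versus the scheme of the resolved form action. The page URL shop.example and the HTML are constructed for the example, and the list of sensitive field-name fragments is an assumption used only to pick out forms that carry credentials or card data.

```python
"""Classify HTML forms by whether the page and the form action use HTTPS.

Added example for this thread, not code from the original post or from any
site it mentions. shop.example and the HTML are constructed; the list of
sensitive field-name fragments is an assumption used only to pick out the
forms that carry credentials or card data.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical page: a plain-HTTP order page whose main form posts to HTTPS,
# plus a login form that posts relative to the page (so over HTTP) and a
# harmless search box.
PAGE_URL = "http://shop.example/OrderForm.do"
SAMPLE_HTML = """
<html><body>
<form action="https://shop.example/OrderProcess.do" method="post">
  Card number <input type="text" name="CardNumber">
  CVV <input type="text" name="cvv">
  <input type="submit" value="Order Now">
</form>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="pw">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""

# Assumed heuristic: field names containing these fragments hold secrets.
SENSITIVE_NAME_PARTS = ("pass", "card", "cvv", "ccnum", "expir")


class FormCollector(HTMLParser):
    """Record each <form>'s action and the sensitive input names inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attrs.get("name", "").lower()
            kind = attrs.get("type", "text").lower()
            if kind == "password" or any(p in name for p in SENSITIVE_NAME_PARTS):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_forms(page_url, html):
    """Return (resolved_action, sensitive_fields, verdict) for every form."""
    parser = FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        # An empty or relative action resolves against the page URL, so it
        # inherits the page's scheme.
        action = urljoin(page_url, form["action"])
        action_https = urlsplit(action).scheme == "https"
        if not form["fields"]:
            verdict = "n/a: no credential or card fields"
        elif not action_https:
            verdict = "INSECURE: sensitive data submitted in the clear"
        elif not page_https:
            verdict = ("WEAK: HTTPS action on an HTTP page; no padlock or "
                       "certificate to inspect, and the page itself can be "
                       "altered in transit")
        else:
            verdict = "OK: HTTPS page and HTTPS action"
        results.append((action, form["fields"], verdict))
    return results


if __name__ == "__main__":
    for action, fields, verdict in assess_forms(PAGE_URL, SAMPLE_HTML):
        print(f"{verdict}\n    action={action} fields={fields}")
```

The middle verdict is the one that applies to the page discussed in this thread: the submission itself goes over TLS, so a sniffer on the wire sees nothing useful, but the page that carries the form arrived unauthenticated over HTTP, so the browser has no certificate to show before the user types, and anyone able to alter the page in transit could point the action somewhere else.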

Tham
September 26th, 2006, 05:56 AM
Thanks again, Devinco.

{QUOTE-> The form on this page DOES submit to a secure url.
(Moderators, my apologies, I didn't realize it might not have been
ethical to post a link to a merchant.)
So the data submitted there was secure between her web browser
and the website. Packet sniffers along the way would not
be able to see the contents of the connection. <-QUOTE}

Yes, I did try clicking the "Order Now" button on the Boulder Nature
form, and the next page opened up with 256-bit encryption. The data
would then appear to have been encrypted during transmission.
However, that first page itself did not appear to be secure (no padlock ?).
Thus, if there was a keylogger on her system, might the hacker
technically have been able to record the keystrokes of her username
and password, as she filled in the form, before sending it off ?

After using the Black Light rootkit scanner, scans with Ewido and
Super AntiSpyware didn't seem to detect anything again, though.
Quite puzzling.

Another possible explanation might be he did manage
to decrypt the transmission. At the Defence Services Asia
2004 exhibition in Kuala Lumpur, I happened to chat with
an executive at one of the stands who supplied flash memory to
the military. He said he actually had the software to decrypt
128 and 256-bit encryption, but it would take from 6 months
to a year.

However, I didn't know it would be this easy :

http://www.tinhat.com/surveillance/code_breaking.html


She mentioned yesterday that the police called and asked if
she was willing to testify in court, so possibly they had caught
the culprit(s).

Devinco
September 26th, 2006, 06:54 PM
{QUOTE-> However, that first page itself did not appear to be secure (no padlock ?).
Thus, if there was a keylogger on her system, might the hacker
technically have been able to record the keystrokes of her username
and password, as she filled in the form, before sending it off ? <-QUOTE}
The padlock means that there is a secure connection between the web browser and the website. Anyone "listening" (packet sniffers) in between the browser and website will only get encrypted data, useless to them.
A keylogger is a program that is in between the keyboard driver and operating system. So if there is a keylogger installed, it will capture all the keys typed whether she is online or offline, secure website, or regular website.

{QUOTE-> After using the Black Light rootkit scanner, scans with Ewido and
Super AntiSpyware didn't seem to detect anything again, though.
Quite puzzling. <-QUOTE}
Ewido and Super AntiSpyware are easy to use, but Rootkit scanners usually require more technical expertise to use effectively.

{QUOTE-> Another possible explanation might be he did manage
to decrypt the transmission. At the Defence Services Asia
2004 exhibition in Kuala Lumpur, I happened to chat with
an executive at one of the stands who supplied flash memory to
the military. He said he actually had the software to decrypt
128 and 256-bit encryption, but it would take from 6 months
to a year.

However, I didn't knew it would be this easy :

http://www.tinhat.com/surveillance/code_breaking.html <-QUOTE}
I really doubt a petty thief would be able to crack 256 bit SSL encryption.
Don't buy into all of the tinfoil hat conspiracies.
Yes there are a lot of bad things going on, and governments have powerful tools, but I don't think it is the case here.
I think either the website had some vulnerability, her password was too weak, or her computer was compromised.

{QUOTE-> She mentioned yesterday that the police called and asked if
she was willing to testify in court, so possibly they had caught
the culprit(s). <-QUOTE}
Well that will be a first!
Let us know what happens and how the website accounts were actually broken into.
Then maybe we can all learn how to prevent this from happening again.

DJ BIS
September 26th, 2006, 06:59 PM
I had never had any problems with Credit Card use on the internet. Today, nearly just a month after testing (and finally buying) NOD32 I get a call telling me that my credit card has been used from Great Britain.

Earlier today I also received an email from Ebay saying that my account info had been compromised and I needed to change the password. No, I did not give my credit card info to anyone through some stupid phishing email... I am concerned that NOD32 is not doing its job with OUTLOOK.

Getting a hold of phone support isn't working either. :thumbd:

Devinco
September 26th, 2006, 07:12 PM
Welcome to Wilders DJ BIS.
Are you implying that the Eset website had a security breach with your credit card?
You might want to post in the NOD forum so that they can learn about this.
But I don't think the loss of your credit card number was because of a lapse at a computer security company. It's not impossible, just very unlikely.
I've never had a problem with paying by credit card for years at Eset.
There are data breaches going on everywhere lately, so your card data could have been leaked from elsewhere.
The breach could have happened months ago and the crooks are only now getting to your account.

DJ BIS
September 26th, 2006, 07:27 PM
DEVINCO, thanks for the quick reply.
No, I have been experiencing some problems with the EMON module and having some other issues with NOD32 and OUTLOOK. I had been using PC-Cillin for years until a friend recommended NOD32 to lower resource demand on my system. So I did it and a few days later there are transactions being made from Europe with my credit card.

I don't shop from unsecured sites and my data is rather safe in my home.

I have a feeling that NOD32 missed something and could be the reason why I am going through this.

I hope thats more clear. :)

Tham
September 27th, 2006, 11:10 PM
{QUOTE->
Earlier today I also received an email from Ebay saying that my account info had been compromised and I needed to change the password. <-QUOTE}

I receive these con mails all the time. Here's one attached, traced
to Romania. This Melissa IP Locator is quite good. I used a couple
of others, All Nettools and Geobytes, which couldn't trace anything.


http://www.melissadata.com/Lookups/iplocation.asp?ipaddress=86.105.45.8&submit=submit

http://www.all-nettools.com/toolbox

http://www.geobytes.com/IpLocator.htm
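Tracing a phishing mail like the one Tham mentions means first finding the right address to look up, because the From line and any Received lines the phisher wrote himself are worthless. The Python below is an added example for this thread, not code from the original post: it walks the Received headers from the newest hop downward, trusts only hops recorded by mail servers you name, and returns the first public address those trusted hops saw. The raw message is constructed, the mail hostnames are hypothetical, and 86.105.45.8 is the address looked up above.

```python
"""Pull the originating public IP of a message out of its Received headers.

Added example for this thread, not code from the original post. The raw
message below is constructed; the mail hosts are hypothetical and
86.105.45.8 is the address looked up in the thread.
"""
import ipaddress
import re
from email import message_from_string

# Hypothetical hosts on the receiving side. Anything below the lowest
# Received header written by one of these was added before the message
# reached them and may have been forged by the sender.
TRUSTED_RELAYS = {"mail.example.org", "mx1.example.net"}

# Constructed phishing message: two genuine hops on our side, then a bogus
# bottom hop the sender wrote to make the mail look like it came from eBay.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net
\tby mail.example.org with ESMTP id abc123; Tue, 26 Sep 2006 10:01:02 -0400
Received: from unknown (HELO mail.ebay-security-update.example) ([86.105.45.8])
\tby mx1.example.net with SMTP; Tue, 26 Sep 2006 10:00:58 -0400
Received: from ebay.com (ebay.com [192.168.1.5])
\tby localhost with SMTP; Tue, 26 Sep 2006 16:59:00 +0300
From: "eBay Security" <security@ebay-security-update.example>
To: victim@example.org
Subject: Your account information has been compromised

Please confirm your password and card details at the link below.
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def public_ips(text):
    """Yield routable IPv4 addresses found in text, skipping private/reserved ones."""
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue
        if not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved):
            yield str(addr)


def originating_ip(raw_message, trusted_relays):
    """Return the public IP that handed the message to the trusted relays.

    Received headers are prepended at each hop, so index 0 is the newest.
    Walk downward while the 'by' host is one of ours, remembering the last
    public 'from' address seen, and stop at the first hop we did not record.
    """
    msg = message_from_string(raw_message)
    origin = None
    for header in msg.get_all("Received") or []:
        from_part, *rest = re.split(r"\s+by\s+", header, maxsplit=1)
        by_host = rest[0].split()[0] if rest else ""
        if by_host not in trusted_relays:
            break
        origin = next(public_ips(from_part), origin)
    return origin


if __name__ == "__main__":
    print("originating IP:", originating_ip(SAMPLE_MESSAGE, TRUSTED_RELAYS))
```

Feed the result to whichever geolocation lookup you prefer. The reason for walking top-down and stopping at the first untrusted hop is that a sender can write any Received lines he likes below the point where your own mail server took delivery, but he cannot add anything above it.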

Tham
September 28th, 2006, 12:07 PM
{QUOTE->
I had been using PC-Cillin for years until a friend recommended NOD32 to lower resource demand on my system. <-QUOTE}

Avira's Antivir, even the free version, is actually quite
good. A few months ago, I was infected with a trojan
horse which I think was part of the Spywarequake
program and inserted some 16 files in my Windows system32
folder which became memory resident, as well as
numerous registry entries.

It kept popping up the usual "Your computer is infected
with spyware, etc" on my desktop, and an icon in the
taskbar. I found the registry entries in the startup "run"
section and deleted them, but they were regenerated
on rebooting. I had AVG resident and it was useless.

I downloaded the shareware version of Prevx1, which
detected and removed all the registry entries and all
the memory resident files except one, dvdcap.dll, which
was the culprit responsible for regenerating the registry
entries and for some reason could not be removed. I tried
downloading Antivir, ran it, and it detected this file but
couldn't remove it as well.

I was thinking of going into safe mode and removing
it manually, but finally I ran Avast, which detected it and
was able to take it out from memory in windows.

I decided to test whether the three antivirus programs could
detect the 15 files quarantined by Prevx1. Both AVG and Avast
couldn't detect anything. Antivir, however, detected 14 of
them, missing only one. The scan log is attached.

Since Prevx1 is shareware, I've since taken it out and am using the
free version of Antivir. Memory usage is about 20 mb, compared to
40 mb for the paid premium version which can further detect scripts.

aigle
September 28th, 2006, 06:28 PM
Hi tham!
a totally unrelated Q, but I want to know why someone needs to buy vitamins online? I just wonder.
Online vitamin sales are useless, I think; they just deceive people (even secure). Correct me if I am wrong. It's OT, but I could not resist. Sorry.

Devinco
September 28th, 2006, 06:40 PM
Well if you are talking about buying those little blue pills online, then I agree. ;D
But there are very reputable vitamin suppliers online.
You just have to find the ones with a good reputation.

aigle
September 28th, 2006, 06:46 PM
Ya, I mean all that, but to my knowledge more than 90% of people who buy vitamins don't need them medically.
Now I will stop here as some mod will sure come in otherwise.

ccsito
September 28th, 2006, 07:35 PM
Vitamins are enzymes used by the body to perform your daily internal bodily functions (such as antioxidants to neutralize free radicals). In many cases, small amounts are needed to avoid getting nasty medical problems (such as tumors). However, I do agree that the megadoses that some people take can work against you. I think most people don't take the recommended minimum daily amounts so they could be neglecting their health. But anyhow that is straying off the topic (I majored in Biology). ;D

Tham
September 30th, 2006, 02:23 PM
{QUOTE->
Hi tham!
A totally unrelated Q but I want to know why someone need to buy vitamins online? I just wonder. Online vitamin sales are useless I think, they just deceive the people (even secure). Correct me if I am wrong.
It's OT but I could not resist. <-QUOTE}

{QUOTE->
Ya, I mean all that but in my knowledge more than 90 % of people
who buy vitamins don't need them medically. <-QUOTE}


No, don't believe what you may read in the newspapers every
now and then about some "expert" (doctors, hospital dieticians,
professors, etc) telling you that we get all the nutrients we need
from a "balanced" diet, that vitamin supplements are a complete
waste of money, the supplement industry is a multi-billion dollar
rip-off, etc etc. (as my office manager mentioned, what the ****
do these people know about vitamins ?). Common sense will dictate
that, even if we can eat a completely nutritious and perfectly balanced
diet (which is realistically impossible), what are the chances of our
gastrointestinal systems absorbing all the essential nutrients, or
sufficient amounts of them, particularly as we age ? And, even if
(theoretically) we can absorb everything, what are the chances of
them all being sufficiently transported to our cells, particularly the
brain ?

This might sound like something from "Space 2020" to you.
I'm what you call a life extensionist - "freaks" who take not only
basic vitamins, but cutting-edge supplements and even some
drugs in an attempt to live longer, or at least healthier in old age.
I've been studying aging for the past twenty years. I'm quite familiar
with the usual theories of aging - the free radical theory, the
Hayflick limit, the cross-linking theory, the neuroendocrine theory,
the mitochondrial theory and the "newest kid on the block" - the
telomerase theory. I first took an interest in this when I bought two
books, "Meganutrition" by Richard Kunin and "Ageless Aging" by
Leslie Kenton, way back in 1986.

I know for a fact that supplements, particularly the cutting-edge ones,
slow down aging, help to prevent the degenerative diseases of aging,
boost your chances of living longer or, at the very least, live healthier
as you age. That, I am very certain. You will not only look younger for
your chronological age compared to your peers, your body will stay
younger. You'll have far less likelihood, as you age, of getting heart
disease, cancer, diabetes, neurological diseases such as Alzheimer's,
Parkinson's and general memory impairment and senility. And even if
you have such diseases, supplements will help to treat and improve
them. It's never too late to fight aging. Don't buy what doctors tell us
that you can't do anything about aging, that it can't be "treated".
True, death is inevitable, but there's a lot you can do to delay it and
likely extend your lifespan. There may be only one catch to living to
120 though. My office manager said that I'll be a lonely old man by
then - all my relatives and friends would be long dead !

Here's an example of a common vitamin having cancer-fighting
properties. The "dry" form of vitamin E, called tocopherol succinate,
has the ability to cause cancer cell apoptosis (programmed cell death).
The bulk of the research is on breast, prostate and colon cancer.
The more common oily form which you find in softgels, which is
tocopherol acetate, does not appear to have this powerful activity,
or even if it has, is likely not so potent. You can find tocopherol
succinate in any health food store in the USA. That is why I order
most of my supplements online - you won't find supplements like this,
let alone the cutting-edge ones like acetyl l-carnitine and astaxanthin,
in Malaysia.

The links are from Medline, which I access every now and then :

http://www.ncbi.nlm.nih.gov/entrez/queryd.fcgi?db=pubmed&cmd=Retrieve&dopt=AbstractPlus&list_uids=10945959&itool=pubmed_docsum

http://www.ncbi.nlm.nih.gov/entrez/queryd.fcgi?db=pubmed&cmd=Retrieve&dopt=AbstractPlus&list_uids=15570054&itool=pubmed_docsum

http://www.ncbi.nlm.nih.gov/entrez/queryd.fcgi?db=pubmed&cmd=Retrieve&dopt=AbstractPlus&list_uids=16380976&itool=pubmed_docsum

http://www.ncbi.nlm.nih.gov/entrez/queryd.fcgi?db=pubmed&cmd=Retrieve&dopt=AbstractPlus&list_uids=11895920&itool=pubmed_docsum

http://www.ncbi.nlm.nih.gov/entrez/queryd.fcgi?db=pubmed&cmd=Retrieve&dopt=AbstractPlus&list_uids=12175981&itool=pubmed_docsum


I order mostly from Betterlife.com in Santa Ana, which was the one I
linked to my lady friend from Dayton above. She had diabetes, so I
suggested to her to try chromium which improves the cell's response
to insulin, and in doing so, lowers blood sugar. She later ordered
a multi for diabetics, and some others to prevent osteoporosis too.
I've been ordering from them for the past few years, and they are
quite reliable. Betterlife, like many others online, is actually a retailer,
and they source from many reputable brands like Now, Source Naturals,
Solaray, Kal, Twinlab and Rainbow Light. For a good, comprehensive,
advanced and not too pricey multivitamin formula, here is what I get for
my brother :

http://betterlife.com/prod_home_page.asp?prod_id=7629


If you wish to know more about life extension, here are three
of the principal sites on the net :

http://www.lef.org/

http://www.worldhealth.net/

http://www.imminst.org/


Really serious life extensionists take a whole range of cutting-edge
supplements and drugs daily (easily 30 different types) in addition to
an advanced, expensive basic multivit formula and practice things like
caloric restriction (CR), which I don't. CR is a proven technique of
extending lifespan in animals :

http://www.calorierestriction.org/


Here are two of the better known multi formulas taken by life
extensionists :

http://www.lef.org/newshop/items/item00836.htm

http://www.aor.ca/products/ortho_core.php


I used to take part in LEF's forum. Since their very well-informed
moderator, Tom Matthews, left some years ago, I've switched to
Immortality Institute's forum. I take part there, mostly in the
supplements section, when I have the time. Here's one of my posts.
Feel free to join in anytime, basic membership is free.

http://www.imminst.org/forum/index.php?act=ST&f=6&t=11696


Lastly, as an example of what an antiaging supplement and drug
protocol can do, this is Lex, the dog of Ronald Klatz, the President
of A4M. You can also read this in his book, "Stopping The Clock".

http://www.worldhealth.net/p/133,1125.html

The single most important item which pushed Lex to that age
(human equivalent of 115) was likely PBN (phenylbutylnitrone),
a spin trapping agent which has been used to extend lifespan in
animal trials. Some life extensionists are also taking it.

http://www.geronova.com/pbn.htm

Other critical supplements/drugs in Lex's protocol are Deprenyl
(normally given for Parkinson's, but taken by many life extensionists),
DHEA, melatonin, coenzyme Q10 and the aloe vera extract, Acemannan.
Note that they could very likely have pushed Lex past the human
equivalent of 120, had they not decided to put him to sleep after
the leg handicap caused by his stroke before that. While my own
principle would have been to preserve life no matter the odds,
their decision also demonstrates one of the basic motives of life
extension itself - to improve the quality, not just the quantity of life.

I think it's time to stop here, before this security forum turns
into a life extension forum and I get banned by the moderators !