Norton Firewall Private Information Alert

Discussion in 'other firewalls' started by klhendrick, Dec 24, 2004.

Thread Status:
Not open for further replies.
  1. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    On December 17th I started getting "Private Information Alerts" from my Norton Personal Firewall. The Alert indicates "High Risk" and states "Your computer is attempting to send Private Information over the internet". In the details it indicates:

    Sending To: "http://oe.bay3.msnmail.hotmail.com/cgi-bin/hmdata/<remove> at msn.com/folders/ACTIVE/MSG11033XXXXX.7" (the X's are the last five digits of one of my credit cards)

    Category: Credit Card

    Information Blocked: XXXXX (the last five digits from one of my credit cards)

    I had my Firewall set on Medium security, so these attempts were always blocked, but only after giving me an alert. I have changed the setting to Advanced security, so at least I am not getting the alerts. However, the attempts are continuing, but are automatically blocked.

    These attempts have been occurring at least every 20 minutes and sometimes more often.

    I have done scans of all my computer's hard drives with Norton Systemworks and Ad-aware both of which indicate they are clean.

    These attempts to send private information are originating from within my computer. Even though I am no longer getting the alerts, the attempts continue to occur according to my Firewall log. Fortunately, my firewall is blocking these ongoing attempts.

    Can anyone advise me on how to identify the source and eliminate it?
     
    Last edited by a moderator: Dec 24, 2004
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,493
    Location:
    Texas
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I am surprised that Norton doesn't tell you which program is attempting to connect outbound.. You might double check the logs again.. Not much help I'm afraid though... :doubt:
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  5. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    I want to thank everyone who responded to this Post. Only one suggestion provided a solution. Thanks to Ronjor for suggesting Pest Scan. It identified 13 "Pests" all of which could be deleted. All other suggestions produced a clean scan.

    Ken Hendrick
     
  6. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Can I also suggest you always encrypt your personal data such as card numbers. There are many free progs around to do this.
    Gordon
     
  7. zog_2005

    zog_2005 Registered Member

    Joined:
    Dec 29, 2004
    Posts:
    1
    klhendrick,

    It looks like this is a false positive. It appears to be a coincidence that the msn.com/folders/ACTIVE/MSG11033XXXXX.7 which may be regular hotmail traffic happened to match the last 5 digits of your credit card. You may want to increase the number of credit card digits configured in Norton's private information configuration.

    The 13 pests is probably again just another coincidence.

    Btw... if you want to find out which app was sending the info, you could look for entries in the NIS connection log going to the same URL as that mentioned in the private information alert.
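The false-positive explanation in the post above can be checked numerically. This is an added example, not part of the thread and not Norton's matching logic: it assumes a plain substring match, uniformly random 10-digit message IDs, and uses constructed card digits and a placeholder host.

```python
# Added example: constructed values only, not Norton's matching logic.
PROTECTED_SHORT = {"Credit Card": "45678"}             # constructed last five digits
PROTECTED_FULL = {"Credit Card": "4000001234545678"}   # constructed full number

# Constructed URL shaped like the one in the alert (host and user are placeholders).
SAMPLE_URL = "http://mail.example.test/cgi-bin/hmdata/user/folders/ACTIVE/MSG1103345678.7"


def blocked_categories(outbound_text, protected):
    """Categories whose protected string appears anywhere in the outbound text."""
    return [cat for cat, value in protected.items() if value in outbound_text]


def ids_containing(pattern, n):
    """Count n-digit strings that contain `pattern` (exact, via a KMP automaton)."""
    k = len(pattern)
    fail = [0] * k                       # KMP failure function
    j = 0
    for i in range(1, k):
        while j and pattern[i] != pattern[j]:
            j = fail[j - 1]
        if pattern[i] == pattern[j]:
            j += 1
        fail[i] = j

    def step(state, digit):              # automaton transition on one digit
        while state and pattern[state] != digit:
            state = fail[state - 1]
        return state + 1 if pattern[state] == digit else state

    clean = [1] + [0] * (k - 1)          # clean[s]: strings in state s, no match yet
    for _ in range(n):
        nxt = [0] * k
        for s, count in enumerate(clean):
            if not count:
                continue
            for d in "0123456789":
                t = step(s, d)
                if t < k:                # t == k means the pattern matched; drop it
                    nxt[t] += count
        clean = nxt
    return 10 ** n - sum(clean)


def chance_of_alert(pattern, id_digits, requests):
    """P(at least one match) over `requests` independent, uniformly random IDs."""
    p = ids_containing(pattern, id_digits) / 10 ** id_digits
    return 1 - (1 - p) ** requests
```

Under these assumptions a five-digit pattern matches about 6 in 100,000 random IDs, which adds up over thousands of mail requests, while the full 16-digit number cannot match a 10-digit ID at all.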
     
  8. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    Btw,

    Thanks for your feedback. I was about to change the number of digits in my privacy settings as suggested, but as I am sure you intended, it would then let the messages out. These attempts are still occurring. I'm not ready to do that. I don't think the last five digits matching one of my credit cards is a coincidence. These attempts began at the same time that I received what appears to be a bogus email from Barnesandnoble.com. This email was received on December 17th. When I opened it, it read "Message could not be displayed". About that same time is when I started getting the "Private Information Alerts". If I delete the email, it ALWAYS reappears as an unread email with the same date of origin whenever I go back into my Inbox. I think there is a connection between the two, but I haven't been able to figure it out. I have sent all of the available information on both issues to "Abuse@MSN.com" and I believe they are researching it. At least they came back and asked for more information.

    If this gets figured out, I will post what I learned on this thread.

    Ken Hendrick
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,493
    Location:
    Texas
    I would ask the credit card company for a new account number as well.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The main problem with "private information" monitoring is that it cannot work if private information is sent out in encrypted form (a number of trojans encrypt their data and https connections can be used in a similar fashion - see The Dangers of HTTPS for more details). As such it can give a false sense of security compared to a layered defence including firewall, webfiltering, antivirus/antitrojan scanners and process monitoring software.
     
  11. klhendrick

    klhendrick Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    4
    Ronjor and Paranoid 2K,

    Thanks for the additional information. Getting a replacement credit card number is so simple and obvious, I completely overlooked it. Thanks for looking over my shoulder. Proxomitron looks like a must part of a secure computer.

    Ken
     