Strange links from my Banking website

Discussion in 'other security issues & news' started by 7hohPAyXMd, Mar 7, 2014.

Thread Status:
Not open for further replies.
  1. 7hohPAyXMd

    7hohPAyXMd Registered Member

    Joined:
    Mar 7, 2014
    Posts:
    11
    Hi all,

    I noticed the following two strange new links in my banking website (Poste italiane: poste.it). Does anyone know what they might be?

    Please see screenshots for more details.
    http://http: //i.imgur.com/ eX4HY8X.jpg
    http://http: //i.imgur.com/ gymDoLv.jpg


    removed link clickability - unknown
     
    Last edited by a moderator: Mar 7, 2014
    7hohPAyXMd, Mar 7, 2014
    #1
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I would say from that, the likelihood is that you have been infected by a bot of some kind, quite possibly one of the recent zbot family of malware that is injecting or attempting to inject false information into the bank website

    Do a full scan with a good antivirus in the first instance and then seek help on one of the malware cleaning sites

    It is possible that you have some sort of malware that attempts to inject adverts into the site & replace any of the sites adverts. If the IP number that you have blanked out is your own IP that is the most logical explanation
     
    dvk01, Mar 7, 2014
    #2
  3. devonnullworth

    devonnullworth Registered Member

    Joined:
    May 17, 2014
    Posts:
    1
    Did this happen to be from a capitalone.com domain? I happened to see a blocked script from 127.0.0.1 plus my public IP in my NoScript listing. This kind of freaked me out, since (of course) it was our credit card site.

    I did some digging, and that appears to come from an 'fp_AA.js' script located at:

    https://login1.capitalone.com/resources/jscript/fp_AA.js

    I de-minified that script, and posted it here:

    http://pastebin.com/P3WiGzDG

    The relevant code calling the image is at line 509:

    ProxyCollector.doAjax = function (k, l) {
    var j = document.location.protocol + "//" + k + ":" + getRandomPort() + "/NonExistentImage" + getRandomPort() + ".gif";

    So, it appears to be some kind of browser fingerprinting/proxy collector JavaScript. Perhaps it's trying to do an nmap-style TCP fingerprint of the response when it sends an HTTP request to a closed port?

    Also interesting is that I'm seeing those UUIDs listed on line 459 mentioned at:

    http://www.browserleaks.com/javascript

    And there's an interesting read from Mozilla about browser fingerprinting at:

    https://wiki.mozilla.org/Fingerprinting

    It doesn't appear to be malware, just plain visitor tracking evilness.
     
    Last edited by a moderator: May 17, 2014
    devonnullworth, May 17, 2014
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...