Username/Password stolen

Discussion in 'privacy general' started by SimonW, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    A couple of days ago I was locked out of a secure website and then received an email from them saying the account had been frozen due to multiple logins.

    My question is - how could my details have been stolen?

    I am behind a hardware NAT Firewall/Router and also run LooknStop firewall, NOD32, Adaware, Spybot, TrojanHunter & ProcessGuard - all with latest updates.

    With this setup I thought I was pretty secure - I just wonder how my username/password could have got into the wrong hands - any ideas/comments from people here?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Simon, There are many ways that this can happen but first I would contact the website for more details of the said problem.

    Malicious scripting is also a possibility; you do not appear to have a scripting protection programme such as Benign (B9) or WormGuard.

    Passwords can be easily guessed unless they are strong, incorporating letters, numbers and other characters, such as "thomps0ns>1234<yell0w[*]pages". It is relatively easy for a cracker to get simple passwords using readily available tools.

    Have you been asked by the site to forward your details to their site for any reason? This is a well known scam, as the crackers use spoof websites or convincing emails.

    Have you downloaded any programmes or files from file sharing sites, are you sure they were safe?

    Does anyone else have access to your PC that could have placed a malicious programme on it?

    Process Guard will stop keyloggers but only if your PC was clean before install.

    If you are compromised then change ALL your PC passwords and passwords used for other things that are stored on your PC as they are all likely to be at risk for use by the cracker.

    I am sure I have missed many things but others will jump in no doubt.

    Pilli
     
  3. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Hi Pilli,

    Thanks for taking the time to respond - hope you don't mind me addressing each of your points in turn, as I try to get to the bottom of this.

    Malicious scripting is also a possibility; you do not appear to have a scripting protection programme such as Benign (B9) or WormGuard.
    I will have to look into WormGuard - I thought, perhaps naively, that NOD32/TrojanHunter would catch any worms. I will have to look into the benefits of running WormGuard.

    Passwords can be easily guessed unless they are strong, incorporating letters, numbers and other characters, such as "thomps0ns>1234<yell0w[*]pages". It is relatively easy for a cracker to get simple passwords using readily available tools.
    If a password is only ever entered on a web form then they can only be brute-force trying details on the same site, and my password was strong, which makes me believe that it was grabbed as opposed to guessed.

    Have you been asked by the site to forward your details to their site for any reason? This is a well known scam, as the crackers use spoof websites or convincing emails.
    I would never respond to an email asking for user details or sending me off to 'fake' url. Had a few recent emails purporting to be from eBay recently as well :)

    Have you downloaded any programmes or files from file sharing sites, are you sure they were safe?
    Yes, a few. But, on the assumption that if they tried to 'phone home' my combination of LooknStop spotting new web connections and ProcessGuard spotting injections/hooks etc. would keep me pretty safe o_O

    Does anyone else have access to your PC that could have placed a malicious programme on it?
    Nope - only me !

    Process Guard will stop keyloggers but only if your PC was clean before install.
    ProcessGuard was installed early into a clean build, but I guess it is difficult to say whether a machine is 'clean'? I only allow a few processes to get through the firewall anyway. I presume keyloggers would have to access the net themselves to send back their details? (PG aside - I think it's strange that even after learning mode has been turned off some programs that run at boot up show up as allowed to run in the PG log screen that have not been authorised by me)

    If you are compromised then change ALL your PC passwords and passwords used for other things that are stored on your PC as they are all likely to be at risk for use by the cracker.
    Agreed - but I'm paranoid now that if something IS watching/listening then any online changes I make will also instantly be grabbed...

    I wonder if the site wasn't encrypting how likely is it that the plaintext data could have been examined as it travelled across the net?

    Thanks
    Simon
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    It appears you are no newbie :)

    Was it an Https connection? Normal Http is not secure.

    You will need to communicate with the website administrator to find out more about your multiple login problem - were they from different IP addresses, i.e. not yours? Or had your PC been trying to login without your knowledge, i.e. some sort of schedule? Without more information about the site we cannot help you with that.

    Process Guard will have picked up many system .exe's during learning mode, that is why you were not asked. I am pretty sure everything after that would have required you to allow etc.
    And yes, PG would have stopped .dll injection from a keylogger.
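    Pilli's point about plain Http is that anything typed into a login form on an unencrypted page crosses the network readable to anyone on the path. One defender-side check a site owner (or a cautious user viewing page source) can make is whether a form that contains a password field actually submits to an https URL; the page itself being http is not the whole story, since the form action decides where the credentials go. The following is an added example written for this thread, not code from any of the posters or the products named; the page URL and HTML snippets are constructed.

```python
"""Flag login forms that would submit the password over plain HTTP.

Added example, not from the thread. The page URL and the HTML snippets
below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password field and resolve
    the absolute URL it submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None   # form being parsed, or None when outside a form
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing/empty action submits back to the page's own URL;
            # a relative action is resolved against the page URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_targets(page_url, html):
    """Return the submit URLs of password forms that are not https."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return [f["action"] for f in parser.forms
            if f["password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample: a members' login page served over plain http whose
# form posts, via a relative action, back to the same http site.
PLAIN_PAGE = "http://www.example.com/members/login.php"
PLAIN_HTML = """<form method="post" action="checklogin.php">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Login">
</form>"""

# Constructed sample: same http page, but the form posts to an https URL,
# plus an unrelated search form with no password field.
SECURE_HTML = """<form method="post" action="https://www.example.com/login">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for target in insecure_login_targets(PLAIN_PAGE, PLAIN_HTML):
        print("password would be sent in clear to", target)
    print("secure variant flags:", insecure_login_targets(PLAIN_PAGE, SECURE_HTML))
```

The check is deliberately narrow: it only asks where the password field goes. A page served over http can still be tampered with in transit to change that action, which is why serving the login page itself over https matters as well.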
     
  5. Justhelping

    Justhelping Guest

    One last possibility, it was a site error, or the site was broken in itself.
     
  6. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Yes, just a normal Http connection, so that could be the cause.

    The web administrator sent me a jpg of the failed logins - which do indeed come from many and varied ip addresses.

    Process Guard will have picked up many system .exe's during learning mode, that is why you were not asked. I am pretty sure everything after that would have required you to allow etc.
    And yes, PG would have stopped .dll injection from a keylogger.

    I wonder why some are missing from the checksum page then. My Belkin UPS runs a program wonderfully titled 'hello.exe' at startup and this is not in the checksum list, but the log screen says that it was allowed to run.... :doubt: (perhaps this particular question should be in the ProcessGuard forum !)

    Do you know if keyloggers normally inject or run as hidden processes that connect directly?

    My main concern now is whether I should start afresh before changing passwords etc. as there is clearly no definitive test I can perform to prove everything is OK. (BTW also ran HiJackThis which checked out OK)
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Regarding keyloggers I'm afraid I do not have enough knowledge to answer your question, I believe they can be very specialised.

    Before doing anything drastic also run AutoStart Viewer from here: http://www.diamondcs.com.au/index.php?page=asviewer and post the findings here: Select all three options in AS viewer then save the text, copy and paste in your next post.

    Failed logins presume that they were not correct, which seems a bit mysterious to me. You could ask the site if they have had many of these types of problems, as it could be their system not yours that is giving out false or corrupt information, especially as they are not using https.

    Pilli
     
    Last edited: Jul 1, 2004
  8. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Just to be sure, if you are in Windows XP/W2K, can you run netstat -ao? Does your firewall software list any outgoing IP addresses? If so, then you can observe if there are any suspicious IP activities. Try this experiment:

    1) Logon to your web site (the one whose logon details have been stolen).
    2) Besides the IP address of the web site listed in your firewall program, are there any other strange IP addresses listed as well?


    On your password issue, check out ipGuardian v1.7 which comes with a more secure logon process. You do not need to type in your username/password once you have set it up.

    Good Luck

    P.S. if your firewall program does not list the IP address, try this cheapie utility,
    http://www.soft-trek.com.au/prjIpTicker.asp (catch: it only works with XP/W2K).
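    The experiment sekuritas describes (log on to the site, then look at which remote addresses the machine is talking to) is easier to read when the `netstat -ao` listing is reduced to established sessions with peers you did not expect. The following is an added example for this thread, not code from any poster or from ipGuardian/IpTicker: it parses a constructed Windows `netstat` listing (numeric addresses, as `netstat -aon` prints them) and flags established TCP sessions to addresses outside an assumed allow-list of the site and the LAN router.

```python
"""Flag unexpected established connections in Windows `netstat -ao` output.

Added example, not code from the thread. SAMPLE_NETSTAT is a constructed
listing in the Windows layout (Proto, Local Address, Foreign Address,
State, PID) with numeric addresses; EXPECTED_PEERS is an assumption.
"""
import ipaddress
import re

# Constructed sample of `netstat -aon` output taken while logged on to the
# site at 198.51.100.20 (documentation address, not a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1083       198.51.100.20:80       ESTABLISHED     1512
  TCP    192.168.1.5:1091       203.0.113.77:6667      ESTABLISHED     2044
  TCP    192.168.1.5:1097       192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1124
"""

# Peers the user expects while logged on (assumed): the web site itself
# and the NAT router's web interface.
EXPECTED_PEERS = {"198.51.100.20", "192.168.1.1"}

# One netstat row; the State column is absent for UDP, hence optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_host_port(addr):
    """Split 'host:port' into (host, port); netstat prints '*' wildcards."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per connection row, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["foreign_host"], row["foreign_port"] = split_host_port(row["foreign"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def is_remote(host):
    """True for a real peer address (not a wildcard, 0.0.0.0 or loopback)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # '*' or a hostname netstat left unresolved
    return not (ip.is_unspecified or ip.is_loopback)


def unexpected_connections(text, expected=EXPECTED_PEERS):
    """(pid, 'host:port', state) for established TCP sessions to peers
    that are not on the expected list."""
    hits = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        if is_remote(r["foreign_host"]) and r["foreign_host"] not in expected:
            hits.append((r["pid"], r["foreign"], r["state"]))
    return hits


if __name__ == "__main__":
    for pid, peer, state in unexpected_connections(SAMPLE_NETSTAT):
        print(f"PID {pid} holds an {state} session to {peer}; identify that "
              f"process before trusting the machine")
```

Run against the sample it reports only PID 2044 talking to 203.0.113.77:6667, which is the kind of line sekuritas's experiment is meant to surface; the listening sockets, the loopback UDP socket and the session to the site itself are filtered out. The PID column is what lets you tie the session back to a process, which plain `netstat -a` does not give you.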
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SimonW,

    One observation - if your password had been stolen, then there would have been no need for an attacker to make multiple logins! It sounds as if, instead, someone is trying a brute force attack on your account name (and it is possible that this information was leaked from the site itself; some have been shockingly careless about account security in the past).

    From your setup, I would say that you should be secure against most malware (as long as you are alert to any changes reported on your system) but I would suggest a web filter like Proxomitron to remove active content (Java, Javascript, ActiveX) from sites you do not trust and (if you are not already) using an alternative browser to Internet Explorer.
     
  10. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Paranoid2000:
    The username / password had been used successfully by different IP addresses hence the lock. It was the multiple IP logging that caused the admin to lock the account. I don't know how many password based sites actively do this kind of checking though.

    I had been running IE but I'm now looking at Firefox / Opera as alternative browsers just to be on the safe side...


    sekuritas:
    Thanks for the app suggestions. ipGuardian looks interesting but it might be that Firefox or Opera have this kind of functionality as add-ins (early days with them both so not sure yet). Looks like a Pentium 4 performance enhanced build of Firefox here ( http://www.mgillespie.plus.com/Mozilla/Firefox.htm ) is pretty good too.


    Pilli:
    Ran Autostart Viewer but nothing unexpected was listed so not really worth posting. Just as a passing thought I'm wondering whether I'd be better buying TDS rather than using TrojanHunter though as the trial version looks most impressive.... :)
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Thanks for the clarification. Sites that expect "account sharing" are the most likely to track IP address usage - especially where it affects their income. Since you have said the login page was non-encrypted (very unusual nowadays!), this does leave the possibility of packet interception (which could be by a packet-sniffing trojan on a PC anywhere on the route between you and the site). Using an anonymizing proxy like JAP which encrypts the traffic between your PC and a proxy server can provide some protection against this (preventing packet sniffers at your end, but not theirs). However, I would be tempted to suggest using another site.
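    The thread distinguishes two patterns the site's administrator could have seen: the brute-force attempt Paranoid2000 first suspected (many failed logins against one account) and what actually happened (successful logins for one account from many different IP addresses, the "account sharing" check Paranoid2000 describes). The following is an added example written for this thread, not the site's code or any poster's: it runs both checks over a constructed authentication log whose format, account names and addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Two server-side checks over a web site's login log.

Added example, not the site's code. SAMPLE_LOG, its format and every
account name and address in it are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2004-06-29 08:02:11 login user=simonw ip=192.0.2.10 result=OK
2004-06-29 09:15:40 login user=simonw ip=192.0.2.10 result=OK
2004-06-29 19:44:03 login user=simonw ip=203.0.113.9 result=OK
2004-06-29 19:52:27 login user=simonw ip=198.51.100.44 result=OK
2004-06-29 20:01:58 login user=simonw ip=203.0.113.200 result=OK
2004-06-29 20:03:12 login user=pilli ip=192.0.2.77 result=OK
2004-06-29 20:05:00 login user=pilli ip=192.0.2.77 result=FAIL
2004-06-29 20:07:33 login user=anne ip=198.51.100.44 result=FAIL
2004-06-29 20:07:40 login user=anne ip=198.51.100.45 result=FAIL
2004-06-29 20:07:47 login user=anne ip=198.51.100.46 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, user, ip, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def shared_accounts(events, window=timedelta(hours=24), max_ips=2):
    """Accounts with successful logins from more than max_ips distinct
    addresses inside any sliding window of the given length. This is the
    check that froze the account in the thread. Returns {user: sorted ips}."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "OK":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def brute_forced_accounts(events, max_failures=2):
    """Accounts with more than max_failures failed attempts: the pattern
    Paranoid2000 first suspected. Returns {user: failure count}."""
    failures = defaultdict(int)
    for _, user, _, result in events:
        if result == "FAIL":
            failures[user] += 1
    return {u: n for u, n in failures.items() if n > max_failures}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, ips in shared_accounts(events).items():
        print(f"{user}: successful logins from {len(ips)} addresses, "
              f"{', '.join(ips)} - credentials likely in someone else's hands")
    for user, n in brute_forced_accounts(events).items():
        print(f"{user}: {n} failed attempts - password guessing in progress")
```

On the sample, `simonw` is the only account flagged by the multi-address check (four distinct source addresses inside a day, all successful) and `anne` the only one flagged by the failure check; `pilli` trips neither. The two signals call for different responses: the first means the password is already known to someone else and must be changed from a trusted machine, the second means the password has so far held.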
     