Credential Stealing Trojan Tuesday, Jul 19 2011 

The bank alerted us three weeks ago; they told us there
was a breach of our password and that a payment of
$3,907.39 was sent out of the country.
The bank was watching the use of the rogue IP address
they used to log into our account - a different one
than ours.
The bank suggested we had entered our details into a
false bank web page; they said from their end they could
see that there was a Credential Stealing Trojan at work
- not Identity Theft.
We were told that an outside IT person should run the
latest Nortons over the system here. Steve Thomson came
and installed Norton's System Works 3.0 on Barbara's
machine. The newer update didn't download, the 'virus
definitions' - we had to get a newer version, Norton
Internet Security (for the Mac) 4.1, we ran it, took 2.7
days and - no virus detected.
We have never entered passwords into a false web page.
The bank opened our account again and we set newer
passwords, Friday week. The following Saturday morning
our account was entered on their second password
attempt, (I had used numeral ones and capital I's) and
they got it on the second try. So they had a key logger
in our network here and we had to find it?
Steve was back and installed Norton's 4.1 (a separate
install for every machine), ran that over my G5 and four
external mirrored drives - no virus detected.
The criminals were depositing other monies into our
account and used my machine's IP address to do it!
Then an email from PayPal saying that my account was
'limited', so I changed my password & questions online
with the laptop and rang the
PayPal Sydney operator and had the 'limited' kept in
place as I was suspicious about our changing details and
they may be watching . . .
So I arranged for Steve to come here and be on the
machines while we talked to the eFraud / Westpac IT man
on the phone in Sydney. The only other thing the guy
could think of was that they had gained entry via our
locked wireless network - the Router! So Steve came over
to my machine and opened the Router log and there they
were . . . he quickly did a command A - selected all
the log data and pasted it into an email and sent it to
the Sydney IT guy.
Steve then moved over to Barbara's machine and picked up
the phone and opened the log across the ethernet system
and the log was
deleted before his very own eyes. We closed down the
wireless network, unplugged the Modem for 17 hours and
when it turned on it was reset to another IP address.
We then reinstalled newer systems on all four machines,
changed all the passwords (wireless network first) then
the sharing setups.
Now the only way the Router will let anyone in is by
the individual MAC address of the computer . . . we are
specifically limited.
Our email accounts were compromised and emails were read
every day, our own email addresses are all the same
still, now that all the server passwords have been
changed so they cannot see anything now.
The July bank statement will show all, the bank lady
says . . . .
So all of our credit cards are changed and on the way to
us, the account is still 'limited', we will now use
'tokens' for every payment.
When Barb is back we have to recreate all bank
procedures and passwords, they go and change every other
password we have used at every other entity we deal
Again for Mac users, Keychain holds every password you
use and logs all the use of them, well, locked or not
that's the first thing they'll do is crack that and
you are laid bare. We haven't enabled it, Steve is
dubious of its strength and use in the scheme of things.
So they either sat outside our place and with a Mac
(because the bank has that Mac computer's ID they used),
managed to unlock our locked network. Gained access to
Barb's machine, found the passwords secret file on her
machine and stayed lurking and logging every key action.
They could also have gained access via a new
'Drive-by-Reflector' that would have come from a web
page and installs itself inside a Browser (but not
Safari, he says) . . . we don't actually know how they
gained access. Scary - hey?
Hope that helps . . . passwords should be at least 12
keys long with numerals, upper and lower case, shift
characters and use all different strokes - no words, no
running sequence of numbers like year of birth in 4
Don't become complacent just because the Mac operating
system is "supposedly written correctly", malware is all
over the internet and we are all under attack!

No fooling these web stats either . . . the viewersite blog is really trucking Friday, Apr 2 2010 

The B) shows a dive because we are only 8 days into the month of April 2010.

The A) indicated the two months we are away in Tasmania.

The best day was 2 March 2010 with 392 views, the two best months were July 2009 with 2,416 views and March 2010 with 2,379 views.

The monthly stats for year 2007, the first year of the viewersite blog – here.