June 14th, 2008, 03:39 PM
Wouldn't there be https between the computer and Paypal via the router?
Originally Posted by ShagDevil
The router wouldn't be encrypting and decrypting SSL packets? Https is
all tcp/ip whether it's inside the router or outside, and as such would be
encrypted on either side except at the endpoints, which the router is not.
“Everybody is ignorant, only on different subjects.” — Will Rogers
June 14th, 2008, 04:25 PM
Yeah, you're right. For whatever reason, I've been thinking of HTTP this entire time. Even if his WPA passphrase is brute-forced, the HTTPS traffic will still be garbled nonsense.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
June 14th, 2008, 05:37 PM
Having worked as an auditor for a number of years in my early career, all I can say is follow the money. If money is taken out of an account it has to go somewhere, and that is what law enforcement and PayPal are for.
I will reiterate previous requests for information regarding physical security of the PC and the router. Also, are you sharing a connection over a network or is this a stand-alone setup entirely under your physical control?
Sometimes it is beneficial to start with the answer and work back to the question? If I know where the money went, it might give me an idea of who did it, and that could lead me to how?
June 14th, 2008, 07:09 PM
The HTTPS session exists between the computer and the HTTPS server via the router. The HTTPS traffic is simply encapsulated inside the WPA traffic.
June 14th, 2008, 09:49 PM
June 15th, 2008, 07:19 AM
nihil is quite right. You mustn't approach this purely as a hack, it's actual crime. Immediately inform PayPal and authorities. A good computer crime division will send an expert forensic team to analyze your equipment, as well as follow the money trail.
An extremely common error of hackers is that they will transfer money to their accounts, or purchase something very traceable (passing through customs, or having DHL tracking). I bet that PayPal will also do everything they can to help you in order to keep their good name.
I would appreciate it if you keep us posted on the results.
June 15th, 2008, 11:52 PM
Thanks for the replies!
First thing I did was contact PayPal. They are going through their normal process. It should take 10 days and I should get my money back.
At this point I'm just trying to figure out how it happened so it doesn't happen again.
So, I'm the only one that uses this computer besides my girlfriend who checks her gmail. I'm connected to a wireless router with WPA, the router is connected to a cable modem, I'm the only one on the network. No one else knew my PayPal password and I didn't use that same password for another account.
I'm 99% sure I don't have a keylogger, unless it's the most stealthy, unknown one that exists or it deleted itself (which I've never heard of). That pretty much leaves:
- Network sniffing: Unlikely because of WPA and HTTPS
- Phishing: Unlikely
- XSS on Ebay Auction: If this is even possible, doesn't look like it happened
- Brute-forced: Pretty unlikely considering the password
June 16th, 2008, 01:52 AM
Self-deleting keyloggers do exist.
All I can suggest is:
1. Get A-squared, update it and run it in safe mode with all scanning options "on".
2. Get a file recovery tool such as UndeletePLUS and run that. Look for files around the date of the incident.
June 16th, 2008, 05:08 AM
Re: #1. Nothing came up here
Originally Posted by nihil
Re: #2. This didn't show much at all. I had a BSOD today which dumped my ram and probably wiped out a lot of "undeletable" files.
One thing I noticed is that I have 2 emails: One is confirmation that I won the auction (which I did with Buy It Now), the other one is confirming one of the fraudulent transfers (there were more than 1). What's weird is that both have the same exact time (1:19AM). I didn't actually pay until 1:22 though.
How about something like this?
Last edited by fetuz; June 16th, 2008 at 05:31 AM.
June 16th, 2008, 09:43 AM
Yes, XSS or some other drive by would seem the most likely candidate, and I would suspect the page on which you made the "buy now" purchase, or one you visited prior to that. I am guessing that the other one took longer to confirm?
Assuming that the times are correct, or at least from the same source then it can be explained.
It would still require something to be loaded onto your machine, I would have thought?
A possible scenario might be:
1. You log onto e-bay and start looking at stuff.
2. You visit a contaminated page and malware is loaded onto your machine.
3. You decide on a "buy now transaction"
4. You open your pay pal account and authenticate yourself. That gets your pay pal details and password to the fraudster.
5. The fraudster now has to move quickly or there is a good chance that you will spend the money before his transaction goes through. Possibly a bot does that?
I am not sure why the transaction was split, as I don't know enough about the internal workings of paypal. Were they both for the same amount? A common reason is to avoid some sort of internal control threshold, although if the amounts are the same it could be just a badly programmed bot? Were the two fraudulent transactions at the same time?
The main problem with fraud from the criminal's viewpoint is converting the transactions into cash or goods whilst avoiding detection. This is when most of them get caught.
Whatever was on your computer would uninstall itself as it is a potential evidence trail back to the fraudster? It might have loaded itself directly into RAM as I have read of recent malware that can do this.
Last edited by nihil; June 16th, 2008 at 09:47 AM.