Sheesh!
The post was too long.
I'll retype.
come again?
Sorry guys,
It doesn't seem to want to post my post. I thought there might be a character limit on it.
I guess not. Any ideas why it will post this and not my other posts???
OK, I'll try again.
A couple of days ago my girlfriend received an email from a public-spirited hacker saying that her credit card details (name, address, etc.) had been posted on Hackermail.com by some s**tbag lowlife. Before we had time to react, over 5k had been stolen.
Now I really need to know how those MF's did it.
Any ideas??
Here are my system specs.
Three computers on a home network running Win2k with Norton Personal Firewall on all three machines (at the time of the offence only on the ICS host), ADSL.
Norton AntiVirus 2002 on all three machines (I now have The Cleaner).
The network was using NetBIOS and TCP/IP, file and printer sharing, with each machine on its own static IP address (for some reason I couldn't get it to work by obtaining the IP automatically).
I've now changed to IPX and TCP/IP with file and printer sharing after reading an article on this site (I wish I could get rid of file and printer sharing but it's necessary, and I still can't get the machines to obtain their IPs automatically).
Norton is/was configured to scan every week and found no viruses, although when I ran The Cleaner the other day it found the Kazaa BDE, which Norton missed.
Could that be the cause of the breach?
I've been getting a lot of activity from Norton Personal Firewall; here's a taste:
Date: 6/23/2002 Time: 2:22:25
Rule "Inbound UDP address: 0.0.0.0" blocked (xxx.xxx.xxx.xxx.xxx) Details:
Inbound TCP connection
Local address,service is (xxx.xxx.xxx.xxx.xxx)
Remote address,service is (xxx.xxx.xxx.xxx.xxx)
also this
Date: 6/22/2002 Time: 20:10:51
Inbound UDP packet blocked. Details:
Local address,service is (255.255.255.255,bootps(67))
Remote address,service is (0.0.0.0,bootpc(68))
I guess the one above is traffic on the network, because I get it when I'm not online.
But I haven't got a clue what any of this stuff means; could someone explain it?
For extra security I'm looking at a proxy server. I tried A4 proxy but it slowed surfing down to a crawl. Does anyone know if Anonymiser is any good?
I thought my system was pretty secure up until my partner's details were stolen. I really don't know where they got the info from. We use the internet a lot for purchases, so they could have gotten it from any number of websites.
I had made a few purchases with my card a couple of days before the email and I've had no problems, which leads me to believe it's not my network that has been breached but a website.
But how likely is that?
Regardless of how it happened I'd like to make my system as secure as possible so any help and advice you guys can give will be greatly appreciated (and any good books you can recommend).
Thanks.
Nick.
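The two firewall entries quoted in the post above, parsed and tagged by a small script. This is an added example, not part of the original thread; SAMPLE_LOG is the poster's two entries copied as constructed test input (the first has its addresses redacted to "xxx", so it cannot be interpreted), and the helper names (parse_log, classify, protocol_mismatch) are hypothetical. The one interpretation the code builds in is a standard one: a UDP packet from 0.0.0.0 port 68 (bootpc) to 255.255.255.255 port 67 (bootps) is a DHCP client broadcast from a machine that has no address yet, which is why it appears even when nobody is online.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the two Norton Personal Firewall entries quoted in
# the post, copied as they appear there (the first is redacted by the poster).
SAMPLE_LOG = """\
Date: 6/23/2002 Time: 2:22:25
Rule "Inbound UDP address: 0.0.0.0" blocked (xxx.xxx.xxx.xxx.xxx) Details:
Inbound TCP connection
Local address,service is (xxx.xxx.xxx.xxx.xxx)
Remote address,service is (xxx.xxx.xxx.xxx.xxx)
Date: 6/22/2002 Time: 20:10:51
Inbound UDP packet blocked. Details:
Local address,service is (255.255.255.255,bootps(67))
Remote address,service is (0.0.0.0,bootpc(68))
"""

DATE_RE = re.compile(r"^Date:\s*(\S+)\s+Time:\s*(\S+)")
ADDR_RE = re.compile(r"^(Local|Remote) address,service is \((.*)\)\s*$")
# "255.255.255.255,bootps(67)" -> ip, service name, port
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),(\w+)\((\d+)\)$")

NETBIOS_SMB_PORTS = {137, 138, 139, 445}


@dataclass
class Entry:
    date: str
    time: str
    detail: List[str] = field(default_factory=list)  # free-text lines between header and addresses
    local: Optional[str] = None
    remote: Optional[str] = None


def parse_log(text: str) -> List[Entry]:
    """Split the log into entries; each starts at a 'Date: ... Time: ...' header."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.match(line)
        if m:
            entries.append(Entry(date=m.group(1), time=m.group(2)))
            continue
        if not entries:
            continue  # stray text before the first header
        m = ADDR_RE.match(line)
        if m is None:
            entries[-1].detail.append(line)
        elif m.group(1) == "Local":
            entries[-1].local = m.group(2)
        else:
            entries[-1].remote = m.group(2)
    return entries


def endpoint(raw: Optional[str]) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for an 'ip,service(port)' field, or None when redacted/unparseable."""
    if raw is None:
        return None
    m = ENDPOINT_RE.match(raw)
    return (m.group(1), int(m.group(3))) if m else None


def protocol_mismatch(e: Entry) -> bool:
    """True when the entry's own text names both UDP and TCP (internally inconsistent)."""
    text = " ".join(e.detail)
    return "UDP" in text and "TCP" in text


def classify(e: Entry) -> str:
    """Tag an entry: 'dhcp-broadcast', 'netbios-smb-probe', 'redacted' or 'other'."""
    loc, rem = endpoint(e.local), endpoint(e.remote)
    if loc is None or rem is None:
        return "redacted"
    # A host with no address yet (0.0.0.0, client port 68) broadcasting to the
    # DHCP server port 67 is a DHCP DISCOVER/REQUEST: normal LAN traffic.
    if rem == ("0.0.0.0", 68) and loc == ("255.255.255.255", 67):
        return "dhcp-broadcast"
    if loc[1] in NETBIOS_SMB_PORTS:
        return "netbios-smb-probe"
    return "other"


EXPLANATION = {
    "dhcp-broadcast": "a LAN client asking for an address; benign, but if this host hands out "
                      "addresses (the ICS host), blocking it stops clients getting one",
    "netbios-smb-probe": "attempt to reach a file-sharing port; should never arrive from the internet",
    "redacted": "addresses redacted, cannot be interpreted",
    "other": "no built-in interpretation; look up the port and the remote address",
}

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        tag = classify(e)
        note = " (rule says UDP, detail says TCP)" if protocol_mismatch(e) else ""
        print(f"{e.date} {e.time}: {tag}{note} - {EXPLANATION[tag]}")
```

The second entry is the one the poster sees while offline: it is DHCP discovery on the LAN, not an attack. The caveat worth noting is that if the ICS host is the machine meant to hand out addresses, a personal firewall dropping inbound UDP 67 there would be one plausible reason the other machines cannot obtain an IP automatically; that is an inference from the log, not something the thread confirms.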
Chances are they got it from a site. Or perhaps they stole it from her comp or from her wallet in RL. Because I don't understand why your girlfriend's credit card number would even be on her computer, or how hackers would find it.
My thoughts too.
Although I had thought about a keylogger, logging her keystrokes as she entered her details onto a website.
Or am I being TOO paranoid?
Could you be more specific, like did your girlfriend purchase stuff online?
eBay/Amazon etc.
Hi
Yes, we both use Amazon, eBay, BidPay, PayPal, the lot.
Our details are floating around all over cyberspace.
We only use secure sites but something has obviously gone wrong somewhere.
Do you guys save your credit card numbers, names etc. to save time when buying something?
Onto our harddrives do you mean?
To copy and paste them in?
No. We don't keep sensitive info like that on the system.
I use The Cleaner, and just yesterday I had a friend tell me I sent them a trojan!!
They found a trojan called ..VBKEYBOARDHOOK.dll in a game I had sent them, yet Norton and The Cleaner had failed to find it!!
Both of these programs are updated automatically... So beware, things can still get past them. Moosoft asked me to email them the game, so I'm waiting to hear back from them.
This is what I'm worried about.
What do you guys make of the activity I'm getting on my firewall? Are there any tell-tale signs I should look out for that might indicate a trojan?
To be honest though the more I think about it the more I believe it was taken from a website but I just don't want to take any chances.
I would be looking into changing this too... Big hole!!
Quote:
I wish I could get rid of file and printer sharing but it's necessary
Yeah, most trojans will try to open up a port on startup. If you load a firewall, it will probably report this activity to you; unless you specifically said yes to the program, it should not be trying to access the internet on startup. So get a firewall, and make sure it loads on startup. Wait a minute and see if any programs pop up asking for permission to access the internet. If nothing happens, get a port scanner and run it on yourself, and see if you have any open ports.
Well, first off, if it is a credit card then damages are gonna be $50.00. Second, just 'cause you have an always-on connection doesn't mean you have to have a home network on all the time. Third, your firewall shows nothing really; the keyboard hook is a remapping of the keys and can mean a backspace may boot you out of the game, a common lame hook BTW. To remove file and print sharing go to Start, System, Utilities, then the Window tab, scroll to File and Print Sharing, check it, hit Remove. Again, if they are credit cards, $50.00 is all you're gonna have in damages; inform the credit card company, cancel the account, have them issue new cards. If it's a debit card you are SOL.
I'm thinking this guy probably just snagged your CC info from a website or during an online session. There are lots of possibilities of HOW it could have occurred, but keyloggers and custom trojans don't seem too likely to me. For that, someone would have had to target your girlfriend specifically, and come up with a fairly custom solution for retrieving her CC. On the other hand, there are quite a few websites out there that try to give the appearance of being secure, but really aren't. All that a website has to do for IE or Netscape to display the "lock of security" showing an encrypted site is run the site through a secure server. From there, however, many web-merchants have the information (including CC numbers) emailed to them in plain text from the secure server. All one has to do is sniff through the outgoing traffic from a secure server and wait for the magic numbers to come rolling in.
Sound far fetched? Not even close. Most web-merchants know absolutely nothing about e-commerce security and rely on their ISP or host to fill in such details. Unfortunately, there are those ISPs and hosting services out there that don't know or don't care enough about e-commerce security to bother investigating the full route.
It would seem to me that this would be the most obvious way anyone could get your CC number and personal data. If it looks like a dog and barks like a dog, it's probably a dog.
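What "waiting for the magic numbers" amounts to in practice, as an added example that is not part of the original thread: the same scan works as an attacker's filter over sniffed plain-text mail and as a merchant's check that card numbers are not leaving the checkout server unencrypted. SAMPLE_MAIL is a constructed order notification in the shape the post describes, using the well-known Visa test number rather than a real card; find_card_numbers, luhn_ok and mask are hypothetical helper names. Candidates are located by shape (13 to 19 digits, optionally spaced or hyphenated) and then confirmed with the Luhn check that all major card numbers pass, which is what separates a card number from phone numbers and order references.

```python
import re
from typing import List

# Constructed sample: a plain-text order notification of the kind the post
# describes, relayed by a checkout server to the merchant's mailbox. The card
# number is the standard Visa test number, not a real account.
SAMPLE_MAIL = """\
From: orders@example-petstore.invalid
To: owner@example-petstore.invalid
Subject: New order #1042

Name: A. Customer
Card: 4111 1111 1111 1111
Expiry: 09/04
Phone: 0123 456 7890
Order ref: 1234 5678 9012 3456
Total: 23.50
"""

# 13-19 digits, each optionally followed by one space or hyphen, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    found: List[str] = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep first six and last four digits so a report never repeats the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    hits = find_card_numbers(SAMPLE_MAIL)
    if hits:
        print("card numbers in plain text:", ", ".join(mask(h) for h in hits))
    else:
        print("no card numbers found")
```

Run over the sample, the phone number is too short to match and the 16-digit order reference fails Luhn, so only the card line is reported. On the defensive side the same routine belongs on the merchant's outbound mail path, and any hit is a sign that the order pipeline after the TLS front end needs fixing, not that the message should merely be logged.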
Thanks for all your replies,
Roswell 1329, thanks, that's the kind of explanation I was looking for. I was leaning towards the breach coming from a website but I didn't know how to make a case for it.
Thanks for filling me in. Her last transaction before this happened was to a small online pet store. I guess it could have been them, although I don't want to point the finger.
We'll be more careful in future.
Palemoon. Only $50??
That's alright then, never mind the stress and paranoia that comes from having that kind of sensitive information sent to you by a total stranger.
Never mind the hassle of having to destroy all your credit cards and apply for new ones.
Sheesh, if I knew it was only gonna cost me 50 bucks I wouldn't have bothered.
BTW I do know HOW to turn file and printer sharing off and on, but unfortunately I need it on to perform certain tasks efficiently. But as you pointed out, maybe I shouldn't have it on all the time.
To everyone that replied thanks again. With your help maybe I can avoid this happening to anyone else I know.
Cheers.
Nick.
One could try to trace these leaks from the web services by giving slightly different information to each of them. For example, if your address is "Somestreet 17 B 6", enter it as "Somestreet 17B 6" in one service, "Somestreet 17 b 6" in another, and so on. This is nothing that would prevent the payments from going through, but when a hacker posts you your address, you can check your (encrypted ;)) file and see where the information was like that.
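The tagging idea above, worked through as an added example that is not part of the original post. Each merchant gets its own formatting of the same address, built by toggling independent cosmetic features (case of the letter, spaces, a comma), and a leaked copy is traced back by exact comparison, since the formatting is the signal. The same trick is applied to the email address with plus-addressing (nick+petstore@...), which only helps where the mail provider delivers such mail to the base mailbox; that, the sample address, and the helper names (variants, assign_variants, trace_leak, canary_email) are assumptions of this example.

```python
import itertools
import re
from typing import Callable, Dict, List

Transform = Callable[[str], str]

# Each transform changes only the formatting of the address, never its meaning.
# Order matters: the case change comes first so the later joins still match.
TRANSFORMS: List[Transform] = [
    lambda a: re.sub(r"\b([A-Z])\b", lambda m: m.group(1).lower(), a),  # "B" -> "b"
    lambda a: re.sub(r"(\d+) ([A-Za-z]) ", r"\1\2 ", a),                # "17 B 6" -> "17B 6"
    lambda a: a.replace(" ", ", ", 1),                                  # "Somestreet 17" -> "Somestreet, 17"
    lambda a: re.sub(r"([A-Za-z]) (\d+)$", r"\1\2", a),                 # "B 6" -> "B6"
]


def variants(address: str) -> List[str]:
    """All distinct formattings reachable by applying any subset of TRANSFORMS, base form first."""
    out: List[str] = []
    for r in range(len(TRANSFORMS) + 1):
        for combo in itertools.combinations(TRANSFORMS, r):
            v = address
            for t in combo:
                v = t(v)
            if v not in out:
                out.append(v)
    return out


def assign_variants(services: List[str], address: str) -> Dict[str, str]:
    """Give every service its own formatting; this mapping is the file you keep (encrypted)."""
    vs = variants(address)
    if len(vs) < len(services):
        raise ValueError(f"only {len(vs)} distinct variants for {len(services)} services")
    return dict(zip(services, vs))


def trace_leak(leaked: str, assignments: Dict[str, str]) -> List[str]:
    """Which service(s) were given exactly this formatting. Exact match on purpose."""
    return [svc for svc, v in assignments.items() if v == leaked]


def canary_email(mailbox: str, service: str) -> str:
    """Per-service address via plus-addressing (assumes the provider delivers it to the base mailbox)."""
    local, domain = mailbox.split("@", 1)
    return f"{local}+{service}@{domain}"


if __name__ == "__main__":
    # Constructed sample: the address from the post and three made-up services.
    book = assign_variants(["petstore", "amazon", "ebay"], "Somestreet 17 B 6")
    for svc, v in book.items():
        print(f"{svc:9s} {v!r:26s} {canary_email('nick@example.invalid', svc)}")
    leaked = book["ebay"]  # pretend this is what the stranger's email contained
    print("leaked copy came from:", trace_leak(leaked, book))
```

Four independent features give sixteen distinct formattings, enough for a handful of merchants; for more, add further cosmetic transforms rather than reusing one. The limitation is the obvious one: a thief who retypes or normalises the address destroys the tag, so this traces careless leaks, not careful ones.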
Hey Reaver000:
Here is a link to an article on credit card fraud:
Fraud Info
The article indicates that the $50.00 limit is the result of federal law.
You, however, live in the United Kingdom.
Are you certain that you are protected by the $50.00 limitation rule?
I'm not sure about the $50 limit, but the bank has said they will reimburse any disputed payments while the investigation looks into it, and honor any payments that are found to be fraudulent.
Let's hope they stick to their word. (I've never been in this situation before so I don't know what the procedure is.)
I tend to agree with most of the other posters here in that the theft of information probably took place from somewhere that you did business. Looking at what you have setup however, I wanted to make a comment. I am assuming that you have some kind of a router that is allowing the three computers on your LAN to share your ADSL connection. My recommendation to you would be to buy a little firewall/dhcp/router/switch combination box. They are cheap (I have seen several online recently for around 50 US dollars) and are, as far as I can tell, very effective. IMHO, if you are waiting until the traffic gets to your box to block it (software firewall), you have waited too long. A layered approach is much better.
Neb
Did you have to enter your E-mail address into any of the sites you used?
As far as how to share your printers and files: install NetBEUI on all the machines sharing things, and in Network Neighborhood, properties of File and Print Sharing for Microsoft Networks, or something really close to that, find Bindings, uncheck TCP/IP, and make sure NetBEUI is checked.
This prevents the shares from being accessed from the net (TCP/IP).
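The check that ties the two pieces of advice together, the earlier "run a port scanner on yourself" and the unbinding of file sharing from TCP/IP just described, as an added example that is not part of the original thread. It is a plain TCP connect scan of a host over a short port list and labels anything found: the file-sharing ports (139, 445) that should no longer answer on TCP once the binding is removed, and anything else as a listener to identify. The port list, the helper names (tcp_connect_scan, risk_report, probe_listener) and the use of 127.0.0.1 as the target are this example's assumptions; 137 and 138 are UDP and a TCP connect cannot see them.

```python
import socket
from typing import Dict, Iterable, Set

# File-sharing ports the thread is concerned with. 137/138 are UDP and are not
# reachable by a TCP connect; they are listed so a report can name them.
SHARING_PORTS: Dict[int, str] = {
    137: "netbios-ns (UDP, not covered by a TCP scan)",
    138: "netbios-dgm (UDP, not covered by a TCP scan)",
    139: "netbios-ssn (SMB over NetBIOS; should not answer once unbound from TCP/IP)",
    445: "microsoft-ds (direct SMB; same)",
}

# A short, assumed list: common services plus the default ports of three
# well-known Windows backdoors of the period (NetBus, SubSeven, Back Orifice).
DEFAULT_PORTS = [21, 23, 25, 80, 135, 139, 445, 1080, 3389, 5000, 12345, 27374, 31337]


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    open_ports: Set[int] = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # refused, timed out, unreachable
                continue
            open_ports.add(port)
    return open_ports


def risk_report(open_ports: Iterable[int]) -> Dict[int, str]:
    """Label each open port: known file-sharing service, or an unexplained listener to investigate."""
    return {p: SHARING_PORTS.get(p, "unexpected listener: identify the owning process")
            for p in sorted(open_ports)}


def probe_listener(host: str = "127.0.0.1") -> socket.socket:
    """Throwaway listener on an ephemeral port, so the scanner can be checked against a known-open port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    found = tcp_connect_scan("127.0.0.1", DEFAULT_PORTS)
    if not found:
        print("no listeners on the scanned ports")
    for port, label in risk_report(found).items():
        print(f"open {port:5d}  {label}")
```

Two caveats when reading the result. Scanning 127.0.0.1 shows everything listening on the machine, including services bound only to loopback, and a personal firewall usually does not filter loopback at all, so an open port here is not necessarily reachable from the ADSL side; what the internet sees is only answered by scanning the external address from outside. Conversely a port that is closed here is closed everywhere, which is the state 139 and 445 should be in after the binding change.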
Nebulus200, I think you're right I'll get myself a router with a firewall.
Ratman 2, unfortunately yes. I always use a hotmail or yahoo account but I think my girlfriend uses her free ISP's account accessed with outlook express.
The guy that sent the email got her address from somewhere.
Avenger, thanks for the tip I'll check it out.
Cheers.
Nick.