Argh :( Just had to cancel my card - clever trickery inside

Hi all

Just tried to log onto my barclaycard online banking account. Went to the website and everything seemed normal - Screenshot here

Put my details in, and got through to page 2 of the security form. However it looked different than normal - it should ask for me to choose two letters from my memorable phrase, but instead I got this screen - Second screen

At this point, I grew suspicious, and checked the SSL out - all seemed good. SSL Cert

Did a quick scan of operating memory with my AV, and all came up as clear.

Therefore I did something stupid and continued entering my details. That took me to a third "verified by visa" screen which I stupidly didn't screenshot. This started asking for more details including my ATM Pin. At this point, the alarm bells were definitely resonating, so I logged onto the barclaycard website from my laptop and the site worked as normal, so clearly my computer has been compromised somehow.

Have phoned my bank up and canceled my card, and I've also changed my security phrases. :(

Had they not asked for that extra information, they may have gotten away with it. I pinged the website from both machines and the IP matched, and if I put fake details into page 1, the website correctly told me the details were wrong - I had to put the correct details in page 1 to get to page 2, so I believe the first page of the website was the real barclaycard one, and somehow I was redirected to a fake website in page 2.

Oh well - just shows how easy it is for you to let your guard down for just a moment.
 
That seems normal to me.

Phoned barclaycard as well.
They confirmed it is not normal. :(

At least the only info they got was my card no, expiry date and cvv number, so once the card is cancelled, there isn't much they can do. I'm annoyed they have things like my mother's maiden name, but without my address etc I doubt they can make use of it.

It was the "ATM Pin" question that set the alarm bells ringing. I wished I had screenshotted the verified by visa page I was taken to, but it all looked really legit. I bet loads of people will fall for this.
 
Lol, entering your mother's maiden name and CVV to log in to online banking.

Yep - hindsight is a wonderful thing :)

I know there will be loads of people who call me stupid etc., and to be fair I deserve it.

You hear these scams all the time, so everyone knows to be careful with your details. What I've not seen before though is how sophisticated these can be, so hopefully these screenshots will be of interest, and show that even if you do perform all the checks like checking the SSL, you can still get done.

I think some people will be interested to see the screenshots of how well this scam/flaw was done.

A "Smart Scan" from my AV picked up nothing as well, but I created a bootable AV CD from my laptop and booted my PC from that. It's started picking up trojans, so my PC is infected.
 
Are both the laptop and desktop using the same internet connection? Could possibly be a hijacked proxy or something... otherwise it's quite a clever and specific rootkit/malware.
 
To answer both those questions

AV for both the failure to detect, and the rescue CD is Nod32.

Both laptop and desktop are using the same internet connection, and proxy settings in I.E were clear, and the IP the url resolved to was the same on both.

Based on the fact that putting in garbage details on page 1 failed, I suspect I was on the real barclaycard website all the time, but the trojan was able to insert different html or something on the second page? I'm not 100% on how they did it, but the first page was real. The second page was where the fake slipped in.
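
The check that separates the two machines here is the rendered page, since the IP and certificate matched on both. As an added example that is not part of the original thread: the script below diffs the form controls in a page saved from a clean machine against the same page saved from the suspect machine. The sample HTML, field names and form action are constructed for illustration.

```python
from html.parser import HTMLParser

class FormFieldCollector(HTMLParser):
    """Record (form action, field name, field type) for every form control."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._action = ""  # action of the enclosing <form>, "" when outside one

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif tag in ("input", "select", "textarea"):
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            kind = (attrs.get("type") or tag).lower()
            self.fields.add((self._action, name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = ""

def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields

def injected_fields(reference_html, suspect_html):
    """Controls the suspect machine rendered that the clean machine did not."""
    return sorted(form_fields(suspect_html) - form_fields(reference_html))

# Constructed sample pages; field names and the form action are made up.
REFERENCE = """<form action="/login/step2" method="post">
  <select name="letter1"></select> <select name="letter2"></select>
  <input type="hidden" name="token" value="aaa">
  <input type="submit" name="go">
</form>"""
SUSPECT = """<form action="/login/step2" method="post">
  <select name="letter1"></select> <select name="letter2"></select>
  <input type="text" name="mothers_maiden_name">
  <input type="password" name="cvv">
  <input type="hidden" name="token" value="bbb">
  <input type="submit" name="go">
</form>"""

if __name__ == "__main__":
    for action, name, kind in injected_fields(REFERENCE, SUSPECT):
        print(f"unexpected field {name!r} ({kind}) posting to {action}")
```

Field values are ignored on purpose, so per-session tokens that differ between the two captures do not show up as differences; only controls that exist on one machine and not the other are reported.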
 
The second page would make me run a mile. Pretty convincing though, and I bet it caught some people. :(
 
That was a really well done scam in fairness. I would have raised an eyebrow at it asking for the mother's maiden name CVV. But not everyone would.

And I'll echo the fact there's nothing wrong with IE.

You've just been unlucky. At least you cancelled your card right away.
 