PayPal hacked for a second time :(

Hi all...

A few weeks back my other half had a fraudulent transaction appear on her PayPal account. The money was eventually refunded and she changed her password.

Today it seems to have happened again - for a lesser amount this time and with a different currency.

My first thought is to scan her computer for viruses and spyware (what are the best tools for this?).

Is there anything else that I haven't thought of?
 
Currently running a full system scan with Avast and a full scan with Windows Defender. Looks like it will take a while.

They seem like complex passwords, a mix of letters, numbers, case etc.

Not used on any mobile devices or linked to any website other than eBay.

Might be a good idea to close the account.

Surely there must be something on the laptop for this to have happened?
 
This would be solved if you used 2 factor authentication. Just set it up.

I have told her to set it up. I have it set up for this exact reason!

Ok so complex password is good but is it the same she uses on other sites? (Sorry I'm sure she's not thick I'm just making sure).

Check your router settings for port forwarding. Long shot but possible.

Otherwise as said above create a new account and format the computer.

Are the transactions to a company or person? Can you give their name?

She tells me that the password is unique to PayPal.

The transaction appears to be involving a person -
fadi hatherh
Beit jala,shel street44
Bethlehem 00970
Israel

Payment is to Bodybuilding.com for $73.66.

I believe it was a person last time also.

Is she using PayPal anywhere but on her own computers?
Does she log out every time? I think there was a thing with cookies that could be exploited.

Interesting, I will delete all of the cookies on her laptop. Not sure if she logs out every time.
 
So the plot thickens.

A few months ago, one of her credit cards received a fraudulent payment, again from abroad. This was picked up by the credit card company and a new card issued.

Again all passwords to every website she could think of were changed (to apparently a complex password, using a number of different passwords).

Then after filing a tax return, she received an email from 'HMRC' offering money, again a fraudulent email that clearly had been tracking her usage.

Then today her email account was blocked due to it being used for spam, I assume by a bot.

I have used Malwarebytes and Avast - both have not picked up anything on her laptop or external drives. I have run boot scans, deleted all cookies and temporary files using CCleaner.

Some of her usage, e.g. to file the tax return, used her iPad, so it can't just be her laptop? I have not had any issues at all, so surely our internet connection is secure?

I am very confused!
 
Can you explain why you think the HMRC email is anything other than a generic phishing email? These are common, and people are easily fooled.

It might be useful to understand how the passwords are entered into the various systems, as I suspect that a simple keylogger/RAT might be able to capture anything, complex or not.

It could indeed be a coincidence, but the phishing email arrived only a few days after sending the tax return.

The passwords, mostly being entered on the laptop, are being put into Internet Explorer.

I think it is nearly time to wipe the laptop...although there is nothing to say that the backup external drives are safe either?
 