
Rogue hosts waylaying genuine ones


P. Jayant

I have been using the web-site of the State Bank of India
(www.onlinesbi.com) for over five years to log-in and pay various bills like
those of the electricity company or the DTH Operator. For the last three
months, however, I have had to change over to the Internet Banking service
of another bank where also I have an account, just because the moment I
enter the onlinesbi address and press enter, a rogue service provider with
the address sbionline.co.in opens up and offers to pay my bills for anything
I need from Real Estate and Jewellery to household appliances and gadgets.
It even presents me a page to enter my username and password just the way
the State Bank of India does. If ever I am inattentive and enter those
details I use for the S B I account, the rogue asks me to fill up a detailed
form of information about my ancestry, current style of living etc. This is
obviously, a phishing racket.
But how do I get rid of it and get to the genuine host I want? I tried the
instructions given in a Microsoft guide
http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which is
meant for the Error message "the web page could not be displayed" but deals
with rogue hosts. But when I checked in the Windows\system32\drivers\hosts
folder, I did not find any rogue host to put a cross at the start or the end
of its name.

Are there any other ways of stopping the rogue hosts? Is there any authority
apart from S B I themselves who could take action on such rogues? How does
one report these violations to them?

P. Jayant
 

VanguardLH

P. Jayant wrote:

> I have been using the web-site of the State Bank of India
> (www.onlinesbi.com) for over five years to log-in and pay various bills like
> those of the electricity company or the DTH Operator. For the last three
> months, however, I have had to change over to the Internet Banking service
> of another bank where also I have an account, just because the moment I
> enter the onlinesbi address and press enter, a rogue service provider with
> the address sbionline.co.in opens up and offers to pay my bills for anything
> I need from Real Estate and Jewellery to household appliances and gadgets.
> It even presents me a page to enter my username and password just the way
> the State Bank of India does. If ever I am inattentive and enter those
> details I use for the S B I account, the rogue asks me to fill up a detailed
> form of information about my ancestry, current style of living etc. This is
> obviously, a phishing racket.
> But how do I get rid of it and get to the genuine host I want? I tried the
> instructions given in a Microsoft guide
> http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which is
> meant for the Error message "the web page could not be displayed" but deals
> with rogue hosts. But when I checked in the Windows\system32\drivers\hosts
> folder, I did not find any rogue host to put a cross at the start or the end
> of its name.
>
> Are there any other ways of stopping the rogue hosts? Is there any authority
> apart from S B I themselves who could take action on such rogues? How does
> one report these violations to them?
>
> P. Jayant


Use a shortcut to eliminate the user blunders of entering the wrong URL
at a later time.

If you are using the correct URL but ending up at a different site then
contact your ISP or whomever's DNS server you are using and inform them
that their DNS server may be poisoned. Until then, you could specify
the IP address of the site as the URL in a shortcut instead of using a
hostname that requires a DNS lookup. If your DNS provider continues to
remain poisoned then you'll have to use someone else's, like OpenDNS.

A hostname not listed in the 'hosts' file is not the only means of
getting redirected to a phishing site. You might be infected with
malware.
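The two mechanisms VanguardLH describes (a hijacked 'hosts' entry versus a poisoned upstream resolver) are told apart by first auditing the local file. On Windows it is the file %SystemRoot%\System32\drivers\etc\hosts (the original post looked in the wrong folder), on Unix-like systems /etc/hosts. The script below is an added example, not code from the thread or from any of the posters: it parses a hosts file, reports every mapping that is not a loopback or 0.0.0.0 entry (a stock file holds little else, so anything more deserves a look), and specifically flags watched bank hostnames pointed at a real address. The sample file contents, the 203.0.113.45 address and the example-bank name are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample of a tampered hosts file (not taken from the thread).
# 203.0.113.0/24 is a documentation range, so the address is a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were added by malware (constructed for this example)
203.0.113.45    www.onlinesbi.com onlinesbi.com
203.0.113.45    www.example-bank.test
0.0.0.0         ads.example.test
"""

# Hostnames whose redirection would be dangerous; the bank's name from the post.
WATCHED: Set[str] = {"onlinesbi.com", "www.onlinesbi.com"}

# Default location of the file on Windows and on Unix-like systems.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
UNIX_HOSTS = "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_benign_target(ip: str) -> bool:
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) targets are the
    normal contents of a hosts file; ad-blocking lists use the latter."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Every mapping that sends a hostname to a real, routable address."""
    return [(ip, name) for ip, name in parse_hosts(text) if not is_benign_target(ip)]


def find_hijacks(text: str, watched: Set[str] = WATCHED) -> Dict[str, str]:
    """{hostname: ip} for watched names that a non-benign entry overrides.
    A watched name left to normal DNS does not appear here; if the browser still
    lands on the wrong site, the resolver itself is the next thing to check."""
    return {name: ip for ip, name in suspicious_entries(text) if name in watched}


if __name__ == "__main__":
    import os
    path = WINDOWS_HOSTS if os.name == "nt" else UNIX_HOSTS
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError as exc:
        print(f"could not read {path}: {exc}; using the constructed sample")
        content = SAMPLE_HOSTS
    for ip, name in suspicious_entries(content):
        print(f"review: {name} -> {ip}")
    for name, ip in find_hijacks(content).items():
        print(f"HIJACK: watched host {name} is redirected to {ip}")
```

Run against the sample, `find_hijacks` reports both forms of the bank's hostname redirected to 203.0.113.45, while the 0.0.0.0 ad-block line is ignored. An empty result on a real machine means the hosts file is not the culprit, which is exactly the situation the original post describes; the remaining explanations in the reply (a poisoned resolver or a malware-installed proxy setting) are then the ones to pursue.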
 

P. Jayant

Re: Rogue hosts waylaying genuine ones

Sorry I forgot to mention:
1) I am using Windows XP/SP3
2) my browser is Internet explorer 8 and
3) The Phishing filter is ON


P. Jayant
 

PA Bear [MS MVP]

Re: Rogue hosts waylaying genuine ones

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

I can recommend the expert assistance offered in these forums:
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php, and
http://aumha.net/viewforum.php?f=30


P. Jayant wrote:
> Sorry I forgot to mention:
> 1) I am using Windows XP/SP3
> 2) my browser is Internet explorer 8 and
> 3) The Phishing filter is ON

<paste>
> I have been using the web-site of the State Bank of India
> (www.onlinesbi.com) for over five years to log-in and pay various bills
> like
> those of the electricity company or the DTH Operator. For the last three
> months, however, I have had to change over to the Internet Banking service
> of another bank where also I have an account, just because the moment I
> enter the onlinesbi address and press enter, a rogue service provider with
> the address sbionline.co.in opens up and offers to pay my bills for
> anything
> I need from Real Estate and Jewellery to household appliances and gadgets.

<blithersnippage>
 

Bob Lucas

This comment is in addition to all of the other replies.

I am concerned that you have probably entered your on-line
banking user name and password on a phishing website. I strongly
recommend you use a different computer (from an Internet cafe,
perhaps) to sign into your on-line banking account. Then, you
MUST change your password immediately. Otherwise, the fraudsters
will have access to all the money in your account.

If you cannot access the account, telephone your bank and ask
them to change your password.

I hope this advice is not too late.


"P. Jayant" <p_jayant@dataone.in> wrote in message
news:-OrtmgzU$KHA.3880@TK2MSFTNGP04.phx.gbl...
> I have been using the web-site of the State Bank of India
> (www.onlinesbi.com) for over five years to log-in and pay
> various bills like those of the electricity company or the DTH
> Operator. For the last three months, however, I have had to
> change over to the Internet Banking service of another bank
> where also I have an account, just because the moment I enter
> the onlinesbi address and press enter, a rogue service provider
> with the address sbionline.co.in opens up and offers to pay my
> bills for anything I need from Real Estate and Jewellery to
> household appliances and gadgets. It even presents me a page to
> enter my username and password just the way the State Bank of
> India does. If ever I am inattentive and enter those details I
> use for the S B I account, the rogue asks me to fill up a
> detailed form of information about my ancestry, current style
> of living etc. This is obviously, a phishing racket.
> But how do I get rid of it and get to the genuine host I want?
> I tried the instructions given in a Microsoft guide
> http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx
> which is meant for the Error message "the web page could not be
> displayed" but deals with rogue hosts. But when I checked in
> the Windows\system32\drivers\hosts folder, I did not find any
> rogue host to put a cross at the start or the end of its name.
>
> Are there any other ways of stopping the rogue hosts? Is there
> any authority apart from S B I themselves who could take action
> on such rogues? How does one report these violations to them?
>
> P. Jayant
>
 

Dan

"P. Jayant" <p_jayant@dataone.in> wrote in message
news:-OrtmgzU$KHA.3880@TK2MSFTNGP04.phx.gbl...
> I have been using the web-site of the State Bank of India
> (www.onlinesbi.com) for over five years to log-in and pay various bills
> like those of the electricity company or the DTH Operator. For the last
> three months, however, I have had to change over to the Internet Banking
> service of another bank where also I have an account, just because the
> moment I enter the onlinesbi address and press enter, a rogue service
> provider with the address sbionline.co.in opens up and offers to pay my
> bills for anything I need from Real Estate and Jewellery to household
> appliances and gadgets. It even presents me a page to enter my username
> and password just the way the State Bank of India does. If ever I am
> inattentive and enter those details I use for the S B I account, the rogue
> asks me to fill up a detailed form of information about my ancestry,
> current style of living etc. This is obviously, a phishing racket.
> But how do I get rid of it and get to the genuine host I want? I tried the
> instructions given in a Microsoft guide
> http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which
> is meant for the Error message "the web page could not be displayed" but
> deals with rogue hosts. But when I checked in the
> Windows\system32\drivers\hosts folder, I did not find any rogue host to
> put a cross at the start or the end of its name.
>
> Are there any other ways of stopping the rogue hosts? Is there any
> authority apart from S B I themselves who could take action on such
> rogues? How does one report these violations to them?
>
> P. Jayant
>


It depends on how deeply it's in the system, but you may find that
Malwarebytes Anti-Malware from http://www.malwarebytes.org/ may clear this
out, just try the free version. However, if it's like one of the systems I
had to clear recently that has this embedded right down as a rootkit with
boot sector code then it'll be a tedious job to remove, I'd only recommend
this for someone who is happy to run Combofix and go through all the
required steps (so far I haven't had a single system not get cleaned with
this).

I'd also second Bob's reply - if you've already entered some of the details
including your password get onto your bank and let them know, and get your
password changed (and login name/id if possible) as well as any other
secondary password/PIN that they use to identify you, and if you have no
other PC to use that you know is clean then also ask them to suspend your
online banking while you sort out your PC.

The only sure way to get rid of something like this is a reformat and
reinstall, however I would suggest that if you do this that you maybe use a
low level format utility from the hard disk manufacturer first as otherwise
you risk the malware installer being executed once Windows has been
reinstalled if it's in the boot sector of the disk.

Reporting violations is often a waste of time, especially as sbionline.co.in
is located in Germany and the IP is owned by PlusLine Systemhaus GmbH so
your bank could likely do nothing anyway. With one of the recent infections
I've cleaned up I reported the phishing site to both the bank concerned (in
the UK) and the company in the US who run the datacentre where the rogue
site is hosted, the bank simply said there was nothing they could do and the
hosting company never replied and simply closed the real time chat windows I
used for technical support, and the rogue was still up and running weeks
later and is probably still there.

--
Dan
 

Rob

Bob Lucas <bob@nospam.com> wrote:
> I am concerned that you have probably entered your on-line
> banking user name and password on a phishing website. I strongly
> recommend you use a different computer (from an Internet cafe,
> perhaps) to sign into your on-line banking account. Then, you
> MUST change your password immediately. Otherwise, the fraudsters
> will have access to all the money in your account.


It must be quite a stupid and insecure bank when they allow access
to all the money in your account with only a username and password...

Which reputable bank would ever allow such an insecure web access??
 

Tom Willett

:
: It must be quite a stupid and insecure bank when they allow access
: to all the money in your account with only a username and password...
:
: Which reputable bank would ever allow such an insecure web access??

Hear! Hear!

I have to take about 5 steps to log in to mine.
 

Bob Lucas

Quite right. Unfortunately, I cannot comment upon the adequacy
of the security procedures adopted by Indian banks.

I hope the bank's security procedures will be sufficiently robust
to thwart any attempted fraud. However, don't forget that in his
original posting, the OP stated that the website asked him to
"fill up a detailed form of information about his ancestry,
current style of living etc". It follows that the fraudsters
were probably trying to harvest sufficient information to access
the account.

Even if the OP did not disclose any personal info., I stand by my
previous advice that he should change his password (plus any
secret security questions and answers) without delay. Better
safe than sorry!


"Tom Willett" <tom@youreadaisyifyoudo.com> wrote in message
news:#iCErmc$KHA.5476@TK2MSFTNGP06.phx.gbl...
>
>
> :
> : It must be quite a stupid and insecure bank when they allow
> access
> : to all the money in your account with only a username and
> password...
> :
> : Which reputable bank would ever allow such an insecure web
> access??
>
> Hear! Hear!
>
> I have to take about 5 steps to log in to mine.
>
>
>
 

P. Jayant

No. I did not enter my Username and password. I only mentioned that the
rogue put up a page identical to that of the bank asking me to enter those
details. I promptly knew it was a phishing attempt.

P. Jayant
 

P. Jayant

My Anti-Virus software is QuickHeal. I have done the root natural Windows
scan and QuickHeal has cleaned up the system. It is working O K now. Thanks
for all the comments made by various correspondents.

P. Jayant
 

Dan

"P. Jayant" <p_jayant@dataone.in> wrote in message
news:#sbYIOi$KHA.4652@TK2MSFTNGP06.phx.gbl...
> My Anti-Virus software is QuickHeal. I have done the root natural Windows
> scan and QuickHeal has cleaned up the system. It is working O K now.
> Thanks for all the comments made by various correspondents.
>
> P. Jayant


Given the very poor reviews of Quick Heal I've just been skimming through
I'd suggest you get a decent anti-virus, and also run Malwarebytes that I'd
already suggested.

And if the infection is installed at the boot sector then a root kit scan
won't find it anyway, as a root kit is something else entirely - some of
these infections go as far as being able to block them being scanned from
within Windows and require a much more low level scan technique to find and
disable them.

--
Dan
 

Twayne

In news:%23iCErmc$KHA.5476@TK2MSFTNGP06.phx.gbl,
Tom Willett <tom@youreadaisyifyoudo.com> typed:
>> It must be quite a stupid and insecure bank when they
>> allow access to all the money in your account with only a
>> username and password...
>>
>> Which reputable bank would ever allow such an insecure web
>> access??

>
> Hear! Hear!
>
> I have to take about 5 steps to log in to mine.


That's not the point, really; he said he gave out a lot of info previously,
I think and that might be enough for a dozen steps or one, who knows? The
advice to go to call his bank and change his password was excellent, whether
it's necessary or not because its exposure is an unknown. I'd then find
another computer somehow and do a test access to be sure he still had
access.
He should also be able to put a sort of "alert" on his accounts if the
bank offers it.

Most banks allow online wire transfers; that's one way the money could leave
the bank unbeknownst to him. And until it's straightened out, if he's still
not sure, he should close/reopen other accounts under another name and
password, and reinstall his system from scratch.

There's more, but that's the important stuff; then go on to figure out
what's up with DNS, etc. The bank should be all over this one for him; if
not, it's time for another bank.

HTH,

Twayne
 