FYI - Malware Attack in Forum

[Sloehand]

Reported to HiTech, but thought community should be aware.

Perusing through various threads here in the General Discussion forum, I entered the "interesting history Saburo Sakai" thread by boneyfreak.  

I immediately received a notice from my PC-cillin Privacy Protection software as follows:

xxxxxxxxxxxx
Notification
 
Privacy Protection (Web)
Privacy Protection has prevented confidential information from being sent over the Web. To allow the protected item to be sent to the address below, click Add Exception.
 .
Action taken: Blocked.
.
Address: http://forums.hitechcreations.com/forums/avatar.php?
Item: Credit card number Visa3

xxxxxxxxxxx

I'm guessing here, but could it be that someone's avatar in that thread contains some type of malware, trying to get my credit card info?

Don't know exactly what's going on or who is doing it (if I'm correct about this), but it happens only in that thread and I have tested it repeatedly.

Haven't found it anywhere else and I've been into threads before and after that one.

Just thought everyone should know.

[2bighorn]

It's possible. There were several XSS exploits in vBulletin as there were few with image uploads including avatars...
If the version stated on the bottom is true, this forum should be updated to ver 2.3.11.

[JB88]

i have trend micro and had no message pop up.

not saying that your assumptions are innacurate, only offering a result from the same scanning program.

[2bighorn]

Originally posted by JB88
i have trend micro and had no message pop up.
not saying that your assumptions are innacurate, only offering a result from the same scanning program.

All depends on your system. Not all Browser/OS/SecuritySoftware combos would be affected and not all security software would issue a warning, especially if you added this site to trusted ones in your application.

It is still good idea to check it out.

[JB88]

agreed.

[Sloehand]

Sorry to actually repeat a previous thread, but Skuzzy initially responded and I was afraid might not go back to it and see my additional info.  

I now have more info.

Here's what is going on.  Every time I try to enter the "interesting history Subaru Sakai" thread by 'boneyfreak' in the General Discussion forum I get the notice from my PC-cillin security software.

Notice is as follows:

xxxxxxxxxxxx
Notification
 
Privacy Protection (Web)
Privacy Protection has prevented confidential information from being sent over the Web. To allow the protected item to be sent to the address below, click Add Exception.
 .
Action taken: Blocked.
.
Address: http://forums.hitechcreations.com/forums/avatar.php?
Item: Credit card number Visa3

xxxxxxxxxxx

I tested this several times and it's this thread, and iy happens immediately upon entry.

Am I right that it looks like someone's avatar in that thread has something imbedded causing this, possibly the thread author?

I figure this is very serious, which is why I want to make sure HiTech gets notified.

FYI -- this was NOT a pre-extisiting bit of malware on my machine as I ran all my security scans (and found nothing resident) and as it only (and always) happens when going into this thread.

[Sloehand]

Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.  

Originally posted by JB88
i have trend micro and had no message pop up.

not saying that your assumptions are innacurate, only offering a result from the same scanning program.

[nirvana]

Did you e mail support about this as well Sloehand?  They might get it that way faster.

[JB88]

Originally posted by Sloehand
Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.

negative.  but i see where that is an option.  nice.

[Schatzi]

Originally posted by Sloehand
Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.

OK, maybe im being really dumb here.... but isnt giving the security software the info the only way for your computer to know your CC info in the first place?

(That is unless of course youre doing online banking or other such things).

[zorstorer]

Originally posted by Schatzi
OK, maybe im being really dumb here.... but isnt giving the security software the info the only way for your computer to know your CC info in the first place?

(That is unless of course youre doing online banking or other such things).

LOL thats what I was thinking also Schatzi

[2bighorn]

Originally posted by Schatzi
OK, maybe im being really dumb here.... but isnt giving the security software the info the only way for your computer to know your CC info in the first place?

Majority of the browsers support auto form fill ie they save what you type into fields with common names like name, address etc.
If you purchase things online your cc# number could be saved without you knowing it.
And that's where security software comes in. It compares pre-registered personal info with transmissions. If there's a match it'll block it unless it is user invoked...

[Schatzi]

Originally posted by 2bighorn
Majority of the browsers support auto form fill ie they save what you type into fields with common names like name, address etc.
If you purchase things online your cc# number could be saved without you knowing it.
And that's where security software comes in. It compares pre-registered personal info with transmissions. If there's a match it'll block it unless it is user invoked...

Rgr, thank you Bighorn. Thats pretty much what Schutt told me LoL.

[REP0MAN]

I find it odd that boneyfreak has only one post, no profile infomation, no avtar, etc.

Just an observation

[Sloehand]

OK, folks.  Schutt alerted me to the probable cause of all this and that is my Protection software, or actually, what I put into the software.  Seems that I used the minimum number of digits required (4) of a credit card number to trigger an alert, not realizing that within the thread's normal use of userid's I might get a match and trigger the alery.  This seems to be the case as I have had the same thing happen now at other websites.

Strange in that, I've had the Protection module active for about 3-4 weeks and haven't had a hit till last night and then again today.

Anyway, that seems like the probabl cause and that it is NOT a malware attack by anyone.

Sorry, if anyone got annoyed or unnecessarily concerned.  My motivation was only to protect others from what I thought might be a serious problem.