Author Topic: FYI - Malware Attack in Forum  (Read 1088 times)

Offline Sloehand

  • Silver Member
  • ****
  • Posts: 874
FYI - Malware Attack in Forum
« on: January 14, 2007, 08:14:25 PM »
Reported to HiTech, but thought community should be aware.

Perusing through various threads here in the General Discussion forum, I entered the "interesting history Saburo Sakai" thread by boneyfreak.  

I immediately received a notice from my PC-cillin Privacy Protection software as follows:

xxxxxxxxxxxx
Notification

Privacy Protection (Web)
Privacy Protection has prevented confidential information from being sent over the Web. To allow the protected item to be sent to the address below, click Add Exception.

Action taken: Blocked.

Address: http://forums.hitechcreations.com/forums/avatar.php?
Item: Credit card number Visa3

xxxxxxxxxxx

I'm guessing here, but could it be that someone's avatar in that thread contains some type of malware, trying to get my credit card info?

Don't know exactly what's going on or who is doing it (if I'm correct about this), but it happens only in that thread and I have tested it repeatedly.

Haven't found it anywhere else and I've been into threads before and after that one.

Just thought everyone should know.
Jagdgeschwader 77

"You sleep safe in your beds because rough men stand ready in the night to visit violence on those who would do you harm."  - George Orwell
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
FYI - Malware Attack in Forum
« Reply #1 on: January 14, 2007, 08:34:38 PM »
It's possible. There were several XSS exploits in vBulletin as there were few with image uploads including avatars...
If the version stated on the bottom is true, this forum should be updated to ver 2.3.11.

Offline JB88

  • Plutonium Member
  • *******
  • Posts: 10980
FYI - Malware Attack in Forum
« Reply #2 on: January 14, 2007, 08:36:34 PM »
i have trend micro and had no message pop up.

not saying that your assumptions are inaccurate, only offering a result from the same scanning program.
this thread is doomed.
www.augustbach.com  

To strive, to seek, to find, and not to yield. -Ulysses.

word.

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
FYI - Malware Attack in Forum
« Reply #3 on: January 14, 2007, 08:48:11 PM »
Quote
Originally posted by JB88
i have trend micro and had no message pop up.
not saying that your assumptions are inaccurate, only offering a result from the same scanning program.
All depends on your system. Not all Browser/OS/SecuritySoftware combos would be affected and not all security software would issue a warning, especially if you added this site to trusted ones in your application.

It is still a good idea to check it out.

Offline JB88

  • Plutonium Member
  • *******
  • Posts: 10980
FYI - Malware Attack in Forum
« Reply #4 on: January 14, 2007, 08:54:01 PM »
agreed.

Offline Sloehand

  • Silver Member
  • ****
  • Posts: 874
Malware On Forum
« Reply #5 on: January 14, 2007, 11:21:34 PM »
Sorry to actually repeat a previous thread, but Skuzzy initially responded and I was afraid might not go back to it and see my additional info.  

I now have more info.

Here's what is going on.  Every time I try to enter the "interesting history Saburo Sakai" thread by 'boneyfreak' in the General Discussion forum I get the notice from my PC-cillin security software.

Notice is as follows:

xxxxxxxxxxxx
Notification

Privacy Protection (Web)
Privacy Protection has prevented confidential information from being sent over the Web. To allow the protected item to be sent to the address below, click Add Exception.

Action taken: Blocked.

Address: http://forums.hitechcreations.com/forums/avatar.php?
Item: Credit card number Visa3

xxxxxxxxxxx

I tested this several times and it's this thread, and it happens immediately upon entry.

Am I right that it looks like someone's avatar in that thread has something embedded causing this, possibly the thread author?

I figure this is very serious, which is why I want to make sure HiTech gets notified.

FYI -- this was NOT a pre-existing bit of malware on my machine as I ran all my security scans (and found nothing resident) and as it only (and always) happens when going into this thread.

Offline Sloehand

  • Silver Member
  • ****
  • Posts: 874
FYI - Malware Attack in Forum
« Reply #6 on: January 14, 2007, 11:24:59 PM »
Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.  

Quote
Originally posted by JB88
i have trend micro and had no message pop up.

not saying that your assumptions are inaccurate, only offering a result from the same scanning program.

Offline nirvana

  • Platinum Member
  • ******
  • Posts: 5640
FYI - Malware Attack in Forum
« Reply #7 on: January 15, 2007, 12:04:29 AM »
Did you e-mail support about this as well Sloehand?  They might get it that way faster.
Who are you to wave your finger?

Offline JB88

  • Plutonium Member
  • *******
  • Posts: 10980
FYI - Malware Attack in Forum
« Reply #8 on: January 15, 2007, 01:07:33 AM »
Quote
Originally posted by Sloehand
Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.


negative.  but i see where that is an option.  nice.

Offline Schatzi

  • Platinum Member
  • ******
  • Posts: 5729
      • http://www.slowcat.de
FYI - Malware Attack in Forum
« Reply #9 on: January 15, 2007, 04:26:39 AM »
Quote
Originally posted by Sloehand
Did you pre-register your personal info with the Privacy Protection module of the Trend software on your machine?  You have to establish the CC#'s, addresses, phone #s, etc. for the software to protect, first.



OK, maybe I'm being really dumb here.... but isn't giving the security software the info the only way for your computer to know your CC info in the first place?

(That is unless of course you're doing online banking or other such things).
21 is only half the truth.

Offline zorstorer

  • Silver Member
  • ****
  • Posts: 950
FYI - Malware Attack in Forum
« Reply #10 on: January 15, 2007, 12:27:01 PM »
Quote
Originally posted by Schatzi
OK, maybe I'm being really dumb here.... but isn't giving the security software the info the only way for your computer to know your CC info in the first place?

(That is unless of course you're doing online banking or other such things).


LOL that's what I was thinking also Schatzi ;)

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
FYI - Malware Attack in Forum
« Reply #11 on: January 15, 2007, 01:00:48 PM »
Quote
Originally posted by Schatzi
OK, maybe I'm being really dumb here.... but isn't giving the security software the info the only way for your computer to know your CC info in the first place?
The majority of browsers support auto form fill, i.e. they save what you type into fields with common names like name, address etc.
If you purchase things online your CC number could be saved without you knowing it.
And that's where security software comes in. It compares pre-registered personal info with transmissions. If there's a match it'll block it unless it is user invoked...

Offline Schatzi

  • Platinum Member
  • ******
  • Posts: 5729
      • http://www.slowcat.de
FYI - Malware Attack in Forum
« Reply #12 on: January 15, 2007, 01:26:52 PM »
Quote
Originally posted by 2bighorn
The majority of browsers support auto form fill, i.e. they save what you type into fields with common names like name, address etc.
If you purchase things online your CC number could be saved without you knowing it.
And that's where security software comes in. It compares pre-registered personal info with transmissions. If there's a match it'll block it unless it is user invoked...



Rgr, thank you Bighorn. That's pretty much what Schutt told me LoL.

Offline REP0MAN

  • Gold Member
  • *****
  • Posts: 2305
FYI - Malware Attack in Forum
« Reply #13 on: January 15, 2007, 02:02:54 PM »
I find it odd that boneyfreak has only one post, no profile information, no avatar, etc.

Just an observation
Apparently, one in five people in the world are Chinese. And there are five people in my family, so it must be one of them. It's either my mum or my dad. Or my older brother, Colin. Or my younger brother, Ho-Chan-Chu. But I think it's Colin. - Tim Vine.

Offline Sloehand

  • Silver Member
  • ****
  • Posts: 874
FYI - Malware Attack in Forum
« Reply #14 on: January 15, 2007, 06:07:55 PM »
OK, folks.  Schutt alerted me to the probable cause of all this and that is my Protection software, or actually, what I put into the software.  Seems that I used the minimum number of digits required (4) of a credit card number to trigger an alert, not realizing that within the thread's normal use of userids I might get a match and trigger the alert.  This seems to be the case as I have had the same thing happen now at other websites.

Strange in that, I've had the Protection module active for about 3-4 weeks and haven't had a hit till last night and then again today.

Anyway, that seems like the probable cause and that it is NOT a malware attack by anyone.

Sorry, if anyone got annoyed or unnecessarily concerned.  My motivation was only to protect others from what I thought might be a serious problem.
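The false positive Sloehand describes (a 4-digit card fragment matching the numeric userid in an avatar.php URL) and the matching logic 2bighorn outlines in reply #11 can be shown with a constructed example. This is added illustration code, not code from the thread or from Trend Micro; the userid value, the request lines and the registered fragment are placeholders, and the card number is the well-known 4111... Visa test number, not a real card.

```python
import re

# Hypothetical 4-digit fragment a user registered with the privacy module.
REGISTERED_FRAGMENT = "1234"

# Constructed outbound requests; "1234" stands in for a forum userid that
# happens to collide with the registered fragment.
SAMPLES = {
    "forum_avatar": "GET /forums/avatar.php?userid=1234&dateline=1168823665",
    "checkout": "POST /pay cardnumber=4111 1111 1111 1111&exp=0109",  # test PAN
    "benign": "GET /forums/showthread.php?t=19980",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def weak_policy(outbound: str) -> bool:
    """Fragment policy: block if the 4 registered digits appear anywhere.
    Any URL carrying a numeric id can trigger it, as in the thread."""
    return REGISTERED_FRAGMENT in outbound


def strict_policy(outbound: str) -> bool:
    """Full-number policy: block only on a 13-19 digit run (spaces or dashes
    allowed between digits) that is not part of a longer number and passes Luhn."""
    for m in re.finditer(r"(?<!\d)(\d[- ]?){12,18}\d(?!\d)", outbound):
        digits = re.sub(r"[- ]", "", m.group(0))
        if luhn_ok(digits):
            return True
    return False


def scan(outbound: str) -> dict:
    """Evaluate one outbound request under both policies."""
    return {"weak": weak_policy(outbound), "strict": strict_policy(outbound)}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} {scan(req)}")
```

Only the fragment policy blocks the avatar request, while only the full-number policy blocks the checkout that actually carries a card number.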