Clandestine Keylogging Can Be Major Problem


brahmburgers


I just went through 2 weeks of hell in cyberville. I think I'm clear now, but won't be certain for a couple of weeks.

A young Brit somehow got a keylogger program on my computer, and proceeded to cause as much havoc as possible.

Here's some of the damage:

>>> My email account was accessed (though the keylogger only sent out one email that I know of). However, the main damage of him having access to my email account (at Gmail) was that he was privy to all my correspondence while I was trying to fix the damage, etc.

>>> Amazon.com: I had made one solitary order a week before the problem started. Perhaps the keylogger was phishing at the Amazon site, and that enabled him to gain access.

>>> From there, he accessed my PayPal account. I had a bit over $300 in there. In one day of repeated transfers, the keylogger was able to transfer pounds sterling to his account, which left me with about $80 by the time PayPal and I found there was a breach. I made a formal complaint within PayPal (did it twice to make sure it stuck). After 3 agonizing days, the money was refunded to me, but get this: for two days, my account was over $800, which I thought was a penalty for the English thief (in some US states, if a check is found to be bad, the merchant [receiver of the bounced check] can legally get triple the amount in retaliation). But days later, my account was back to where it was before the problem, so it was because I complained twice that double the amount (of the rip-off) was refunded to me, and then the over-compensation was taken away.

>>> Several times each day, I changed passwords to all my accounts. I then went to public internet places to do the same, because I didn't trust my home computer. The problems persisted.

>>> The thief erased all the files in my 4 domains (twice!) and replaced the index pages with one of his own - featuring juvenile post-punk drivel.

>>> The punk also tried using my 2 credit cards, which were on one or two sites. He could only use the credit cards to purchase stuff within those sites. He didn't have the numbers, but he had access to the sites using my name and passwords. He didn't get much. Both my credit cards are mothballed now, but that's OK, because I rarely ever use plastic.

I have some theories on how it happened:

>>> I got ripped off online several months prior (another Brit, based in Chelsea), so maybe I got put on some sort of 'dummies' list.

>>> I changed passwords every week or so, but unwittingly re-used an old password that I hadn't used for months.

>>> I let a young Thai friend go online with my computer. Also let some backpackers do the same. OK, that was dumb. I won't do that ever again.

>>> Downloaded a program to look for keyloggers. It seemed to work rather well. Found one in MSFT Word (a pirated version), which had two files with identical logos and nearly identical names. One was legit, the other was a keylogger. Deleted it.

>>> Had my computer completely reformatted. Didn't solve the problem, probably because of the FTP file (mentioned below) or because somewhere in my 'saved' files (backup) was the keylogging program.

>>> There was a small file within my main domain. I could see its name (.membership), but couldn't transfer it (to look at its content) or delete it on my own. I finally got my domain help person to delete it.

In sum, I think it was that .membership file on my ISP (for domains) that was a contributing (or the main) factor - possibly plus that one order I made on Amazon, using Paypal.

I actually have the name and 3 email addresses for the persistent thief, but I won't email him, because it would probably just egg him on to more mischief. If anyone wants his name and email addresses, just contact me, I'll be glad to hand them out. I found that info via PayPal, because the person requesting funds has to have an account and email.

As I say, things have been ok for the past 3 days, but I won't rest easy on this security breach until several weeks have passed. And yes, I have a new anti-virus / firewall, and a couple keylogger detection programs installed.

P.s. the earlier rip off was very likely a keylogger program at a public internet place in Chiang Mai. Just prior to the earlier rip off, I had briefly visited two internet places downtown. Right after that, had trouble with my accounts.


It is too bad that you got nicked with the keylogger. I know for myself, your story is going to make me a lot more diligent in monitoring my computer for this problem. I normally check my vital web sites about four times per week.

I found two charges made in Canada a few years ago which got resolved in two or three days. One other charge got the credit card company suspicious and they shut down my account until I called them. Seems someone used my number for a $5,000 charge on my account which they deemed rather unreal. I never saw the bill but it happened in California.

I went through hell with another charge from somewhere to the tune of $18,000. It came out as a result of monitoring a credit report from the States. I proved that I was here in Thailand and could not have charged that amount in California. It had gone to a collection agency so they did not know any background until I refused to pay.

I use KeyScrambler. Anyone had a problem with it so far? It turns on when IE is opened. Now it can be used for Firefox and others if you pay.

Hope it does not happen to you again. I know the frustration.


Keylogger software seem to be everywhere these days. Two friends got their GMAIL accounts hacked after using internet cafes here in CM. Not as bad a situation as yours but still inconvenient. I always change my passwords after getting back from traveling which I hope helps. Using credit cards from internet cafes must be especially dicey.


>>> I let a young Thai friend go online with my computer. Also let some backpackers do the same. OK, that was dumb. I won't do that ever again.

In my opinion the keylogger was deliberately added by one of these users.

Nothing like personal access to a PC to sneak one on.

Very unlikely to be done over the internet by visiting sites.

You might have put it on yourself (trojan), but I still think backpacker or 'friend'.


WOW! Unreal. I had my email account jacked several years ago when I was in the PI. I now have 2 email accounts. One for my banking and important stuff and another for just emails with friends and non-important stuff. I travel around the world frequently and try to never access the critical one if I can avoid it while traveling.

Now, I travel with a netbook to avoid using internet cafes at all... and it is working out pretty well... but you can still get jacked if somebody has access to the wifi signal.

I visited a website last year regarding living in Hua Hin. It was done by some young guy...and I got hit bad. Took me 3 days to recover and had to reload everything. I was using BitDefender and even that didn't help.

Thanks for sharing and hope everything gets sorted out.


What part of Bangkok were you using an internet cafe in?

Out in the eastern part of Bangkok, with a high Muslim population. Most all internet cafes out there have keyloggers installed on their computers. Just check your task bar for suspicious items, because usually that is where the keylogger is installed.


Out in the eastern part of Bangkok, with a high Muslim population. Most all internet cafes out there have keyloggers installed on their computers. Just check your task bar for suspicious items, because usually that is where the keylogger is installed.

Most effective keyloggers - even many free ones - will not show in the Taskbar at all; even hitting Ctrl+Alt+Del to bring up Task Manager will not show the application as "running".

Patrick


This is a very scary example of "what can happen." You know, your mother tells you to wear clean underwear, wear your seat belt or helmet, and look both ways when you cross the street. You never think these things will ever happen to you until it actually does happen. I am sure all of us are checking and scanning and buttoning things up as we read this.

Thankfully all was well, and they took you for relatively minor amounts.


Update: six days now, with no suspicious activity, though I did get one email from 'billing' at my ISP telling me a request for a new domain was turned down because my credit card didn't go through. I know my credit card is dysfunctional right now, but that's because I chose to mothball it. I rarely use it, so I'm in no hurry to get it functioning again, particularly if there's the slightest chance of being ripped off. I think I'm in the clear with this problem behind me.

Whew, besides the worries and being ripped off, it takes A HECK OF A LOT OF TIME TO TRY AND STRAIGHTEN THINGS OUT.

The word virus is totally applicable. When you get a bad cold, it might take weeks to completely shake it off.

I've got books to edit, web sites to update. I'm currently endeavoring to develop two large outdoor tourist venues, along with a crew of workers I oversee (I'm da boss) - so it's doubly frustrating to have to get fixated on computer hassles.

If nothing else, I hope these posts (by me and others) compel readers to take utmost precautions.

On a closing note: I would recommend very harsh retribution for any keyloggers who are caught causing trouble. Five to ten years in jail would not be excessive. It's like having an invisible thief who's roaming your house for weeks, ripping things off at will.


I was just watching CNN. I guess some guy hacked into Sarah Palin's email account while she was running for VP. He just got sentenced to 1 year in jail. Maybe the guy who hijacked your accounts runs into the same fate? We can only wish....glad to hear all is well now.


I'm an internet professional, here are some pieces of advice:

- update your operating system as soon as a new update is available.

- letting other people use your computer:

never let them use the computer with the same user account as you.

create a "guest" account with no privileges. They can surf the net with that, and in most situations won't be able to install a keylogger.

- mail: use a local mail client like Outlook or Thunderbird, and use accounts which support SSL encryption.

Storing your mails online is a risk, anyone with your password can see all your past messages.

If the messages are downloaded to your local client and deleted from the server, the risk is limited.

But you have to back up your data to avoid loss (for example in case of a defective HDD).

- passwords: use different usernames and different passwords on websites and mail accounts.

A frightening 15% of forum users use the same password for their forum account as for their email account.

Any forum admin can get access to 15% of his users' mail accounts!

- do not rely on "password tools" to store your passwords.

Firstly, these tools are software, and any software can be broken into.

Secondly, being "password storage" tools, they are prime targets for criminals.

If you really need to store your passwords in a file, use a simple text editor like notepad, textpad, etc. and write your accounts and passwords in there.

Then zip or rar the file and set a password, and store the zipped file on a USB stick.

Additional security can be achieved by zipping the file a second time with another password.

Don't forget to delete the unzipped version!

- protection: you need 3 levels of protection: antivirus, behavioral protection and firewall.

I use 3 free security programs: avast, threatfire and zonealarm

Avast is a classical antivirus and will also scan your emails.

Threatfire is very useful and checks if some programs behave "abnormally", i.e. if they make copies of themselves or if they access areas of the system they shouldn't access.

ZoneAlarm will alert you of every attempt made by a program to access the internet. This would, for example, give away the keylogger.

- internet cafés: I avoid them completely.

Use the internet café only for surfing the net and avoid logging in anywhere. This sounds a bit unreal if you want to check your mail or write in forums, but internet cafés are just too unsafe.

You can purchase a mobile internet SIM card with unlimited usage for 600 baht a month. It is a bit slow, but it is fast enough for email and internet browsing.

If you have to use an internet café, try to use your own computer with their wireless network.

Caution, the wireless network might be tapped too, but there is less risk if you use mail services that are SSL encrypted.

Edited by manarak

I'm an internet professional, here are some pieces of advice:

Wow...great stuff. I have a question then. If you don't mind?

I use 2 email accounts. One is just email with friends and forums. No biz, no banks, nothing important. My other is for all the important stuff and I never check that at internet cafes. Neither email address is in the other's address book. Is this a good way to protect myself or not? I appreciate your thoughts...


Manarak has given some sound advice. I do similar but use different products: Armour Guard for my software firewall, Avira for virus protection and an assortment of other lesser tools to prevent installation of malware. Spybot continues to be a good product for after-the-fact findings, and it's worthwhile switching antivirus/firewall products periodically based on market assessment of their usefulness. I'm not keen on having two antivirus tools running at the same time since that can be problematic, and Threatfire, whilst being very good, is anti-virus software plus; each to their own however.

Risk/threat avoidance however is mostly behaviour and common sense based, and Manarak's advice in this area is very sound: never disclose passwords to sensitive systems in internet cafes, have multiple accounts (one for home base and one for use when travelling), and update all software on the home system in as near to real time as possible. Product suppliers will know and issue fixes to the software you have purchased long before you and I hear about them, so you'd be silly not to install them.


Yep Key-loggers are a huge problem these days.

A good idea is to use the Windows virtual keyboard for entering important passwords or CC numbers etc.

Programs > Accessories > Accessibility > On-Screen Keyboard

Want to find out just who is connected to your computer? Use cmd and netstat -a or -n, and -b for the application list.

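The netstat check suggested in the post above, worked through as an added example (not code from the post or from any tool mentioned in the thread). On Windows, `netstat -ano` prints one row per socket with the owning PID, and `netstat -b` (which needs an elevated prompt) adds the program name; `tasklist` gives the same PID-to-program mapping. The listing, the PID map, the list of programs that "should never talk to the network" and the set of common ports below are all constructed for illustration, and the 198.51.100.x / 203.0.113.x addresses are documentation ranges standing in for real remote hosts.

```python
"""Triage a saved `netstat -ano` listing: which programs hold connections to
outside hosts, and do they have any business doing so?

Added example, not from the original post.  All sample data is constructed.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49200     198.51.100.20:443      ESTABLISHED     2340
  TCP    192.168.1.10:49201     203.0.113.45:6667      ESTABLISHED     1604
  TCP    192.168.1.10:49202     198.51.100.7:21        ESTABLISHED     1604
  TCP    127.0.0.1:8080         127.0.0.1:49150        ESTABLISHED     3012
  UDP    0.0.0.0:500            *:*                                    1188
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCS = {812: "svchost.exe", 2340: "firefox.exe", 1604: "winword.exe",
                3012: "python.exe", 1188: "svchost.exe"}

# Assumptions for this example; build your own baseline from a known-clean machine.
NON_NETWORK_IMAGES = {"winword.exe", "excel.exe", "notepad.exe", "calc.exe"}
COMMON_PORTS = {80, 443, 465, 587, 993, 995}
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8")]

Conn = namedtuple("Conn", "proto local remote state pid")
Finding = namedtuple("Finding", "pid image remote reasons")

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)"                          # proto, local, foreign
    r"(?:\s+(LISTENING|ESTABLISHED|CLOSE_WAIT|TIME_WAIT|SYN_SENT))?"  # state (TCP only)
    r"\s+(\d+)\s*$")                                           # owning PID


def parse_netstat(text: str) -> list:
    """Keep only connection rows; the banner and column headers fall through."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def split_endpoint(endpoint: str):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_external(host: str) -> bool:
    """True for any address outside the private/loopback/link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a bracketed IPv6 literal: not handled here
        return False
    return not any(ip in net for net in LOCAL_NETS)


def triage(conns, procs) -> list:
    """Flag established connections to outside hosts made by a program that
    should not be on the network at all, or going to an unusual port."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        rhost, rport = split_endpoint(c.remote)
        if not is_external(rhost):
            continue
        image = procs.get(c.pid, "<unknown>").lower()
        reasons = []
        if image in NON_NETWORK_IMAGES:
            reasons.append("program not expected to use the network")
        if rport not in COMMON_PORTS:
            reasons.append(f"uncommon remote port {rport}")
        if reasons:
            findings.append(Finding(c.pid, image, c.remote, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCS):
        print(f"PID {f.pid} ({f.image}) -> {f.remote}: {'; '.join(f.reasons)}")
```

On the sample, the browser's connection to port 443 passes, and the two connections held by the word processor (to an IRC-style port and to FTP) are flagged. A process-level match is the point: a keylogger that lives inside a trusted program's process, or one that only connects when you are not looking, will not show up in a single snapshot, so run the check several times and compare against a baseline taken on a clean install.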

Surely paypal would go after this guy for fraud?

One would hope so, but I don't know. Paypal is not an enforcement agency. Perhaps they report the incidents (and his info) to relevant authorities, as PayPal has his name and some of his personal details - in order for him to have opened an account with them (somewhere to transfer payments to). Through him breaching my Paypal account, I was able to get his name (Justin Wilkins) and three emails he uses. I was hoping Paypal would do what US merchants are legally allowed to do to any clients which bounce a check written to them: get two or three times the amount of the bounced check paid to them (it depends on which US state the infraction occurred). ....but that's probably wishful thinking at this stage.


I'm not keen on having two antivirus tools running at the same time since that can be problematic and Threatfire whilst being very good, is anti-virus software plus

Threatfire is compatible with Avast, no conflicts.

A good idea is to use windows virtual keyboard for entering important passwords or CC numbers etc.

yes, this is a good way to fool basic keyloggers if:

- the windows virtual keyboard function itself has not been tampered with in the internet café

- there is not a second point of attack on the router. On non-encrypted client/server connections, the packets are sent unencrypted; this includes email accounts, forums, etc. While most banking sites and PayPal, etc. use SSL encryption, everything else is sent unencrypted over the router, and the router is controlled by the internet café. It is very easy to copy the traffic and to get the passwords.

They just need to modify the router's software, and it is not difficult.

The problem in internet cafés is really that you don't know if you can believe what you see on the screen. The OS is under someone else's control, and this person isn't necessarily the shopowner.

I really really prefer to use my own computer.

A netbook is not expensive. Spend 350 USD and get one with about 9 hours of battery time.

You will be much safer that way.

If the computer contains any personal data, set a password.

If the computer contains critical data, encrypt the harddisk with truecrypt.

I use 2 email accounts. One is just email with friends and forums. No biz, no banks, nothing important. My other is for all the important stuff and I never check that at internet cafes. Neither email address is in the other's address book. Is this a good way to protect myself or not? I appreciate your thoughts...

yes and no...

That way to protect yourself is effective as long as you don't login to your "serious" account or bank accounts on the same computer as the one you use for the other stuff (ThaiVisa?).

So, don't login to anything serious in an internet café, and you are safe. OK.

But if you can't login to your bank account and can't check your business emails while on vacation, the criminals win, right?

But setting up an account dedicated to forum registrations and other non-serious stuff (mail address given to bargirls?) is certainly a good thing.

Some services are pretty safe to use, even in internet cafés:

* For example, the login to my bank's SSL-encrypted systems needs user/password PLUS a random number that is generated by a piece of hardware I carry with me, plus a second random number to initiate a transaction.

It is not 100% secure, but the attack would have to be pretty sophisticated to succeed. We are talking of attack levels like used by intelligence agencies - I doubt this will ever be a risk for my bank account.

* SSL-encrypted mail accounts.

change your password weekly, this should be enough.


brahmburgers, I believe you have not mentioned so far that you have run a program to detect and eliminate spyware and malware. Spybot (freeware) is one program that comes to mind; other members may have suggestions for even better programs. Another program I run periodically is RegistryFix. Some malware fiddles with the registry entries and hopefully RegistryFix cleans this up. This one is not free, I believe, but costs little.


I use 3 free security programs: avast, threatfire and zonealarm

Threatfire is very useful and checks if some programs behave "abnormally", i.e. if they make copies of themselves or if they access areas of the system they shouldn't access.

On March 15th, Symantec made the decision to lay off approximately 1,000 people company-wide. The PC Tools office in Boulder, which was responsible for the development of ThreatFire, was closed. The majority of staff in the office were immediately let go, and the development of ThreatFire was transferred to a very small group in Sydney, Australia. This is why djames, ebennett, and others no longer post here.

At the time, there were serious doubts that ThreatFire would continue to be developed, as the group assigned to pick up the software was 1/6 the size of the group in Boulder. The fact that there has not been an update to the program probably answers that question.

Many of the staff from the Boulder office found their way to a competitor based in Boulder. PC Tools' loss is their gain.

Sourced from PCtools Forum


A good idea is to use windows virtual keyboard for entering important passwords or CC numbers etc.

programs>accessories>accessibility>on-screen Keyboard


I just wanted to stop this minor piece of misinformation before others try it! Using the windows virtual keyboard does NOT protect you from many keyloggers!! AFAIK, most virtual keyboard software simply connects to the standard OS API functions for input, and from the software keylogging perspective it is no different than when you are physically typing on a keyboard. One thing it DOES protect you from is hardware keyloggers, but I doubt these are used as much.


- do not rely on "password tools" to store your passwords.

If you really need to store your passwords in a file, use a simple text editor like notepad, textpad, etc. and write your accounts and passwords in there.

Then zip or rar the file and set a password, and store the zipped file on a USB stick.

For the most part, everything you posted is good advice, but I disagree with this password protection technique.

Password-protected zip files are an easy target for brute force or rainbow table attacks. Also, if you're on a computer compromised with a keylogger, this method won't work at all since your password will be in plaintext as you copy and paste it into the password field.

If you do use this technique, make sure you follow some additional guidelines:

-Never use it on a computer that you don't know is secure

-Use a zip/compression program that supports higher encryption such as AES-256, and make sure you use it

-Set your zip password to at least 12 characters, and use a mix of letters, numbers, and symbols

-Name it something that doesn't draw attention. AllMyBankPasswords.zip isn't a good idea.

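The reply above says to pick an archiver that supports AES-256 "and make sure you use it". Whether an archive actually uses it is visible in the zip headers: the general-purpose flag bit 0 marks an entry as encrypted, traditional PKWARE encryption ("ZipCrypto") keeps the real compression method in the method field, and the WinZip AES scheme sets the method field to 99 and puts the key size in a 0x9901 extra field. ZipCrypto is worth recognising because it falls to a known-plaintext attack (Biham and Kocher, 1994) no matter how long the password is. The block below is an added example, not code from any post or archiver. Python's zipfile module can read encrypted archives but not write them, so the "encrypted" samples are constructed by patching the central-directory fields of a plain archive, which is all the header check needs.

```python
"""Report which encryption each entry of a .zip actually uses.

Added example, not from the original posts.  The encrypted-looking samples
are constructed by patching headers; their contents are not really encrypted.
"""
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"      # central directory file header signature
FLAG_ENCRYPTED = 0x0001
AES_METHOD = 99             # WinZip AE-x: method field is 99, real method is in the extra field
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def classify_entry(info: zipfile.ZipInfo) -> str:
    """'not encrypted', legacy ZipCrypto, or the AES key size of one entry."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "not encrypted"
    if info.compress_type != AES_METHOD:
        # Traditional PKWARE encryption: password strength does not save it.
        return "ZipCrypto (legacy PKWARE)"
    # Extra field is a sequence of little-endian (id, size, data) records.
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        if ext_id == AES_EXTRA_ID and size >= 7:
            # AE-x data: vendor version(2), vendor id 'AE'(2), strength(1), method(2)
            return AES_STRENGTH.get(extra[pos + 8], "AES (unknown strength)")
        pos += 4 + size
    return "AES (strength record missing)"


def inspect_zip(data: bytes) -> dict:
    """Map each entry name to its encryption classification."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


# --- constructed samples: only the header fields a scanner reads are patched ---

def ae_extra(strength: int) -> bytes:
    """AE-2 extra-field record as WinZip and 7-Zip write it (method 8 = deflate)."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)


def make_zip(name: str, content: bytes, extra: bytes = b"") -> bytes:
    zi = zipfile.ZipInfo(name)
    zi.compress_type = zipfile.ZIP_DEFLATED
    zi.extra = extra                       # copied into local and central headers
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zi, content)
    return buf.getvalue()


def mark_encrypted(data: bytes, method: int) -> bytes:
    """Set the encrypted flag and the method field in the single central
    directory record, which is what zipfile's infolist() reads."""
    buf = bytearray(data)
    cd = buf.find(CD_SIG)
    flags, = struct.unpack_from("<H", buf, cd + 8)          # flags at +8, method at +10
    struct.pack_into("<HH", buf, cd + 8, flags | FLAG_ENCRYPTED, method)
    return bytes(buf)


if __name__ == "__main__":
    plain = make_zip("passwords.txt", b"constructed sample")
    print(inspect_zip(plain))
    print(inspect_zip(mark_encrypted(plain, 8)))            # what a basic "zip with password" gives
    aes = make_zip("passwords.txt", b"constructed sample", ae_extra(3))
    print(inspect_zip(mark_encrypted(aes, AES_METHOD)))     # what the reply above asks for
```

Run `inspect_zip` over the bytes of a real archive before trusting it with anything; if it reports ZipCrypto, the archiver ignored or did not offer the AES option. Even with AES-256 reported, the entry names in the central directory stay in clear, which is the reason for the advice above about not calling the file AllMyBankPasswords.zip.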

I just got my monthly report from Trusteer, the software supplied by HSBC UK to help protect against hijacking et al; it works on a number of bank-related sites. Normally the dashboard shows limited numbers of events, but this morning there's an interesting one out there: it seems that on 10 November I was entering data into a Santander Bank web site (from my home) and Trusteer noticed that the IP address of the site was 118.224.30.196. WHOIS doesn't list it but ADNIC does; seems it's the economic and financial development body within the Chinese government in Beijing! Hmm, I think to myself, I wonder what that's all about, and I run a pretty clean machine, at least I thought I did!!!!


brahmburgers, it just occurred to me that in a case as serious as yours you should completely reformat your hard disk and re-install Windows and all application programs from scratch. Back up all your data first, of course.

The first application you re-install should be an anti-virus program and you use it to scan every application before you re-install it and scan all data files.


Password-protected zip files are an easy target for brute force or rainbow table attacks. Also, if you're on a computer compromised with a keylogger, this method won't work at all since your password will be in plaintext as you copy and paste it into the password field.

-Never use it on a computer that you don't know is secure

-Use a zip/compression program that supports higher encryption such as AES-256, and make sure you use it

-Set your zip password to at least 12 characters, and use a mix of letters, numbers, and symbols

-Name it something that doesn't draw attention. AllMyBankPasswords.zip isn't a good idea.

Thanks for the news about Threatfire, it seems I will have to find another prog then.

Threatfire continues to alert me on strange behaviors though.

Huma79, yes, all good advice.

Of course the USB stick should be made on a secure computer!

ZIP passwords, yes, more than 12 of course and special characters - after a while one forgets to tell people how a password should look, "123456" is not a good password (but it will give you admin rights in too many systems).

And yes, this method is not defending against keyloggers; it defends against attacks on password storage utilities, and is a way to keep your passwords safe from trojans.

