Heads up


Evo
24th Aug 2005, 09:44
A colleague of mine has just found his bank account cleared out - the thief logged on with his credentials and transferred money elsewhere, but the bank's logs show that it was done from a different IP address from his (his is static, so easy to spot). We're not sure how the details were obtained yet - looking now - but we're assuming something like:

http://news.bbc.co.uk/1/hi/technology/4173218.stm

The worrying thing is that he's not a numpty, but the kind of person who could reasonably think it "couldn't happen to him"; he's technically competent, and was running regularly-patched XP/SP2 and anti-virus, plus A-squared, Spybot and MS Anti-Spyware. Nothing he runs spotted whatever did it. He was running Zone Labs Integrity Desktop (which I think is the corporate edition of Zone Alarm) but looking at the system logs it failed a couple of days ago - that's unusual, so I'm not sure if it was accidental or if it was taken out to stop an outbound warning appearing.

Anyway - heads up. If you're running XP/IE6 then it's worth being extra careful at the moment while the Anti-spyware lot catch up.

stickyb
24th Aug 2005, 10:47
Evo, don't know which bank your friend was with, but mine has a two stage login process.
The first is the normal username/password sequence, the second stage asks me to supply specific characters from a previously chosen phrase - eg something like the 2nd 4th and last characters of an n character long word or phrase.
My wife's bank - a different one - also has a very similar system.

This means the details cannot be captured by a keylogger unless it observes at least 9 or maybe more logons.

Maybe your friend's bank is negligent in not providing a more secure logon, or maybe the thief got the data some other way?
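The "specific characters from a previously chosen phrase" second stage described above, modelled as an added example (not from the thread, and not any bank's actual implementation): a verifier for the challenge, and an observer that records each revealed (position, character) pair, to show how many logons it takes before the whole phrase is known. The secret phrase, the number of positions per challenge and the random seeds are constructed values for illustration.

```python
# Added example: model of a partial-password second login stage and of an observer
# who sees both the challenge (which positions were asked) and the typed answer.
# That observer corresponds to a fake log-on page rather than a bare keylogger,
# which would see the typed characters but not the positions they belong to.
# Secret, k and seeds below are constructed values, not from any real system.
import math
import random


def make_challenge(secret_len: int, k: int, rng: random.Random) -> list[int]:
    """Bank side: choose k distinct 1-based positions (e.g. 2nd, 4th and last)."""
    return sorted(rng.sample(range(1, secret_len + 1), k))


def verify_response(secret: str, positions: list[int], response: str) -> bool:
    """Bank side: the response must be exactly the requested characters, in order."""
    expected = "".join(secret[p - 1] for p in positions)
    return len(response) == len(expected) and response == expected


def logons_until_recovered(secret: str, k: int, seed: int) -> int:
    """Observer side: count logons watched until every position has been revealed,
    i.e. until any future challenge could be answered."""
    rng = random.Random(seed)
    known: dict[int, str] = {}
    logons = 0
    while len(known) < len(secret):
        positions = make_challenge(len(secret), k, rng)
        answer = "".join(secret[p - 1] for p in positions)  # what the victim types
        for p, ch in zip(positions, answer):
            known[p] = ch
        logons += 1
    return logons


def mean_logons(secret: str, k: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo average over independent challenge sequences. The hard floor is
    ceil(n / k); repeated positions push the real figure well above it."""
    total = sum(logons_until_recovered(secret, k, seed + t) for t in range(trials))
    return total / trials


if __name__ == "__main__":
    secret = "yellowbanana"  # constructed 12-character memorable phrase
    print("positions per challenge: 3, floor:", math.ceil(len(secret) / 3))
    print("average logons observed before full recovery:", mean_logons(secret, 3))
```

The floor for a 12-character phrase with three positions per challenge is four observed logons; the simulated average shows how much the random choice of positions adds to that.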

Evo
24th Aug 2005, 11:49
Natwest. I've never used them, so I don't know what the login process is.

He's never written anything down, so the computer seems the obvious choice - haven't had a chance to fiddle with Hijack This! yet, but none of the usual suspects have found anything yet.

Buttino
24th Aug 2005, 12:55
Very interesting indeed, I'm more than curious to find out what the cause was, especially since he's taken reasonable precautions about security.

BOAC
26th Aug 2005, 18:00
Thanks for the heads up, Evo. The warning appears to have originated from a company called 'Sunbelt' and they have released a check programme here (http://research.sunbelt-software.com/ssaclean.cfm?download) for the key-logger.

PS Hope the programme is not a key-logger......................:{

stickyb
29th Aug 2005, 00:34
Evo, could you ask your friend to describe the login process he/she normally goes through. IF it includes the 2nd stage challenge/answer section then the home PC is most unlikely to be the culprit and you could be looking at something more sinister.

PPRuNe Pop
29th Aug 2005, 07:21
Yes, very worrying.

I have a 5 stage login at my bank and I feel comfortable with that. What bothers me is that the bank did not question a clear-out, they usually do.

Still best to be aware.

stickyb
7th Sep 2005, 17:57
Evo, have done a check and Nat West have a multi stage login process that includes a challenge response section designed to defeat a key logger.
Therefore I think there has to be more to your initial post than meets the eye.
Has your friend been the victim of a phishing scam?

Evo
13th Sep 2005, 08:09
Yes, we now think he was most probably 'phished', but he's not sure how - he gets the standard phishing emails, but all he can remember are the usual ones that ask for the whole password, and nothing that looked similar to the real log-on process. Some kind of redirection to a fake webpage could be possible (DNS poisoning?) but that would only capture elements of the password. He doesn't remember a string of logon failures that could let them capture lots of characters. It's an odd one.

A more worrying possibility is that it was an inside job. It's impossible to know what goes on internally, but it was suggested as realistic by somebody who should know (he was lead architect for their original pre-RBS online banking system, so he knows internet banking very, very well).

Anyway, it's now in the hands of the police, who seem unusually interested ... so there may be more going on than we know. But it has rather shaken my confidence in online banking - if it could happen to him, it could happen to me...!

stickyb - sorry for the full inbox message you got, I've been away for a few days and missed it.

stickyb
19th Sep 2005, 05:42
For anybody worried about phishing attacks or bogus websites, then I would most strongly recommend installing SPOOFSTICK, a small but very effective piece of free software obtainable here (http://www.spoofstick.com/)

It gives you a visual check that the site you are on is actually the site you thought you were visiting.

The Nr Fairy
19th Sep 2005, 07:51
Also, NetCraft at http://news.netcraft.com/ which purports to be anti-phishing software in a more direct sense than SpoofStick.

stickyb
19th Sep 2005, 08:56
Nr-F

Have checked out your recommendation and not sure I like it. It doesn't give the plain simple information the Spoofstick does, but it does contact its home base for every page you display, which can add considerably to your internet traffic.

Also, the code seems to have some holes in it, such that if it cannot contact its home site it goes into a loop trying, using up 100% of the cpu and making your system unusable. Therefore if netcraft went off the air, or your isp decided to block it, or whatever, you could have no internet access unless you uninstall it.

The Nr Fairy
19th Sep 2005, 10:33
I frequently work offline, with no access to the internet. NetCraft is installed on both firefox (primary browser) and IE (use it when I'm forced to).

I've not experienced the problems you have. Certainly it tries to update every time you kick off an IE session, and if it's active it tries to check each new site, but that's not a huge hit.

stickyb
19th Sep 2005, 14:08
I don't think Natwest have a call centre in India, but it could happen anywhere. From the BBC News site: http://news.bbc.co.uk/2/hi/uk_news/4121934.stm

Police are investigating reports that the bank account details of 1,000 UK customers, held by Indian call centres, were sold to an undercover reporter.

The Sun alleged the computer expert told the reporter he could sell up to 200,000 account details, obtained from fraudulent call centre workers, each month.

Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.

The information passed on could have been used to raid the accounts of victims or to clone credit cards.

The allegations in the Sun follow the April arrests of former call centre staff in western India.

They were said to have obtained passwords and then after leaving the company transferred money out of customer accounts.