Will the Co-Op have logged the IP addresses of the login attempts? Might not be able to find the attacker, but that might pin down when and how it happened.
That's what I would expect as it's difficult to get in the middle between your pc and the bank. The real question is how they persuaded your browser to display something else 🙁
Unless of course it's a completely fake version of your browser. 🙁
Running that now Cougar....please tell me I've not fallen for another scam and am about to lose the little bit of cash that I currently have to my name?! ....I've only got two days worth of food left!
Just messaged you with the results of that scan cougar
Tom B - are you saying you can see the history of all the transfer pages on your own browser history for the time/date of the fraud transaction?
If so it suggests someone took over your browser and made the transfer via your machine?
If they had this level of control they may well have removed any trace of the history of you visiting their dubious site in the first place.
Out of interest, what browser do you use?
In my browser history, I can see all of the different co-op webpages that I visited on Sunday, after the login pages there are several 'move money pages' followed by a website error page. After that was when I logged back in and saw the money missing. I use Google Chrome.
So did you hit those pages? Sorry, poorly structured question, essentially were you trying to log in and move money anyway, or can you see pages that you didn't visit in your history?
Particularly interested as my wife had her card details used several times recently and I'm not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
I was logging in at the time yes, but as for transferring money etc, no, I didn't click any of those pages....
Just messaged you with the results of that scan cougar
So you have. You've got a couple of things in there including a browser / search engine hijack, but nothing I can immediately see that would cause your symptoms. They're all listed as "PUP" - potentially unwanted programs which are usually annoying rather than malicious - which are deselected for removal by default in MBAM.
Nonetheless, we could do with removing them. I'd uninstall "Advanced System Care" from control panel for a start, along with anything that references bitrco.com or GoSearchMe. You might need to manually reset some settings in Chrome too, but we'll come to that.
Run MBAM again and tell it to remove any leftovers, then reboot and run it again to see if it's actually clean or if they've sprung back.
If you look at the bottom of the log where it gives you a list of files, that should give you a clue as to the source of the infection.
What AV do you use, out of interest?
actually, you might [i]not[/i] want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack
Here, in fact. Do this:
https://www.pcrisk.com/removal-guides/9351-search-bitcro-com-redirect
(Remove anything that mentions booking.com too.)
Then do the MBAM scans as I suggested. Do not download anything from this site! The advice is sound but I've no idea whether their software is legit or not, for every good malware removal site there's a dozen dodgy ones.
actually, you might not want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack
I'd wager they'll be able to tell from the time stamps anyway, I expect it all happened far faster than anyone can feasibly type. Also, it's probably an overseas account, and normal users don't typically transfer their life savings to a random bloke in Nigeria.
Also, it's probably an overseas account, and normal users don't typically transfer their life savings to a random bloke in Nigeria
True, but it's also not unknown for there to be an intermediate UK account that's only up for a week and the stuff is continually transferred out of there until it is spotted. It's getting harder to do though so it may have been directly out
I'd airgap the laptop, and wait to hear back from CoOp's fraud bods.
Working for a bank (not co-op) I can see what's probably happened. You've got malware on your pc that has directed you to a fake site that looks like the co-op. They've watched you key in all your details and they've opened another screen and logged on using those details.
They've then tricked you into entering a reader challenge code which they've used on their screen to pay the funds away.
I haven't seen the co-op site, but on both major banks I've worked for they have warnings plastered everywhere that they won't ask for a challenge code except for when making a payment to a 3rd party for the first time.
I suspect you'll struggle to challenge them if they take the stance they won't refund you (unless they get lucky and manage to recover the funds).
Your best bet is lodging an official complaint with their customer services and see if they are willing to refund you out of goodwill (depends how much money was paid away). If they say no you could ask it to be referred to the financial ombudsman - I'm not sure if they'll do much in this case though. It does often cost the bank (especially later in the year) if the ombudsman get involved, so they sometimes will do something to avoid that cost.
Possible, except his browser is showing the correct URLs, not fake ones
Check to see what Chrome extensions you have installed....
Check to see what Chrome extensions you have installed....
Going off the MBAM log, he's using IE I think.
http://www.securityweek.com/remote-overlay-toolkit-makes-online-banking-fraud-easy
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc 🙁
Cougar - I think he said Chrome earlier in the thread...
Ah - you're right, mea culpa.
An overlay is most likely if that is possible
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc
Wow. Yeah, it sounds like it, doesn't it.
Bizarre that neither AV nor MBAM flagged it up, mind. Might be worth an online scan in case the installed AV software's been compromised (unless of course, there isn't any installed).
http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner
I'd have been surprised that he was able to download the mbam stuff if he was that compromised :(.
Just on programs to try and stop the malware, some of the banks recommend something called trusteer rapport. Think it's made by IBM, but most banks recommend it and let you download it for free.
Only issue I found with it was that although I didn't appear to get any malware, it massively slowed down my laptop. That said it was never a great laptop in terms of speeds even from new (even though it should have been ok with the specs in it).
If it's malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
For what little it's worth I got screwed over in a similar way (tricked into authenticating a transfer; yeah yeah, I know), and it was impressively complex - they'd set up a recipient account in my name, sent texts from the same number Barclays actually use etc, looks like it stemmed from the bank having not updated my home address and a spare card going walkabout. Got the money back with no issues, despite arguably being culpable.
I'd expect a degree of uniformity in how banks handle this sort of thing.
some of the banks recommend something called trusteer rapport
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually [i]did[/i]. And if you think I'm installing some third party "security" software without knowing [b]exactly[/b] what it does, you're one off.
Was defo using chrome.....av had expired so was just using firewall/defender 😕
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually did
http://www.trusteer.com/User-Guides/Rapport-User-Guide-3.5.1207/747.htm
To my uninformed brain it seems to work like a "super" security certificate, making sure that you're actually connecting to the website you think you are e.g. your bank, and warning you if there's anything amiss. Claims to block lots of common methods that scammers/malware might use such as altering the way the browser works, etc. It also stops screen grabs & claims to stop key loggers.
And if you think I'm installing some third party "security" software
It's from IBM, not merely a random third party to my mind. I've got no reason not to trust them. I suppose the tinfoil hat brigade might want to steer clear; seems like a great thing to have though otherwise especially for less informed or more vulnerable computer users.
av had expired so was just using firewall/defender
which is just fine, as long as it was enabled and running updates regularly
There is an s missing from http - just saying
In mbam make sure you do a custom scan and select the rootkit check box.
Particularly interested as my wife had her card details used several times recently and I'm not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
You could have a key logger on the laptop. Or the perps have managed to crack an obscure site (or bought the details) that your wife uses that has exactly the same email address and password as, say, Amazon. Fairly simple to pick out the details they need then, tho CCV would be harder.
So many ways to do it, even just ringing up some company and paying over the phone, who knows who is just jotting the details down at same time as processing them.
If it's malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
Well, there are still many £millions in the Coop, and if the baddies have worked out their particular authentication process can be 'modified' slightly to work to their advantage they could be an easy target. Also, maybe Coop implies a more elderly audience they might be more likely to fall for phishing scams etc.
Update, Fraud team manager at Co-Op has upheld the decision to not authorise a refund on the basis that I gave away my PIN number. They really are trying their hardest to avoid being helpful in any way!!!
Do we think that going to the press is worthwhile? I'd imagine that with the amount we're talking (five figure sum) it's pretty news worthy?
I've said it above - you need to get someone who knows what they're doing to examine your pc.
I would talk to a specialist solicitor.
Also talk to ombudsman - be seen to follow appropriate escalation path.
Press? I'd save that for later if it were me but for a five figure sum it might be easier said than done - I'd be frantic by now 🙁
That's crap. I'm not sure that press would be helpful to your cause - the angle would more be about 'making people aware' rather than 'crap, unhelpful bank'. So unless you want 'sadface' in the papers, it's not worth the effort.
Ombudsman might be your best bet. Is it just a single login password, or is there some kind of two-factor authentication provided by the bank? I would have said that the former is inadequate these days given the likely sophistication of the malware/spoofing attack you've experienced.
Keep plugging away at them.
Do we think that going to the press is worthwhile? I'd imagine that with the amount we're talking (five figure sum) it's pretty news worthy?
What have you got to lose?
your.problems@observer.co.uk
consumer.champions@theguardian.com
Email addresses from https://www.theguardian.com/money/2013/nov/20/consumer-work-experts-guardian
I know this may be an unpopular question but, if the OP's PC has been compromised and he's consequently given his secrets away to a cunning third party who has then stolen his cash, why should the bank (and by extension its other customers) be liable to make good the loss?
Unless the bank can be shown to have been negligent or complicit, why are they liable apart from by having more money to throw around?
Sorry, not trying to be provocative just curious.
I assume the CoOp's fraud dept have explained exactly how they think the attack took place to the OP?
1. So it doesn't happen again
2. To explain why they have decided to not refund his money.
Given that they got my PIN number (which seems to be the crux) via the coop's card reader I'd say the bank's security has been pretty negligent? Surely it should be able to be hijacked in this way?
Also, why wasn't a 5 figure transfer flagged up as suspicious by the bank? It's hardly like I routinely move that amount of money around!!!
Tom.
You need them to tell you exactly what they think happened. As I just cannot see how they can say get bent, but not say how they have shifted liability onto you.