- This topic has 170 replies, 61 voices, and was last updated 7 years ago by beaker.
Online Fraud Advice
chakaping (Free Member)
Bloody hell that’s awful.
I’ve been doing some work in customer service with another bank and often see attempted phishing stuff, but it’s usually totally obvious – not as sophisticated as this.
If it helps, these things usually get resolved once it’s clear that there’s nothing fishy going on – but you should be prepared to jump through lots of hoops and try to be patient and understand that the bank needs to make sure you are not scamming them.
I really think devices should be able to verify the identity of banking sites; it shouldn’t be too hard to set up a database to check against and flag up if there’s a discrepancy in URLs?
finishthat (Free Member)
Nasty attack there – misleading you into authorising a new transfer by asking you to re-authenticate.
My online account requires the authorisation of a new transfer using strict “authorise” rather than “authenticate” procedures; even so, this could be cleverly spun to lead you with the right story/questions to do as the web page tells you to do – which is what it has done.
Tom-B (Free Member)
Going through my browsing history, it’s showing up ‘send money’ and ‘confirm transfer’ pages, all of these have a legit coop web address….none of those pages showed up on my screen at the time though!
Cougar (Full Member)
they would have to be doing some sort of man in the middle attack and I didn’t think that was possible with https
The only thing I can think is it’s some sort of sophisticated browser hijack which waits for you to clear security and then fires its own data before you can continue. I’m just trying to convince myself whether that’s possible or not; I’m guessing it could be if it’s just sending text to the browser outside of the secure connection endpoint.
Have you tried Googling the rogue account details, see if anyone else has been caught, might shed light on the cause?
Assuming it is an infection:
https://downloads.malwarebytes.com/file/mb3/
… is your next port of call. Run that and let me know what it finds.
wwaswas (Full Member)
Given the value of the potential loss it might be worth getting an ‘official’ expert to go through your PC and produce a report on the sequence of events? Might be worth not changing anything else on your PC for now – removing malware or whatever might make proof more difficult to obtain.
Your router may show details of traffic too. And ISPs have to keep it now but not sure what you need to do to get their info…
bencooper (Free Member)
Will the Co-Op have logged the IP addresses of the login attempts? Might not be able to find the attacker, but that might pin down when and how it happened.
leffeboy (Full Member)
That’s what I would expect as it’s difficult to get in the middle between your PC and the bank. The real question is how they persuaded your browser to display something else 🙁
Unless of course it’s a completely fake version of your browser. 🙁
Tom-B (Free Member)
Running that now Cougar….please tell me I’ve not fallen for another scam and am about to lose the little bit of cash that I currently have to my name?! ….I’ve only got two days’ worth of food left!
toby1 (Full Member)
Tom B – are you saying you can see the history of all the transfer pages in your own browser history for the time/date of the fraud transaction?
If so it suggests someone took over your browser and made the transfer via your machine?
If they had this level of control they may well have removed any trace of the history of you visiting their dubious site in the first place.
Out of interest, what browser do you use?
Tom-B (Free Member)
In my browser history, I can see all of the different co-op webpages that I visited on Sunday; after the login pages there are several ‘move money’ pages followed by a website error page. After that was when I logged back in and saw the money missing. I use Google Chrome.
toby1 (Full Member)
So did you hit those pages? Sorry, poorly structured question; essentially, were you trying to log in and move money anyway, or can you see pages that you didn’t visit in your history?
Particularly interested as my wife had her card details used several times recently and I’m not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
Tom-B (Free Member)
I was logging in at the time yes, but as for transferring money etc, no, I didn’t click any of those pages….
Cougar (Full Member)
Just messaged you with the results of that scan cougar
So you have. You’ve got a couple of things in there including a browser / search engine hijack, but nothing I can immediately see that would cause your symptoms. They’re all listed as “PUP” – potentially unwanted programs which are usually annoying rather than malicious – which are deselected for removal by default in MBAM.
Nonetheless, we could do with removing them. I’d uninstall “Advanced System Care” from control panel for a start, along with anything that references bitrco.com or GoSearchMe. You might need to manually reset some settings in Chrome too, but we’ll come to that.
Run MBAM again and tell it remove any leftovers, then reboot and run it again to see if it’s actually clean or if they’ve sprung back.
If you look at the bottom of the log where it gives you a list of files, that should give you a clue as to the source of the infection.
leffeboy (Full Member)
Actually, you might not want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack.
Cougar (Full Member)
Here, in fact. Do this:
https://www.pcrisk.com/removal-guides/9351-search-bitcro-com-redirect
(Remove anything that mentions booking.com too.)
Then do the MBAM scans as I suggested. Do not download anything from this site! The advice is sound but I’ve no idea whether their software is legit or not, for every good malware removal site there’s a dozen dodgy ones.
Cougar (Full Member)
actually, you might not want to uninstall anything until you have talked to the bank tomorrow. Otherwise they might just assume it really was you doing the transfer rather than a hijack
I’d wager they’ll be able to tell from the time stamps anyway, I expect it all happened far faster than anyone can feasibly type. Also, it’s probably an overseas account, and normal users don’t typically transfer their life savings to a random bloke in Nigeria.
leffeboy (Full Member)
Also, it’s probably an overseas account, and normal users don’t typically transfer their life savings to a random bloke in Nigeria
True, but it’s also not unknown for there to be an intermediate UK account that’s only up for a week and the stuff is continually transferred out of there until it is spotted. It’s getting harder to do though so it may have been directly out
Jamie (Free Member)
I’d airgap the laptop, and wait to hear back from CoOp’s fraud bods.
joebristol (Full Member)
Working for a bank (not co-op) I can see what’s probably happened. You’ve got malware on your PC that has directed you to a fake site that looks like the co-op. They’ve watched you key in all your details and they’ve opened another screen and logged on using those details.
They’ve then tricked you into entering a reader challenge code which they’ve used on their screen to pay the funds away.
I haven’t seen the co-op site, but on both major banks I’ve worked for they have warnings plastered everywhere that they won’t ask for a challenge code except for when making a payment to a 3rd party for the first time.
I suspect you’ll struggle to challenge them if they take the stance they won’t refund you (unless they get lucky and manage to recover the funds).
Your best bet is lodging an official complaint with their customer services and see if they are willing to refund you out of goodwill (depends how much money was paid away). If they say no you could ask it to be referred to the financial ombudsman – I’m not sure if they’ll do much in this case though. It does often cost the bank (especially later in the year) if the ombudsman get involved, so they sometimes will do something to avoid that cost.
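Three signals the thread keeps coming back to can be scored from the bank's own audit trail: bencooper's point that the bank will have logged the IP of each login, Cougar's that the transfer almost certainly happened faster than anyone can type, and joebristol's description above of captured credentials being used from a second screen with a relayed challenge code. The block below is an added example, not code from the Co-op, from any bank, or from anyone in this thread. Its JSON-lines log format, field names, thresholds and the three made-up customers are all assumptions: "alpha" matches joebristol's scenario (attacker's own session from another IP), "bravo" matches the man-in-the-browser case where Tom-B's history shows the bank's real URLs, and "charlie" is an ordinary first payment to a new payee.

```python
# Bank-side heuristics over a constructed online-banking audit log.
# Added example, not the Co-op's (or any bank's) real code. The JSON-lines
# schema, field names, customer names and thresholds are assumptions.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: keying a new payee's sort code, account number and
# reference takes a person well over 30 s; a script, or an attacker working
# from captured credentials, does not need that long.
MAX_HUMAN_LOGIN_TO_PAYEE = timedelta(seconds=30)
MAX_HUMAN_LOGIN_TO_TRANSFER = timedelta(minutes=2)
SESSION_TTL = timedelta(minutes=10)   # how long after login a session counts as live

# Constructed sample log (one JSON object per line), not real bank data.
# alpha:   credentials phished; the attacker logs in from a second IP, adds a
#          payee and pays away with the challenge code alpha was tricked into
#          reading back (challenge events are logged but not scored here).
# bravo:   man-in-the-browser; the transfer is driven from bravo's own session
#          and IP, so only the timing gives it away.
# charlie: an ordinary first payment to a new payee, at human speed.
SAMPLE_LOG = """
{"ts":"2017-03-05T14:02:10Z","event":"login","user":"alpha","session":"s1","ip":"86.1.2.3"}
{"ts":"2017-03-05T14:02:41Z","event":"login","user":"alpha","session":"s2","ip":"185.9.8.7"}
{"ts":"2017-03-05T14:02:49Z","event":"payee_added","user":"alpha","session":"s2","ip":"185.9.8.7","payee":"40-12-34/11223344"}
{"ts":"2017-03-05T14:02:50Z","event":"challenge_issued","user":"alpha","session":"s2","ip":"185.9.8.7"}
{"ts":"2017-03-05T14:03:28Z","event":"challenge_answered","user":"alpha","session":"s2","ip":"185.9.8.7"}
{"ts":"2017-03-05T14:03:29Z","event":"transfer","user":"alpha","session":"s2","ip":"185.9.8.7","payee":"40-12-34/11223344","amount":3200.00}
{"ts":"2017-03-05T16:10:00Z","event":"login","user":"bravo","session":"s3","ip":"92.4.5.6"}
{"ts":"2017-03-05T16:10:03Z","event":"payee_added","user":"bravo","session":"s3","ip":"92.4.5.6","payee":"20-99-88/55667788"}
{"ts":"2017-03-05T16:10:09Z","event":"transfer","user":"bravo","session":"s3","ip":"92.4.5.6","payee":"20-99-88/55667788","amount":900.00}
{"ts":"2017-03-05T18:00:00Z","event":"login","user":"charlie","session":"s4","ip":"81.7.7.7"}
{"ts":"2017-03-05T18:03:12Z","event":"payee_added","user":"charlie","session":"s4","ip":"81.7.7.7","payee":"30-00-01/99887766"}
{"ts":"2017-03-05T18:05:40Z","event":"transfer","user":"charlie","session":"s4","ip":"81.7.7.7","payee":"30-00-01/99887766","amount":120.00}
"""


def parse_log(text):
    """Parse JSON lines into a list of events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda ev: ev["ts"])
    return events


def analyse(events):
    """Return findings as (rule, user, session) tuples in log order."""
    findings = []
    login_of = {}                   # session -> its login event
    logins_of = defaultdict(list)   # user -> login events seen so far
    new_payees = set()              # (session, payee) created in that session

    for ev in events:
        user, sess, kind = ev["user"], ev["session"], ev["event"]
        if kind == "login":
            # Rule 1: a second live session for the same customer from a
            # different IP. Fits stolen credentials used elsewhere; a
            # man-in-the-browser attack will not trip this one.
            for prev in logins_of[user]:
                if prev["ip"] != ev["ip"] and ev["ts"] - prev["ts"] < SESSION_TTL:
                    findings.append(("concurrent_session", user, sess))
                    break
            login_of[sess] = ev
            logins_of[user].append(ev)
            continue

        login = login_of.get(sess)
        if login is None:
            continue                # activity with no logged login: ignore here
        since_login = ev["ts"] - login["ts"]

        if kind == "payee_added":
            new_payees.add((sess, ev["payee"]))
            # Rule 2: payee details keyed in at machine speed after login.
            if since_login < MAX_HUMAN_LOGIN_TO_PAYEE:
                findings.append(("machine_speed_payee", user, sess))
        elif kind == "transfer":
            # Rule 3: first payment to a payee created in this same session,
            # the one case where the bank asks for a reader challenge code.
            if (sess, ev["payee"]) in new_payees:
                findings.append(("first_payment_new_payee", user, sess))
            # Rule 4: login -> new payee -> transfer finished faster than a
            # person could plausibly type it.
            if since_login < MAX_HUMAN_LOGIN_TO_TRANSFER:
                findings.append(("machine_speed_transfer", user, sess))
    return findings


def suspicious_sessions(text):
    """Sessions that tripped a speed or concurrency rule -> sorted rule names."""
    hits = defaultdict(set)
    for rule, _user, sess in analyse(parse_log(text)):
        if rule != "first_payment_new_payee":   # normal on its own
            hits[sess].add(rule)
    return {sess: sorted(rules) for sess, rules in hits.items()}


if __name__ == "__main__":
    for rule, user, sess in analyse(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} user={user} session={sess}")
```

Running it flags session s2 on all three of concurrency and speed, s3 on speed alone (the man-in-the-browser case, which shares the victim's IP so rule 1 is silent), and nothing but the routine "first payment to a new payee" for s4. The point is the complementarity: IP-based checks catch the second-screen attack joebristol describes, timing checks catch the case where the victim's own browser was driven, and neither alone covers both.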
leffeboy (Full Member)
Possible, except his browser is showing the correct URLs, not fake ones
Cougar (Full Member)
Check to see what Chrome extensions you have installed….
Going off the MBAM log, he’s using IE I think.
jon_n (Free Member)
http://www.securityweek.com/remote-overlay-toolkit-makes-online-banking-fraud-easy
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc 🙁
Cougar (Full Member)
Possibly you have been compromised by this, when you log in it overlays an image over the top of your browser asking for your token details etc
Wow. Yeah, it sounds like it, doesn’t it.
Bizarre that neither AV nor MBAM flagged it up, mind. Might be worth an online scan in case the installed AV software’s been compromised (unless of course, there isn’t any installed).
leffeboy (Full Member)
I’d have been surprised that he was able to download the MBAM stuff if he was that compromised :(.
joebristol (Full Member)
Just on programs to try and stop the malware, some of the banks recommend something called Trusteer Rapport. Think it’s made by IBM, but most banks recommend it and let you download it for free.
Only issue I found with it was that although I didn’t appear to get any malware, it massively slowed down my laptop. That said it was never a great laptop in terms of speeds even from new (even though it should have been ok with the specs in it).
chvck (Free Member)
If it’s malware, is coop bank not a pretty odd target? I mean it must be a quite small usershare even if the malware targets an array of banks.
njee20 (Free Member)
For what little it’s worth I got screwed over in a similar way (tricked into authenticating a transfer; yeah yeah, I know), and it was impressively complex – they’d set up a recipient account in my name, sent texts from the same number Barclays actually use etc; looks like it stemmed from the bank having not updated my home address and a spare card going walkabout. Got the money back with no issues, despite arguably being culpable.
I’d expect a degree of uniformity in how banks handle this sort of thing.
Cougar (Full Member)
some of the banks recommend something called trusteer rapport
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually did. And if you think I’m installing some third party “security” software without knowing exactly what it does, you’re one off.
Tom-B (Free Member)
Was defo using Chrome…..AV had expired so was just using firewall/Defender 😕
zilog6128 (Full Member)
Things may have changed since I last looked as it was a few years ago, but when my bank started pimping it I tried and failed to get any information about what it actually did
http://www.trusteer.com/User-Guides/Rapport-User-Guide-3.5.1207/747.htm
To my uninformed brain it seems to work like a “super” security certificate, making sure that you’re actually connecting to the website you think you are, e.g. your bank, and warning you if there’s anything amiss. Claims to block lots of common methods that scammers/malware might use such as altering the way the browser works, etc. It also stops screen grabs & claims to stop key loggers.
And if you think I’m installing some third party “security” software
It’s from IBM, not merely a random third party to my mind. I’ve got no reason not to trust them. I suppose the tinfoil hat brigade might want to steer clear; seems like a great thing to have though otherwise especially for less informed or more vulnerable computer users.
leffeboy (Full Member)
av had expired so was just using firewall/defender
which is just fine, as long as it was enabled and running updates regularly
schrickvr6 (Free Member)
In MBAM make sure you do a custom scan and select the rootkit check box.
breatheeasy (Free Member)
Particularly interested as my wife had her card details used several times recently and I’m not sure where they got all the details including CVV from. I can only think either cloning the card and scanning the CVV in a shop or via online capture.
You could have a key logger on the laptop. Or the perps have managed to crack an obscure site (or bought the details) that your wife uses that has exactly the same email address and password as, say, Amazon. Fairly simple to pick out the details they need then, though CVV would be harder.
So many ways to do it, even just ringing up some company and paying over the phone; who knows who is just jotting the details down at the same time as processing them.
The topic ‘Online Fraud Advice’ is closed to new replies.