A good amount of money has been stolen from my bank account bypassing the double factor authentication.

It may have been mentioned before in this thread, but I think it does merit repeating: work with the bank's web site, and enable all the security measures they offer. And keep your browser/app up to date.

If OP is still interested in the specific CVE, it helps to match it to the affected version of the software. Sometimes, you discover that the CVE has been patched with the most recent update anyway.
 
I would check the release history of Firefox, and see which version was released around that date. It's fairly safe to assume that OP had a somewhat older version. Sometimes people skip a few releases before updating, but I don't expect people to keep very good notes on what version they actually used. A 'version older than a specific release' is usually a good assumption.

I took the habit to keep and use two FreeBSD installations in two different disks. Sometimes I use A, sometimes B. They are the same but they aren't kept perfectly synchronized...
 
most likely it wasn't a firefox exploit
that's complicated stuff and freebsd is an irrelevant desktop os / nobody perfects exploits for this
unless you are very high profile target and then the attacker won't buy videogames
with a shiny solid 9.0+ CVE you do not need to target a specific os. There are enough bugs that are on all platforms. Furthermore, it is more likely that such a vulnerability can be exploited in FreeBSD because lots of mitigations/sandboxing are tied to Linux technologies we unfortunately do not have.

ZioMario have a look at the logs to track when a package was installed, like
grep firefox /var/log/messages | grep pkg
 
Most of the time, just employing common sense like properly and completely logging out, not fighting the suggestion to set up extra security when offered - that is usually enough to keep most opportunistic miscreants at bay. Kind of like having a decent lock on your door. No, it won't stop a Tomahawk missile (or even an 18th century cannonball, for that matter), but it will stop automatic gunfire like a brick wall.
 
ZioMario I've re-read your first post and from the info in it, you probably got phished. Go through browser history on all the browsers you accessed e-banking from.

Kind of like having a decent lock on your door. No, it won't stop a Tomahawk missile (or even an 18th century cannonball, for that matter)

Wouldn't using a $5M device to break a $5 system prohibit the launch from the get-go ... I heard cannonballs aren't cheap nowadays either :D

Kinda what we're talking around here. A Firefox 0day would cost a lot on the black market.
 
with a shiny solid 9.0+ CVE you do not need to target a specific os. There are enough bugs that are on all platforms. Furthermore, it is more likely that such a vulnerability can be exploited in FreeBSD because lots of mitigations/sandboxing are tied to Linux technologies we unfortunately do not have.

ZioMario have a look at the logs to track when a package was installed, like
grep firefox /var/log/messages | grep pkg

Now I've booted the twin installation of FreeBSD and I've checked the version of Firefox installed: it is 144.0 with a lot of packages to upgrade.
 
Also, if the amounts stolen aren't large enough, forensic analysis won't be done. It costs time and expertise and it simply isn't done for petty crime. Unless somehow your case ties into a larger case.

An example from my country is the usual phone credit card scam. The usual victim is an older person who keeps some liquid assets on the credit card, but usually less than 1 paycheck/pension ... just to go out to the store cashless, etc. These crimes end up reported and that's it, the police say they will investigate via the telecom, nothing happens, because the police don't employ computer specialists just to work on random people's cases. The police will in 100% of the cases point you to the bank or your CC vendor, who may open the case on their side and eventually retrieve the money.

This will most likely happen to you unless the kiddy stole like a new car worth of money.
Your best options are finding out yourself, understanding the situation, plugging the holes in your workflow or software (I still believe simplest answer is best here - you were phished), and talking to your bank. If the kiddy bought a game, the bank may contact whoever sold that game to him.
 
I wondered if you had been unlucky and got something like the Anatsa banking trojan mentioned here on your phone. It doesn't say which infected apps were removed from the appstore. It's specifically targeted at banking too. There may be more than one android banking malware as well. Perhaps the malware is able to attack the bank's own app that you said you had on your phone. It's about the right time period too, within the last couple of months. Perhaps there are other apps on the appstore that are still infected with it.

"Anatsa is a classic case of mobile malware rapidly adapting to security research progress. Its stealth tactics, exploitation of accessibility permissions, and ability to shift between hundreds of financial targets make it an ongoing threat for Android users worldwide."

That sounds like the kind of thing they may have used to hack your account.


OTOH... the fact that they got your CVC code, sounds more like a browser hack, since you said you didn't use the banking website on the phone. Of course they could have used both methods.
 
The case has been solved just right now. I found the smoking gun. I received a spoofed email that looked like it came from my bank, and I clicked the link. I even found in the history the fake webpage shown in that email, so it's sure that I clicked there. I've never been fooled in this way before. I pay a lot of attention to fake emails. It can happen. Tomorrow I will go to the police station to add the evidence I found, where the email of the phisher is very visible. The domain in the email address even matches the initial of the country where the withdrawal originated. Barcellona with love.
 
It's good to know that you found it. That's a nasty trick they used. Well done for figuring it out anyway.
It would still be interesting to know how they got your CVC, that is a real puzzle.
 
With this situation, it's clear that I should make a new bank account. But is FreeBSD and/or Android and/or Firefox also compromised? What's the next piece of the puzzle that has been compromised and that I should reset?
 
I suppose if one wants to do forensic analysis,

Remove the drive from the machine. Install it in another machine, setting the read-only jumper. If no read-only jumper be careful to mount it read-only or better, use a forensic toolkit like sleuthkit found in ports.

Forensic toolkits are not for the faint of heart. Analysis can take weeks, even months.

If a VM, clone the VM (twice). Leave the original offline. Inspect the first copy. Reinstall the O/S and apps from scratch on the second copy, restoring all data from a known good backup.

Again, for a physical machine remove the drive, clone it, use the clone for forensic analysis. Purchase a new drive and reinstall everything on it.

For the phone. Factory reset it and reinstall.

As to why? There is too much uncertainty in this thread.

This is how we handle such situations professionally.
 
I received a spoofed email that looked like it came from my bank, and I clicked the link.
Yeah, that is a classic phishing scam, nothing too sophisticated, a surprisingly easy way to collect the keys needed to make actual withdrawals. But even so, congratulations on being persistent enough to find the phishing email!

Dunno how banks outside of the US handle communications with clients, but inside the US, more and more financial institutions are adopting the policy of not sending unsolicited emails to clients. If an email is associated with a transaction, a bank will go out of its way to make sure the client actually requested that email (i.e. the client's online banking account would have a setting that actually triggers an email to be sent under very specific conditions).

In reality, that setting is a bit spammy, so I ended up having to learn what triggers certain emails to be sent, and what looks legitimate.

To keep things simple, just don't click on links in an email unless you know to expect it. One would think that's common sense.

But is FreeBSD and/or Android and/or Firefox also compromised? What's the next piece of the puzzle that has been compromised and that I should reset?
I frankly think you can relax on that front, now that you found the phishing email. Just relax and make sure your software is up to date. A fresh reinstall (or at least clearing the browser cache) won't hurt.
 
The case has been solved just right now. I found the smoking gun. I received a spoofed email that looked like it came from my bank, and I clicked the link.
I'm running my own mail server and I'm using mail/mutt as MUA. This way I can verify if the e-mail comes from the right sender and I can't click too fast on any HTML link by mistake. The header fields SPF, DKIM, DMARC are displayed in color to verify the compliance. If all is OK I can then open the HTML content in my browser if I want to.
 
I'm running my own mail server and I'm using mail/mutt as MUA. This way I can verify if the e-mail comes from the right sender and I can't click too fast on any HTML link by mistake. The header fields SPF, DKIM, DMARC are displayed in color to verify the compliance. If all is OK I can then open the HTML content in my browser if I want to.
You can easily verify the URL by hand in a text editor or by verifying that the URL matches the link text. No need for anything complicated.

Well, if you do run your own email service, then yeah, do whatever it takes to keep it safe (even though it's frankly an arms race).
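As an added example (not code from this thread or from any poster), here is a small Python script that automates the checks the two posts above describe doing by hand in mutt or a text editor: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, checks that the envelope sender domain aligns with the visible From: domain the way DMARC expects, and flags HTML links whose visible text names a different host than their href. The message and both domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample mail; both domains are placeholders, not real sites.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alerts@mybank-secure.example; dkim=none; dmarc=fail header.from=mybank.example
From: "MyBank Security" <alerts@mybank.example>
Subject: Unusual login detected
Content-Type: text/html

<a href="https://mybank-secure.example/login">https://www.mybank.example/login</a>
"""

def auth_results(msg):
    """spf=/dkim=/dmarc= verdicts from Authentication-Results; a missing mechanism counts as 'none'."""
    hdr = msg.get("Authentication-Results", "")
    return {m: (re.search(rf"\b{m}=(\w+)", hdr) or [0, "none"])[1] for m in ("spf", "dkim", "dmarc")}

def aligned(msg, from_domain):
    """DMARC-style alignment: the SPF envelope (smtp.mailfrom) domain must match the visible From: domain."""
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", msg.get("Authentication-Results", ""))
    env = m.group(1).rpartition("@")[2].lower() if m else ""
    return env == from_domain or env.endswith("." + from_domain)

def mismatched_links(html):
    """(href_host, text_host) for every <a> whose visible text is a URL on a different host."""
    bad = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            bad.append((href_host, text_host))
    return bad

def assess(raw):
    """Return (from_domain, auth verdicts, findings) for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = auth_results(msg)
    findings = [f"{k}={v}" for k, v in results.items() if v != "pass"]
    if not aligned(msg, from_domain):
        findings.append("envelope sender domain does not align with From: domain")
    for href_host, text_host in mismatched_links(msg.get_payload()):
        findings.append(f"link text shows {text_host} but points to {href_host}")
    return from_domain, results, findings

if __name__ == "__main__":
    for finding in assess(SAMPLE)[2]:
        print("WARNING:", finding)
```

Feed it a message saved from mutt (or any MUA's "view raw source") as the argument to assess(); an empty findings list means every check passed.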
 
In your opinion, if I bring the bank employee the visual and paper evidence of the phishing dynamic, will this make it easier to get refunded or not?
 
When I had my credit cards hacked the police & bank contacted my ISP to check my website usage etc, never bothered to do a forensic examination of the PC. I was lucky: £984 for Russian airline tickets & pizza & 2 on-hold purchases. I don't have a passport & don't live in Russia so I got all the money cancelled from the card. If it was purchases in the UK it would be harder to provide proof of non-purchase. This morning a work friend has told me his wife had her credit card hacked & purchases done in the last month. They are waiting for the new card to arrive & it already has purchases against it on Uber Eats & the bank has already cancelled the card for replacement number two. She has been told to remove the Uber app & factory reset her iPhone.
 