4

When I log in to Wachovia/Wells Fargo/Amazon/PayPal, no matter the user/pass that I insert, I get a "we need to verify your information" page where they ask me everything, from the ATM PIN to my SSN to my mom's maiden name (LOL)

Then, when I insert bogus data, they continue to ask for more and more personal data, like frequent flyer numbers, Verified by Visa password, and so on, until I get to a Verified by Visa authorization page (with right SSL on visa.com!!!) for a sum hidden by a white div.

More data:

  1. The address is right (not www.amazon.com.frtrereeliamdumb.com, but amazon.com WITH THE RIGHT SSL)
  2. The hosts file is not modified
  3. The DNS is reliable, 8.8.8.8
  4. amazon.com resolves right
  5. The SSL is valid
  6. Sniffing traffic does not show anything suspicious
  7. I have wired internet
  8. No strange process running
  9. Opera is unaffected, Firefox and IE are affected (so it's not a rogue FF extension)
  10. I care about security and I run everything in Sandboxie, don't have Java, have an AV (so, how could I get this virus???)
  11. Admin programs like regedit and taskmgr are working and not blocked by this virus

What can it be???

Magnetic_dud
  • 3,702

4 Answers

3

You, sir, have malware installed on your client computer. This software likely "listens" to the common browser processes (i.e. IE and FF) and intercepts HTTP traffic, appending "frtree...com" to it.

Hard to say exactly what it is or how it got there, but one thing is clear: you need to find a virus scanner that will remove it, or roll your OS.

Edit: it's been my experience that it takes far less time (and less stress of being absolutely sure you removed it) to hose the OS than it does to track down the bugger and kill it.

Joshua
  • 4,402
2

Is it possible your router has been compromised by a virus and is redirecting traffic?

0

You may be infected.

Follow the order given below to disinfect your PC.

1.) On a PC that is not infected, make a boot AV disc, then boot from the disc on the infected PC and scan the hard drive, and remove any infections it finds. I prefer the Kaspersky disc myself. The new 2010 Kaspersky disc can update the AV dat files if you are connected to the internet at the time of the scan, and updating before the scan is suggested.

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

2.) Then: Install free MBAM, run the program and go to the Update tab and update it, then go to the Scanner Tab and do a quick scan, select and remove anything it finds.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

3.) When MBAM is done install SAS free version, run a quick scan, remove what it automatically selects. http://www.superantispyware.com/download.html

These last 2 are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV. These can be run once a day or week to ensure you are not infected. Be sure you update them before each daily or weekly scan.

Moab
  • 58,769
0

Double check your network settings. What could have happened is that you've got some malware which is pointing you to a bad Domain Name Server. This means that it looks like you are reaching the correct web addresses even when you are clearly not.

Another way to test this is to try to access known anti-malware sites like Malwarebytes. These are often blocked.

Get the Local Area Connection Properties dialog and select the General tab. Then select the "Internet Protocol (TCP/IP)" line and select "Properties".

In the new dialog, on the General tab, check whether the DNS server option has been set to "Use the following DNS server address". If it has, take a note of the IP addresses.

Then go to your ISP and see if they recommended that you set these values. If they don't, reset the switch to "Obtain DNS server address automatically". If they do, check that the IP addresses match.

You will still need to run the steps to clean your machine as there is no guarantee that there won't be a process running that keeps this setting pointing to the bad servers.

ChrisF
  • 41,540
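
The DNS check described in the last answer, scripted for every interface at once. This is an added example, not part of any of the posts above. It reads the standard Windows per-interface TCP/IP registry values; `$ExpectedDns` is a constructed sample allowlist (an assumption) that you replace with the resolvers you or your ISP actually chose.

```powershell
# Added example: list the DNS servers each network interface is configured to use
# and flag any that are not on an allowlist.
# $ExpectedDns is a constructed sample; replace it with your own resolvers.
$ExpectedDns = @('8.8.8.8', '8.8.4.4')

# Standard Windows location of per-interface TCP/IP settings.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$report = Get-ChildItem -Path $base | ForEach-Object {
    $key = $_
    $p   = Get-ItemProperty -Path $key.PSPath

    # NameServer     : set by hand ("Use the following DNS server addresses")
    # DhcpNameServer : received via DHCP ("Obtain DNS server address automatically")
    # Both are comma- or space-separated strings and may be absent.
    $static = @("$($p.NameServer)"     -split '[,\s]+' | Where-Object { $_ })
    $dhcp   = @("$($p.DhcpNameServer)" -split '[,\s]+' | Where-Object { $_ })
    if ($static.Count -eq 0 -and $dhcp.Count -eq 0) { return }  # no DNS on this interface

    # A static entry overrides whatever DHCP handed out.
    if ($static.Count -gt 0) { $mode = 'Static'; $servers = $static }
    else                     { $mode = 'DHCP';   $servers = $dhcp }

    $unexpected = @($servers | Where-Object { $ExpectedDns -notcontains $_ })

    [pscustomobject]@{
        InterfaceGuid = $key.PSChildName
        Mode          = $mode
        DnsServers    = $servers -join ', '
        Unexpected    = $unexpected -join ', '
    }
}

$report | Format-Table -AutoSize

# Summarise: any interface resolving through a server that is not on the allowlist.
$bad = @($report | Where-Object { $_.Unexpected })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) interface(s) use DNS servers outside the expected list."
}
```

When `Mode` is `DHCP`, the addresses were handed out by the router or ISP, so an unexpected value there points at the network side rather than at a setting changed on the PC.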