
A financial account of mine has been hacked and money stolen


3 replies to this topic

#1 ThisIsTheIdea

ThisIsTheIdea

  • Members
  • 2 posts

Posted 02 June 2013 - 09:16 AM

Hi, I'd very much appreciate any help to understand IP addresses better than I do!

 

A financial account of mine has been hacked and money stolen. I'm trying to find when the security on the account was first breached and someone managed to obtain my correct login details.

 

I have a list of logins to the account, given to me by the account provider, and two (and only two) out of over a hundred are from foreign IP addresses (Romania, Indonesia) as opposed to addresses in the UK, where I was resident throughout the relevant period.

 

My question: Is there any conceivable way I myself could have made a legitimate login from either address? E.g., could my UK provider (then Plusnet) have somehow routed my UK internet activity via either foreign country for some reason? Or must the logins have been by someone in those countries, or at least someone using a proxy to pretend to be so? I myself have never knowingly used a VPN or proxy, so that can't be the explanation.

 

Thanks for any help with this; your answer could be crucial in helping to discover who was responsible for this security lapse.

 

Edit: Split off from another topic. This will eliminate confusion between two problems.

Roger


Edited by rotor123, 02 June 2013 - 10:49 AM.



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,122 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 June 2013 - 06:28 AM

If you were the victim of an Internet scam, fraud, hacking or identity theft, banking and credit card institutions should be notified immediately of the possible security breach. You should also file a report with your local law enforcement agency which most likely will have a Cyber Unit specializing in tracking down hackers. Failure to notify your financial institution and local law enforcement may result in the bank refusing to reimburse funds lost due to fraud and similar criminal activity. For more detailed instructions as to what you should do, please read: Filing a Report
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 ThisIsTheIdea

ThisIsTheIdea
  • Topic Starter

  • Members
  • 2 posts

Posted 04 June 2013 - 02:30 PM

Thanks for that thorough post. Much helpful information there.

 

But on my specific question, I'm still looking for an answer.

 

Is the ONLY possible explanation of a login from a foreign IP address (Romania and Indonesia in this case) that some unauthorised person has accessed my account from that country?

 

Or is it possible my internet provider might somehow route me via a foreign IP address, for whatever reason?

 

The answer could be absolutely critical in determining whether I can show that the e-wallet provider in question was responsible for allowing my account to be hacked.

 

Thanks in advance for any knowledgeable help.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,122 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 June 2013 - 09:33 PM

I am not familiar with your UK provider (Plusnet) or how they specifically operate over there. Neither their website nor Wikipedia provides sufficient information. However, Wikipedia did include this note:
 

Webmail security breach
At the beginning of May 2007 Plusnet suffered an attack on its web-based email system which was due to a previously unidentified vulnerability in the third-party software that was being used. Users accessing the webmail system may have been exposed to a trojan, although no reports of this surfaced. This trojan will have been ineffective on a fully patched Windows machine running regularly updated anti-virus software, or on non-Windows machines. A list of email addresses was harvested from the webmail platform and put into use by one or more third parties to send spam. These addresses included the user's own webmail address, as well as email addresses used previously and entries in the online address book. Users who connected to the specific webmail server that was attacked may have had their login details skimmed, although the purpose of the attack seems to have been simply to harvest email addresses.

Wikipedia: Plusnet

This Web mail Incident Report is where Plusnet explained to their customers what happened and what they did to resolve the problem and prevent something similar in the future. IMO those steps were not very thorough but then again they are not providing specifics in public most likely to prevent the criminals from reading that same information. It has been several years since that incident and it's always possible they could have been compromised again which in turn would compromise their customers. It's also possible another servicing ISP they work with could have been compromised.

Generally an ISP provides Internet services through a data center which houses all of the company's servers and networking equipment. They usually purchase telecommunication lines from local telecommunications utilities in order to transmit traffic to larger Tier-1 or Tier-2 ISPs and become part of their network. In a nutshell, all this is a network of networks. There is no way for me to know what companies are all involved, where they are located, what security measures each has in place, etc. Thus, I don't have enough information to draw any conclusions that Plusnet is at fault. A thorough investigation by a federal agency via local law enforcement would have more resources to gather the necessary information to answer your question.

It's also possible that only your computer was hacked. Romania and Indonesia are notorious places for attackers to work in search of vulnerable computers. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and make repeated attempts to access them. Once a computer is compromised an attacker could access all of your personal information, including logins, passwords, etc.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

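An added example, not part of the posts above: one way to see the port probing and repeated access attempts described in post #4 from the defender's side is to review dropped inbound packets in a firewall log. The sketch assumes Windows Firewall logging of dropped packets in the standard `pfirewall.log` field order; the log lines, addresses (documentation ranges) and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample using the Windows Firewall log (pfirewall.log) field order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-06-01 10:00:01 DROP TCP 203.0.113.7 192.168.1.10 40001 21 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:00:02 DROP TCP 203.0.113.7 192.168.1.10 40002 22 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:00:03 DROP TCP 203.0.113.7 192.168.1.10 40003 23 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:00:04 DROP TCP 203.0.113.7 192.168.1.10 40004 135 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:00:05 DROP TCP 203.0.113.7 192.168.1.10 40005 445 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:05:00 DROP TCP 198.51.100.20 192.168.1.10 51000 3389 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:05:01 DROP TCP 198.51.100.20 192.168.1.10 51001 3389 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:05:02 DROP TCP 198.51.100.20 192.168.1.10 51002 3389 60 S 0 0 8192 - - - RECEIVE
2013-06-01 10:06:00 ALLOW TCP 192.168.1.10 192.0.2.80 49200 443 0 - 0 0 0 - - - SEND
"""

def parse_inbound_drops(log_text):
    """Yield (timestamp, src_ip, dst_port) for dropped inbound packets."""
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 17:
            continue  # header, blank or truncated line
        if f[2] != "DROP" or f[16] != "RECEIVE" or not f[7].isdigit():
            continue  # allowed/outbound traffic, or no port (e.g. ICMP)
        yield datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"), f[4], int(f[7])

def find_probing_sources(log_text, min_ports=5, min_repeats=3,
                         window=timedelta(seconds=60)):
    """Label sources as 'port-sweep' (many ports) or 'repeated-attempts' (one port)."""
    events = defaultdict(list)
    for ts, src, port in parse_inbound_drops(log_text):
        events[src].append((ts, port))
    findings = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the time window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                findings[src] = ("port-sweep", sorted(ports))
                break
            if end - start + 1 >= min_repeats and len(ports) == 1:
                findings.setdefault(src, ("repeated-attempts", sorted(ports)))
    return findings

print(find_probing_sources(SAMPLE_LOG))
```

Dropped probes like these are routine background noise on any Internet-facing address; they show that scanning happened, not that a break-in succeeded.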



