fraud fraud fraud

Craig234

So I just got an e-mail from the bank fraud department asking if a charge over $800 is valid.

It's not, I clicked no, it said 'this e-mail has already had a response' and gave a phone number.

I checked and there's also a charge for over $1300. I called them, and they said yes, they got a response confirming the purchase four minutes after the fraud alert was sent from my account.

They also had a request to pre-approve a $2500 charge. So I had them cancel that account.

What I was curious about was how my e-mail would have been compromised. It's not an easy password to guess and I run malwarebytes from time to time to check on things like keyloggers.

One odd thing, I have been getting periodic messages for months about unauthorized login attempts that look legitimate, but ignored them - who knows. Guess there was more to it.

So I ran Malwarebytes again, nothing found, changed the password, and checked the account recent activity.

It shows every few days, some sort of login attempt from a different country, all unsuccessful - but nothing today to explain how they'd have been on my account and responded to that e-mail.

In fact here's the list below, with my e-mail removed, no successful logins (I've been logged in for months, so it doesn't show me logging in):

Protocol: IMAP
IP: 141.168.149.22
Time: 4 hours ago
Approximate location: Australia
Type: Unsuccessful sync

Protocol: IMAP
IP: 2001:e68:5050:4d39:1e5f:2bff:fe00:e880
Time: 10/21/2018 3:40 PM
Approximate location: Malaysia
Type: Unsuccessful sync

Protocol: IMAP
IP: 200.7.158.71
Time: 10/20/2018 11:02 AM
Approximate location: Argentina
Type: Unsuccessful sync

Protocol: IMAP
IP: 223.204.198.82
Time: 10/20/2018 11:02 AM
Approximate location: Thailand
Type: Unsuccessful sync

Protocol: IMAP
IP: 200.7.158.71
Time: 10/20/2018 11:02 AM
Approximate location: Argentina
Type: Unsuccessful sync

Protocol: IMAP
IP: 185.138.133.65
Time: 10/20/2018 11:02 AM
Approximate location: Palestinian Authority
Type: Unsuccessful sync

Protocol: IMAP
IP: 2001:e68:5087:650:12be:f5ff:fe31:28e0
Time: 10/17/2018 4:03 PM
Approximate location: Malaysia
Type: Unsuccessful sync

Protocol: IMAP
IP: 2001:e68:504c:b033:12be:f5ff:fe29:29b0
Time: 10/13/2018 4:49 PM
Approximate location: Malaysia
Type: Unsuccessful sync

Protocol: IMAP
IP: 36.82.101.141
Time: 10/10/2018 11:23 AM
Approximate location: Indonesia
Type: Unsuccessful sync

Protocol: IMAP
IP: 125.166.116.230
Time: 10/10/2018 11:23 AM
Approximate location: Indonesia
Type: Unsuccessful sync

Protocol: IMAP
IP: 27.72.73.180
Time: 10/10/2018 11:23 AM
Approximate location: Vietnam
Type: Unsuccessful sync

Protocol: IMAP
IP: 223.24.22.36
Time: 10/10/2018 11:23 AM
Approximate location: Thailand
Type: Unsuccessful sync

Protocol: IMAP
IP: 175.140.82.24
Time: 10/7/2018 1:33 AM
Approximate location: Malaysia
Type: Unsuccessful sync

Protocol: IMAP
IP: 177.11.244.42
Time: 10/4/2018 9:09 PM
Approximate location: Brazil
Type: Unsuccessful sync

Protocol: IMAP
IP: 210.210.162.51
Time: 9/27/2018 7:39 PM
Approximate location: Indonesia
Type: Unsuccessful sync
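
The pattern visible in the activity list above (several failed IMAP attempts stamped with the same minute but coming from different addresses and countries) can be pulled out mechanically. This is an added example, not part of the original post: the function names and the sample records are constructed, with documentation-range IPs in place of the posted ones.

```python
from datetime import datetime

# Constructed sample in the layout of the activity list above; IPs are placeholders.
SAMPLE = """\
Protocol: IMAP
IP: 192.0.2.10
Time: 4 hours ago
Approximate location: Australia
Type: Unsuccessful sync

Protocol: IMAP
IP: 198.51.100.7
Time: 10/20/2018 11:02 AM
Approximate location: Argentina
Type: Unsuccessful sync

Protocol: IMAP
IP: 203.0.113.82
Time: 10/20/2018 11:02 AM
Approximate location: Thailand
Type: Unsuccessful sync

Protocol: IMAP
IP: 2001:db8:5050::e880
Time: 10/17/2018 4:03 PM
Approximate location: Malaysia
Type: Unsuccessful sync
"""

def parse_activity(text):
    """Turn blank-line-separated 'Key: value' records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        try:  # relative times such as '4 hours ago' cannot be bucketed by minute
            rec["when"] = datetime.strptime(rec.get("Time", ""), "%m/%d/%Y %I:%M %p")
        except ValueError:
            rec["when"] = None
        records.append(rec)
    return records

def coordinated_bursts(records, min_sources=2):
    """Map each minute with failures from >= min_sources distinct IPs to its locations."""
    buckets = {}
    for r in records:
        if r["when"] and r.get("Type", "").startswith("Unsuccessful"):
            buckets.setdefault(r["when"], []).append(r)
    return {t: sorted({r["Approximate location"] for r in rs})
            for t, rs in buckets.items() if len({r["IP"] for r in rs}) >= min_sources}
```

Failures that share a minute but not a source address are what a distributed password-guessing run against the mailbox looks like in this kind of log; a lone failure with its own timestamp is not flagged.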
 

UsandThem

The compromise might not even have originated from your PC. One of the companies you have business with could have had their systems compromised.

But yeah, ignoring unsuccessful login attempts for months was not a great move. You should have talked to your bank and had your account / debit card changed. Also, it is never a good idea to click on links, attachments, or buttons in emails as it could not be legitimate email and could open yourself to malware, loggers, viruses, or skim your login credentials by taking you to a non-legit site.
 

Carson Dyle

Are you quite sure the email was from your bank? Did you call the number in the email, or did you call another number that you had on hand for your bank?

When you say you "checked" your account, was that over the phone with whoever you were talking to, or was it online, in the way you normally check your bank account?
 

Craig234

> The compromise might not even have originated from your PC. One of the companies you have business with could have had their systems compromised.
>
> But yeah, ignoring unsuccessful login attempts for months was not a great move. You should have talked to your bank and had your account / debit card changed. Also, it is never a good idea to click on links, attachments, or buttons in emails as it could not be legitimate email and could open yourself to malware, loggers, viruses, or skim your login credentials by taking you to a non-legit site.

Well, the unauthorized attempts on e-mail weren't linked to any financial institutions - but as soon as this happened, as I said, the card was cancelled and they credit the amounts.

I generally don't click on such things, and doubt that was the source. It's still a mystery how the bank could have sent an e-mail for confirmation, and without any record on the account of having logged in, they responded to the e-mail.

The e-mail address is changed just in case, but there's not much I can do about an automated attempt to log in.
 

Jaskalas

Was the old password to the e-mail address used for any websites, at any time in the past?

I ended up using a unique sentence I don't use anywhere else for my primary e-mail.
 

UsandThem

> Yes. But that doesn't explain how they got the credit card info, which isn't mentioned in e-mail.

There have been so many data breaches at places like Target, Home Depot, Newegg, Fifth Third Bank, one of the credit agencies, IRS, etc., it's not a surprise your credit card info showed up somewhere. I've had to change my credit and debit cards at least 3 times in the last 4 years.

You will never likely know when it was compromised, but you now know it is.
 

UsandThem

> Because someone used your cards, or because you read about a data breach in the news?

My bank sent me letters saying they detected some type of fraud, so they issued me new cards. One of them was likely from using my card in Home Depot.

However, once I decided to have my card replaced because of the Target breach (where the hackers were able to get the card number, pins, and personal info from the "Red Card" discount where you linked your bank to it).
 

Craig234

> There have been so many data breaches at places like Target, Home Depot, Newegg, Fifth Third Bank, one of the credit agencies, IRS, etc., it's not a surprise your credit card info showed up somewhere. I've had to change my credit and debit cards at least 3 times in the last 4 years.
>
> You will never likely know when it was compromised, but you now know it is.

The mystery is that both the credit card AND my e-mail are apparently compromised, which couldn't happen without a keylogger I've checked for and didn't find, AND how they were able to reply to a bank e-mail confirming a fraudulent charge without any record of the login.
 

Craig234

> My bank sent me letters saying they detected some type of fraud, so they issued me new cards. One of them was likely from using my card in Home Depot.
>
> However, once I decided to have my card replaced because of the Target breach (where the hackers were able to get the card number, pins, and personal info from the "Red Card" discount where you linked your bank to it).

This was specifically tied to three fraudulent uses of the card, though, not a general situation like a data breach.
 

UsandThem

> This was specifically tied to three fraudulent uses of the card, though, not a general situation like a data breach.

???

It was tied to hackers/malware getting into the payment processing / store software. When they tried to charge my card, it must have been a foreign transaction attempt which triggered a fraud alert at my bank.

Concerning them having your email address as well, I'm sure you're signed up for emails, promotions, loyalty cards, or even the email attached to the card with your online account. If you think you have a key logger on your PC, you should format it, and install a good security software. From there, only go to sites you know are 100% safe, and don't click on emails.

Anyways, good luck on figuring everything out, as I am outta here! :)
 

Carson Dyle

> The mystery is that both the credit card AND my e-mail are apparently compromised, which couldn't happen without a keylogger I've checked for and didn't find, AND how they were able to reply to a bank e-mail confirming a fraudulent charge without any record of the login.

Good questions. Sounds too coincidental to me to have actually happened.

Does your bank actually use email to confirm a credit card charge? Why did they feel a need to confirm it in the first place?

Are you SURE your fraud email originated from your bank? Please check your online account and see whether or not it's closed, as you think. Or whether something else has happened to it.
 

Craig234

> ???
>
> It was tied to hackers/malware getting into the payment processing / store software. When they tried to charge my card, it must have been a foreign transaction attempt which triggered a fraud alert at my bank.
>
> Concerning them having your email address as well, I'm sure you're signed up for emails, promotions, loyalty cards, or even the email attached to the card with your online account. If you think you have a key logger on your PC, you should format it, and install a good security software. From there, only go to sites you know are 100% safe, and don't click on emails.
>
> Anyways, good luck on figuring everything out, as I am outta here! :)

No, not have my e-mail address, but *respond to an e-mail from my bank confirming a purchase*, without leaving any login history, implying they have the e-mail password, AND how did they not leave a login history? I don't think I have a keylogger - I said that's the only way I see for this to happen and Malwarebytes did not find one.
 

Lanyap

Check for rootkits. Use several different free anti-rootkit softwares. Malwarebytes has a stand alone anti-root kit prog.