MSN favorites Link Gives Malware Popup 'Windows Security'???

emtee3511
Senior Member
Posts: 842
Joined: Mon Jan 21, 2008 1:40 pm
Location: Howell, New Jersey

#1 Post by emtee3511 » Fri Jul 08, 2011 1:35 pm

I googled and couldn't ask my question clear enough to find any clearly related answer, so I'll ask here --

I have used MSN Premium DSL for about 8 years, so my home page/email/favorites basically haven't changed in that time except for various updates and additions.

I have lots of favorites on my msn home page, and two of them are for my bank -- one favorite is named CommerceTDBank, and the second is named just TDBank -- both favorite links go to the same TD Bank website for secure login -- I've only had the first favorite/CommerceTDBank for about three or four years because that is when I opened the account -- the second favorite/TDBank for about two years --

So I clicked my CommerceTDBank favorite link last night and a "Windows Security" popup asked for my username and password, showing that after I filled in the box it would take me to the linked website -- I immediately used task manager to exit the msn browser and close the popup --

I logged back into msn and opened my favorites -- clicked on half a dozen, including the second TDBank favorite and each one immediately took me to the correct website with no 'Windows Security' popup --

So I tried the first CommerceTDBank favorite again -- got same malware popup 'Windows Security' -- and again used task manager to exit -- logged back on, deleted the offending msn favorite -- closed browser -- ran MalwareBytes and then McAfee -- all came up clean -- Turned off restore, used ccleaner, and then restarted machine -- turned restore back on -- logged into msn browser, went to my TDBank site and created a new favorite, which works perfectly --

But here's the deal -- each of my computers has my msn premium installed with the same info, and usually when I change a favorite on one machine, it translates to each of my machines -- But when I opened each of my other machines and clicked on CommerceTDBank favorite, the same malware 'Windows Security' appears -- causing me to scan (each scan comes up clean) and then use ccleaner and clear restore and replace with new favorite link -- All the machines are home networked --

I'm trying to understand how only one favorites link on my msn premium had the 'Windows Security' malware -- and also trying to understand how each machine has the same infected link, especially when nothing shows in a scan --

Bottom line question -- what are the ways I could have gotten an infected msn favorites link?
emtee3511
X201-3680-AL6 + X200.1s-5143-CTO + X200-7459-BW3(AFFS-Glossy)
+ X1 Carbon-3rd Gen 20BT-S22 + X1 Carbon-1st Gen 3444-B8U
+ X100e-3508-CTO
+ W510-4391-C52(FHD-Glossy)+ W520-4276-37U

TTY
Senior Member
Posts: 527
Joined: Tue Aug 28, 2007 7:39 pm
Location: graz, austria

#2 Post by TTY » Sat Jul 09, 2011 10:17 am

I don't use msn myself, but if I understand correctly, we're talking about favorites on your personal msn home page, and not about favorites in your browser? Anyway, the safest way to access online banking is to enter the bank's URL manually into the browser's address field every time you want to log in. Then navigate to online banking on the bank's homepage and log in with user name and password. It's not a good idea to trust anybody's website with financial transaction favorites. If you absolutely can't be bothered to enter the bank's URL every time, it might be a better idea to store a bookmark to online banking locally in your browser (on your computer) rather than on the msn website. But even browser bookmarks can probably be manipulated by malware. Therefore, the safest way is to enter the bank's URL by hand every time you need to log in.

#3 Post by emtee3511 » Sat Jul 09, 2011 10:42 am

Thanks very much TTY for that info. I really try to 'safe surf' and I thought
my favorites/bookmarks were safe. I will start putting in URL's by hand on
secure sites from now on. :?

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

#4 Post by ThinkRob » Sun Jul 10, 2011 10:59 am

Always type in your bank's URL manually, and always type the whole thing, including "https". If you don't, and you're at a coffee shop or place with open WiFi, I can trivially intercept your banking session and do as I please with it.

Example:

Don't type:

Code:

bankofamerica.com

Instead, type:

Code:

https://www.bankofamerica.com

Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Code:

Current laptop: X1 Carbon 3
Current workstation: none

#5 Post by emtee3511 » Sun Jul 10, 2011 11:05 pm

Thanks ThinkRob -- each little bit of info is making me safer online -- I was just inputting 'mybank'dot com and then clicking on the login icon -- when I put https: // www dot mybank dot com, it took me straight to the login screen -- :thumbs-UP:

ozzymud
Senior Member
Posts: 590
Joined: Sun Apr 03, 2011 3:38 pm
Location: Klamath Falls, OR

#6 Post by ozzymud » Mon Jul 11, 2011 8:29 am

And just to be ultra safe, look for the "lock" or in firefox the secure browsing indicator...

http://www.workingpoint.com/wp-content/ ... _https.jpg

http://www.ghacks.net/wp-content/upload ... 00x154.png

Using bookmarks or just typing bankofamerica.com(which auto redirects to https://www.bankofamerica.com/ in Firefox at least) is fine, as long as you see the https:// in the address bar and the lock and secure browsing indicator before entering any personal info/passwords/etc.

Also keep in mind when using unsecure networks your usage of e-mail and IM, make sure e-mail is either https web based or using an SSL/TLS connection in a stand alone client.

And don't chat about stuff that you don't want people seeing in an IM client without SSL support.
(2)701C,(1)760EL,(6)760XL,(1)760XD
(4)CD Drives (5)int floppies (3)ext floppy (4)2.1GB
(10)CF/IDE w/2 or 4GB 133x CF (1)760XL restore CD
(1)Belkin USB 2.0 32bit Cardbus (2)WPC54G(S) Wifi Cardbus
(1)Belkin F5D5020 NIC (1)Giga-Byte GN-WLM01 Wifi
(1)Backpack CD (1) Xircom REM56G-10 + misc

#7 Post by ThinkRob » Mon Jul 11, 2011 10:37 am

ozzymud wrote: Using bookmarks or just typing bankofamerica.com(which auto redirects to https://www.bankofamerica.com/ in Firefox at least) is fine, as long as you see the https:// in the address bar and the lock and secure browsing indicator before entering any personal info/passwords/etc.

No, it's not. Please ignore the above advice if you want to stay secure.

If you type in "bankofamerica.com", your browser will:

1) Issue a DNS request for the A record of bankofamerica.com.
2) Pick a host from the answer.
3) Make an HTTP request for '/' to the host selected in step #2.

Now often, when there's not a malicious piece of software trying to screw you over, that's fine. Your browser will issue a GET request for / and you'll get back:

Code:

HTTP/1.0 301 Moved Permanently
Location: http://www.bankofamerica.com:
Server: BigIP
Connection: close
Content-Length: 0

No problem there. You'll then resolve the hostname and make a similar request to http://www.bankofamerica.com, and get back another similar redirect to "https://www.bankofamerica.com".

Now as an attacker, this is GREAT. I can attack this in several ways:

1) I can intercept and modify the response to your first DNS query. Your browser will think that I'm "bankofamerica.com", and from then on I've got you.
2) I can intercept and modify the server responses from either bankofamerica.com or http://www.bankofamerica.com. I can return a login page that looks identical to the BoA one -- except instead of submitting your username and password to BoA, it'll submit it to me.
3) I can use something like sslstrip to try to force your browser to submit your credentials in plaintext. This might not be possible depending on your bank's site, but it could well be -- there are some pretty high-profile targets that are vulnerable to this. If this works, you'd never notice anything amiss -- you'd log in and use the site just fine, except you would have exposed your login information to yours truly.

So please, either bookmark "https://www.bankofamerica.com/" or type in the URL that way every time.

Love,
Your Friendly Nitpicking Security Geek

#8 Post by ThinkRob » Mon Jul 11, 2011 10:41 am

Also, the Firefox indicator that ozzymud linked to will only be displayed for certain SSL-enabled sites, specifically those with "Extended Validation" certificates. It is still possible -- and indeed quite common -- for sites not to have that type of certificate. In those cases, the indicator will look different (different color, and it will display the hostname), but you will still have your connection protected by SSL.

(As an aside, EV is mainly a money-making ploy for the certificate authorities, so I wouldn't worry too much if your bank doesn't have such a cert.)

#9 Post by emtee3511 » Mon Jul 11, 2011 10:23 pm

@ThinkRob "either bookmark "https://www.bankofamerica.com/" or type in the URL that way every time."

That's what confuses me -- my original msn bookmark was for "https://www. with my bank's name .com" -- I still wonder how the https bookmark became attached to the windows security malware -- now I am typing in the "https://www" url -- and again, thank you very much for the 'security geek' info :)

#10 Post by ThinkRob » Tue Jul 12, 2011 8:54 am

At the risk of sounding a little too distrusting -- the nuances of conversation are nigh impossible to master on forums -- are you sure that was the URL of the bookmark and not just the title?

If so, I can't imagine why MSE would flag the site.

Semi-related question: what browser do you use?

#11 Post by emtee3511 » Tue Jul 12, 2011 12:23 pm

MSE didn't flag the site -- on my.msn, I bookmarked the https url for my bank -- you can actually name the bookmark (msn calls it a favorite) anything you want -- I just named the bookmark my bank's name in my favorites list, but the link is my bank's https login screen -- of course the popup wanted me to input my username and password :BAAAD!:

Now is where I get fuzzy -- although there was/is no problem with any of my other bookmarks/favorites, (either https bookmarks or http bookmarks) -- when I click this one bookmark, the malware popup named "Windows Security" pops up -- this is not a new bookmark, it is one I have used for about three years --

I am sure I am not explaining this very clearly, but I am still confused as to how this bookmarked link picked up the malware --

I ended up deleting the link and scanning all my computers with Malwarebytes and McAfee -- neither scan picked up anything, but I'm still watching closely for anything else --

I thought I had understood the advice a few posts up that I always had to type in the url -- but then I think it was stated that it is ok to use my msn bookmark/favorite if it is for the https url and not for the http url --

I'm really just trying to understand and use 'best practice' and also am curious about how my bookmark picked up the "Windows Security" malware popup :?

#12 Post by emtee3511 » Tue Jul 12, 2011 12:24 pm

@ThinkRob -- I just noticed your question -- I use Internet Explorer 9

#13 Post by TTY » Tue Jul 12, 2011 1:18 pm

emtee3511 wrote: I still wonder how the https bookmark became attached to the windows security malware --

emtee3511, I took a look at the my.msn web page. It seems the web page recognizes individual users through cookies, possibly also through IP addresses. It would be sufficient if someone succeeded in reading the necessary cookies from your computer and then used these cookies for visiting the my.msn.com web page. Because your cookies are being used, the msn server might assume that it's you who are visiting. The perpetrator would be able to alter your favorite's URL, she or he would leave the name of the favorite unchanged. Next time you visit the my.msn.com site and click the online banking link, it doesn't take your browser to the banking site, but to a scam site that asks for the online banking username and password.

Therefore - don't use links to online banking (favorites) that you have stored on someone's website, such as my.msn.com.

Please be aware of the difference between
  • favorites stored on the msn web site and
  • favorites stored directly in your browser Internet Explorer 9.
To save a favorite directly in your browser, first type the URL in your browser, hit the enter key and wait until the browser displays the web site. Then click the star on the top right in Internet Explorer 9. A menu opens. In that menu, click "add to favorites". Next time you want to go to online banking, click the star in Internet Explorer 9. A menu opens. Click the online banking favorite in that menu.

To keep your computers safe:

Use a firewall. Your router probably has a firewall, Windows also has a firewall. You just need to turn on a firewall.

Use a Windows user account that has limited user privileges for everyday chores. Don't use an administrator account for everyday tasks.

If your email provider doesn't check incoming mails for malware on the mail server, make sure you have an anti virus program that checks incoming emails for malware. Make sure the virus definitions are updated frequently.

Turn on Windows Update, upgrade to Microsoft Update. Both are free. Make Microsoft Update search for updates and install them. Set Microsoft Update to install updates automatically.

Upgrade to the current version of Adobe Reader.

Upgrade to the current version of Adobe Flash Player.

Upgrade to the current version of Java Runtime Environment.

Make sure you have the latest version of your email client.

EDIT: If you're using a wireless network, turn on encryption. I believe WPA2 with a long password is good.
Last edited by TTY on Wed Jul 13, 2011 11:27 am, edited 4 times in total.

#14 Post by ThinkRob » Tue Jul 12, 2011 1:24 pm

Oh dear.

I didn't realize that when you said "bookmarks" you actually meant a link stored on someone else's server!

Don't do that. That's a bad idea.

Use real browser bookmarks. I'd also recommend switching to a more secure browser such as Chrome or Firefox.

#15 Post by ozzymud » Wed Jul 13, 2011 2:29 am

@ThinkRob: I still don't see how if I enter bankofamerica.com, and I then see the address bar change to read "https://www.bankofamerica.com" with all visual security identifiers showing an SSL connection, how this is different from bookmarking "https://www.bankofamerica.com"

If Firefox shows I connected to a secure SSL site with that site's address in the address bar what is different here?

#16 Post by ThinkRob » Wed Jul 13, 2011 8:37 am

ozzymud wrote: @ThinkRob: I still don't see how if I enter bankofamerica.com, and I then see the address bar change to read "https://www.bankofamerica.com" with all visual security identifiers showing an SSL connection, how this is different from bookmarking "https://www.bankofamerica.com"

If Firefox shows I connected to a secure SSL site with that site's address in the address bar what is different here?

Because there are two requests sent from your browser to BoA that are sent in the clear. I could modify either of those, and instead of having it take you to http://www.bankofamerica.com, and later https://www.bankofamerica.com, it could take you to, say, a page that exploits a hole in your browser to deposit a nice malicious bit of code and *then* redirects you to https://www.bankofamerica.com

Again: when you type "bankofamerica.com" into your address bar, at least the first back-and-forth request/response from your machine to the server are unencrypted.

Colonel O'Neill
ThinkPadder
Posts: 1359
Joined: Tue Oct 27, 2009 8:03 am
Location: Vancouver

#17 Post by Colonel O'Neill » Wed Jul 13, 2011 9:09 am

IIRC, there was a prefix or suffix character one could use to prevent a query, and directly head for the domain or something.
W520: i7-2720QM, Q2000M at 1080/688/1376, 21GB RAM, 500GB + 750GB HDD, FHD screen & MB168B+
X61T: L7500, 3GB RAM, 500GB HDD, XGA screen, Ultrabase
Y3P: 5Y70, 8GB RAM, 256GB SSD, QHD+ screen

#18 Post by ThinkRob » Wed Jul 13, 2011 9:28 am

Colonel O'Neill wrote: IIRC, there was a prefix or suffix character one could use to prevent a query, and directly head for the domain or something.

Yep:

https://www.

;)

(You might be thinking of a dot suffix, such as "www.bankofamerica.com.". That simply prevents resolution of the hostname within another domain, i.e. "www.bankofamerica.com.somethingelse.com" is not a valid answer.)

The problem here isn't that you're not "heading directly for the domain" -- you are indeed contacting BoA on the first request. The problem is that the first request will be sent in the clear, and *that's* the step at which I could modify BoA's response "in flight" as it were.

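Added example (not part of any poster's message): a small audit of the redirect chain described in posts #7 and #16, showing which hops travel unencrypted when a bare hostname is typed versus when the full https:// URL is used. The hostnames and the raw responses are constructed placeholders modelled on the 301 quoted in the thread.

```python
"""Audit a redirect chain for hops that travel in cleartext (added example)."""
from urllib.parse import urlsplit, urljoin

# Constructed sample data: raw responses keyed by the URL requested.
# The first one mirrors the 301 quoted in the thread; hosts are placeholders.
RESPONSES = {
    "http://bank.example/": (
        "HTTP/1.0 301 Moved Permanently\r\n"
        "Location: http://www.bank.example/\r\n"
        "Connection: close\r\nContent-Length: 0\r\n\r\n"),
    "http://www.bank.example/": (
        "HTTP/1.0 301 Moved Permanently\r\n"
        "Location: https://www.bank.example/\r\n"
        "Content-Length: 0\r\n\r\n"),
    "https://www.bank.example/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n<html>login</html>"),
}

def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def typed_to_url(typed):
    """A bare hostname typed into the address bar starts as plain HTTP."""
    url = typed if "://" in typed else "http://" + typed
    return url if urlsplit(url).path else url + "/"

def audit_chain(typed, responses, max_hops=10):
    """Follow redirects; return [(url, status, encrypted)] for each hop."""
    url, hops = typed_to_url(typed), []
    for _ in range(max_hops):
        status, headers = parse_response(responses[url])
        hops.append((url, status, urlsplit(url).scheme == "https"))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops

def cleartext_hops(typed, responses):
    """URLs whose request and response an on-path party could read or alter."""
    return [u for u, _, enc in audit_chain(typed, responses) if not enc]

if __name__ == "__main__":
    for typed in ("bank.example", "https://www.bank.example"):
        print(typed, "->", cleartext_hops(typed, RESPONSES) or "no cleartext hops")
```

The final address bar is identical in both cases; only the audit of the intermediate hops shows the two unencrypted exchanges that precede it when the scheme is left off.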