Last Friday while doing some online banking, I noticed two transactions I'd made recently, one a withdrawal and the other a deposit. The transaction amounts were accurate, and so were the dates. The records even referenced a phone number -- complete with a hyperlink -- that I could click on to make a Skype call to that number.
The only problem was that the records stated that the transactions had taken place in the United Kingdom. I haven't been to the U.K. In fact, both transactions were made at the same Chase ATM in a Dominick's store in Oswego, Illinois.
I called Chase customer service and explained the situation to a customer service rep, who was equally puzzled about what was going on. She accessed my account and assured me she didn't see the U.K. references I could see on my computer. She asked me for a screen shot, which I e-mailed to her so she could verify what was going on. After taking a look at my screen grab, she expressed bafflement, urged me not to click on any links on my screen and transferred me to another rep. He, too was unable to explain what was going on, but assured me that my account didn't appear to be compromised. He told me to change my username and password, offered to cancel my debit card if I wanted to, and gave me his direct line in case I noticed anything else weird.
Changing my username and password made no difference. Then, I did a little checking -- and found that the only time the transactions showed up weirdly was when I used Internet Explorer 7. The screen sort of briefly flickered after I'd logged in and a number with a +44 country code for Great Britain and a hyperlinked "Call" appeared under each of the two transactions.
When I logged in with Firefox, the transactions looked just like every other record, showing the date, the kind of transaction (ATM withdrawal or deposit or point-of-sale) and a reference number. I accessed the account from another computer, first using IE 6 and then using Firefox and everything appeared to be in order.
By now I was thinking maybe the first computer had been infected by a nasty Trojan exploiting an IE7 vulnerability to inject its own code into the bank's traffic and display it on my browser. I also wondered how a seemingly secure banking transaction at one of the largest banks in the U.S. could be co-opted this way. No doubt, with more and more people scrutinizing their online accounts in the wake of a rash of data breaches, I'm not alone in trying to spot anomalies.
Unlike most people, however, I'm regularly in touch with security researchers, so I called several and explained my plight. Their guess: My computer might have indeed been compromised; what I was seeing could well be a classic man-in-the-middle attack or a phishing handoff.
Don Jackson, a security researcher at SecureWorks, told me that several Trojans are floating around online that do just what I had described. The attacks usually target IE. Such Trojans usually hook into browser and network code then install themselves as a browser helper object or as a layered service provider that intercepts network traffic -- even traffic protected by SSL encryption, he said. The Trojans are programmed to do a "find and replace" function for certain transaction details such as destination routing and account numbers. Sources are often changed to hide the activity from the victim or to defeat bank-end fraud-detection mechanisms.
"Often, these find-and-replace functions are custom-coded modules that are developed by the bad guys and downloaded to an existing Trojan infection," Jackson said. The Trojans are designed to capture logs and to reverse-engineer the transaction used by a bank's online applications to find out what data to change to funnel money to themselves. One example of this kind of a Trojan is Torpig, which has mainly targeted customers of European banks but has started to target U.S. bank customers. Another example is called Sinowall.