Am I infected (Wachovia Alerts)?

 
 
Flycaster
      08-27-2006
I use Wachovia banking services. I received this apparent phishing
email. Inadvertently, I clicked on the "Learn and Activate Layerkey
Security" link. When the link opened in my browser (Maxthon), I didn't
activate Active-X, nor did I make any entries on the website. My
question is: Has a keylogger spy been dropped into my computer (XP with
all security updates, ZoneAlarm Free, AVG Free, Spywareblaster, Windows
Defender, Windows Malicious Software Remover, Adaware SE, Spybot)? All
security programs are updated daily. I ran all of them after I realized
my mistake and none have detected anything suspicious. Furthermore, I
ran Panda and Trend anti-virus free internet scans with nothing showing
up. If there is a keylogger still present on my computer, I'd like to
know its name and how to find it to get rid of it.

The copy of the email below doesn't show it, but the logo looks real and
from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.


-------- Original Message --------
Subject: Activate Security Alert for Account Protection
Date: Sun, 20 Aug 2006 10:13:20 +0200
From: Wachovia Alerts <(E-Mail Removed)>
To:



Home
Wachovia logo



Contact Us
24 hours a day
seven days a week
Wachovia Help Center

Related Links
Online Services Center
ONLINE SECURITY NOTIFICATION

Thank you for banking online at wachovia.com. We are constantly working
to increase security for our customers. Now we upgrade our security to
protect and identify in accessing online banking. The LayerKey is New
Wachovia Online Banking Security and free. It is important to recognize
your access and transaction through Wachovia Online Banking. You are
recommended to set up the upgrade security into your online banking.
Please follow the link below to introduce you how the security is working.
Learn and Activate LayerKey Security

We hope you continue to enjoy the convenience and ease of using Wachovia
Online Banking. To respond to this Alert, send a Secure Message by
logging in at wachovia.com and selecting "Send Message". Please do not
"Reply" to this message.

To change or cancel this service, log in to wachovia.com and select
"Alert Summary" in in the Alerts section.

Thank you for subscribing to Wachovia Alerts.


© 2006 Wachovia Corporation, 301 South College Street, Suite 4000, One
Wachovia Center, Charlotte, NC 28288-0013. All Rights Reserved.

Wachovia Bank, N.A. Member FDIC


Inside Wachovia | Privacy | Security | Legal | Merger
--
To email, erase "forgetit"
 
Flycaster
      08-27-2006
This site comments and shows a similar email:

http://www.millersmiles.co.uk/report/3241


--
To email, erase "forgetit"
 
Beauregard T. Shagnasty
      08-27-2006
Flycaster wrote:

> I use Wachovia banking services. I received this apparent phishing
> email. Inadvertently, I clicked on the "Learn and Activate Layerkey
> Security" link.


...which you did not include (the actual URL). Seeing it would be a great
help in answering your question.

<snip>
> The copy of the email below doesn't show it, but the logo looks real and
> from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.
>
> -------- Original Message --------
> Subject: Activate Security Alert for Account Protection
> Date: Sun, 20 Aug 2006 10:13:20 +0200
> From: Wachovia Alerts <(E-Mail Removed)>
> To:


The full headers would also probably help.

> Home
> Wachovia logo <--- easily spoofed
>
>
>
> Contact Us
> 24 hours a day
> seven days a week
> Wachovia Help Center
>
> Related Links
> Online Services Center
> ONLINE SECURITY NOTIFICATION
>
> Thank you for banking online at wachovia.com. We are constantly working
> to increase security for our customers. Now we upgrade our security to
> protect and identify in accessing online banking. The LayerKey is New
> Wachovia Online Banking Security and free. It is important to recognize
> your access and transaction through Wachovia Online Banking. You are
> recommended to set up the upgrade security into your online banking.
> Please follow the link below to introduce you how the security is working.
> Learn and Activate LayerKey Security


Apparently this is the text version of the email. Look in the HTML
version (by viewing source) to see what the link *really* is.

> We hope you continue to enjoy the convenience and ease of using Wachovia
> Online Banking. To respond to this Alert, send a Secure Message by
> logging in at wachovia.com and selecting "Send Message". Please do not
> "Reply" to this message.


While this requests you log in to their site to respond, we still can't
tell without seeing the actual source of the email.

<snip rest>

--
-bts
-Motorcycles defy gravity; cars just suck.
 
Flycaster
      08-27-2006
Here's the actual link to "Learn and Activate LayerKey Security." This
is the link that I opened in Maxthon, but didn't activate Active-X, nor
did I make any entries. Can you tell if this was enough to place a
keylogger onto my computer? Wachovia said that it was, but I'm not so
sure. I'll be talking to their IT people on Monday (I hope), but would
like to clear this up asap.

http://wachoviaonline.notlong.com/au...ion=returnHome


--
To email, erase "forgetit"
 
Mike Easter
      08-27-2006
Flycaster wrote:
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)

Your newsagent is Tbird, presumably your mailuseragent mua is too.

> I received this apparent phishing
> email.


But you are showing us the rendered html. That isn't useful for
accessing the page which is in the link which renders as 'Learn and
Activate LayerKey Security'. Whenever we are discussing spam/phish the
important elements are generally the complete headers and the unrendered
or raw spambody, which actually shouldn't be displayed in a newsgroup
like this.

For discussing spam/phish it is better to display the raw spam elsewhere
and make a link to it and discuss it in a discussion group like this or
some other. Raw spam can be displayed in the newsgroup
news.admin.net-abuse.sightings, the guidelines for posting are here
http://www.killfile.org/~tskirvin/faqs/nanas.html NANAS FAQ

There are other methods, posting it on a website in raw form,
registering to be a spamcop reporter and feeding it to the parser and
copying the parser's tracking url.

What you would post in one of those places is accessed in Tbird by using
its ctrl-U function which is View menu/ Message source item.

> Inadvertently, I clicked on the "Learn and Activate Layerkey
> Security" link.


You shouldn't be getting spam/phish in your Inbox with goodmail in the
first place. You shouldn't be opening spam/phish in the 2nd place. You
shouldn't be clicking on spamphish links in the 3rd place. If your mail
management were being handled correctly, this would never have happened
'inadvertently' or otherwise.

> When the link opened in my browser (Maxthon), I
> didn't activate Active-X, nor did I make any entries on the
> website.


Depending upon your insecurities, there are sometimes problems which
begin when you open the mail before you start clicking on bad things.

> My question is: Has a keylogger spy been dropped into my
> computer


Probably not, but that is impossible to tell from here.

> scans with nothing showing up. If there is a keylogger
> still present on my computer, I'd like to know its name and how to
> find it to get rid of it.


Of course you would.

> The copy of the email below doesn't show it,


The rendered html is useless for this discussion except to show what was
seen when rendered, which is just the phishing words.


--
Mike Easter
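
An added example, not part of any post in this thread: the check both replies above describe (read the message source and see where the link really goes), done in Python over a constructed message. Only the notlong.com host comes from the thread; the sender address, the wachovia.com link and the function names are assumptions made for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed raw message source (what ctrl-U shows). Only the notlong.com
# host is from the thread; the sender and the wachovia.com link are made up.
RAW_MESSAGE = """\
From: Wachovia Alerts <alerts@example.invalid>
Subject: Activate Security Alert for Account Protection
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Learn and Activate LayerKey Security

--b1
Content-Type: text/html; charset="us-ascii"

<a href="https://www.wachovia.com/contact">Contact Us</a>
<a href="http://wachoviaonline.notlong.com/">Learn and Activate LayerKey Security</a>

--b1--
"""

class AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host_matches(host, trusted_domain):
    """True only for the trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)

def audit_links(raw_message, trusted_domain):
    """Yield (visible text, real host, trusted?) for each link in the HTML part."""
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, errors="replace")
            collector = AnchorCollector()
            collector.feed(html)
            for text, href in collector.links:
                host = urlsplit(href).hostname
                yield text, host, host_matches(host, trusted_domain)

if __name__ == "__main__":
    for text, host, trusted in audit_links(RAW_MESSAGE, "wachovia.com"):
        print("ok      " if trusted else "MISMATCH", host, "<-", text)
```

The plain-text part carries only the link's wording, which is why the copy pasted into the thread showed no address. The HTML part shows a host ending in notlong.com, so the "wachoviaonline" label in front of it says nothing about who runs the site.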

 
Beauregard T. Shagnasty
      08-27-2006
Flycaster wrote:

> Here's the actual link to "Learn and Activate LayerKey Security." ..
>
> hxxp://wachoviaonline.notlong.com/


See? There is your answer. notlong.com ? <har!>

Oh, I just saw your other post. Don't change the subject line; it makes
it appear as a new thread, unrelated to this one.

--
-bts
-Motorcycles defy gravity; cars just suck.
 
Mike Easter
      08-27-2006
Flycaster wrote:
> Here's the actual link to "Learn and Activate LayerKey Security."
> This is the link that I opened in Maxthon, but didn't activate
> Active-X, nor did I make any entries. Can you tell if this was
> enough to place a keylogger onto my computer? Wachovia said that it
> was, but I'm not so sure. I'll be talking to their IT people on
> Monday (I hope), but would like to clear this up asap.
>
> http://wachoviaonline.notlong.com/au...ion=returnHome

That link is now redirecting to
http://www.r2convergence.com/website...ion=returnHome
....

wachoviaonline.notlong.com is 206.111.205.169 and getting its
nameservice from
ns.level22.com A (Address) 206.111.205.169

The webserver at that IP is handling 28 other domainnames [more or
less], one of which is level22.com

and the domain registration for both at dotster is concealed by the same
privacy service information.

I can't see what was going on at the webpage that you accessed with your
browser then, now.


--
Mike Easter

 
Flycaster
      08-27-2006
I do appreciate your efforts in trying to help me, but you are obviously
much more advanced than I can quite comprehend. Do you think that you
could dummy things down a bit and guide me as to what I should do in a
more simplified manner?

--
To email, erase "forgetit"
 
Mike Easter
      08-27-2006
Flycaster wrote:
> I do appreciate your efforts in trying to help me, but you are
> obviously much more advanced than I can quite comprehend. Do you
> think that you could dummy things down a bit and guide me as to what
> I should do in a more simplified manner?


To show/see a spam source use ctrl-U in Tbird - that gives complete
headers and unrendered html.

Don't post complete raw html spam in this ng, post it in sightings
according to this faq http://www.killfile.org/~tskirvin/faqs/nanas.html
and then we can see the whole thing if you give an access like a message
id. In this case you have already posted the important info for your
question, namely the link in its unrendered condition.

Configure your system so that such spam/phish doesn't get into your
Inbox in the first place so that you won't see it or handle it without
already knowing that it is spam. A good spamfilter tagger is SpamPal at
http://spampal.org SpamPal is a mail classification program that can
help separate your spam from the mail you really want to read.

Another issue is how to carry on a conversation in a ng by attributing,
citing, trimming, and contextualizing
http://members.fortunecity.com/nnqweb/nquote.html Quoting Style in
Newsgroup Postings

And, if you read the links I post, they will explain things in more
detail. You need more detail not less. That way you can smart up
instead of dumbing something down.


--
Mike Easter

 
Meat Plow
      08-28-2006
On Sun, 27 Aug 2006 10:59:28 -0700, Mike Easter Has Frothed:

> Flycaster wrote:
>> I do appreciate your efforts in trying to help me, but you are obviously
>> much more advanced than I can quite comprehend. Do you think that you
>> could dummy things down a bit and guide me as to what I should do in a
>> more simplified manner?

>
> To show/see a spam source use ctrl-U in Tbird - that gives complete
> headers and unrendered html.
>
> Don't post complete raw html spam in this ng, post it in sightings
> according to this faq http://www.killfile.org/~tskirvin/faqs/nanas.html
> and then we can see the whole thing if you give an access like a message
> id. In this case you have already posted the important info for your
> question, namely the link in its unrendered condition.
>
> Configure your system so that such spam/phish doesn't get into your Inbox
> in the first place so that you won't see it or handle it without already
> knowing that it is spam. A good spamfilter tagger is SpamPal at
> http://spampal.org SpamPal is a mail classification program that can help
> separate your spam from the mail you really want to read.
>
> Another issue is how to carry on a conversation in a ng by attributing,
> citing, trimming, and contextualizing
> http://members.fortunecity.com/nnqweb/nquote.html Quoting Style in
> Newsgroup Postings
>
> And, if you read the links I post, they will explain things in more
> detail. You need more detail not less. That way you can smart up instead
> of dumbing something down.


You know what, go **** yourself you condescending prick. I thought the OP
did just fine. It's you who needs to smart up as you put it.

--

Pierre Salinger Memorial Hook, Line & Sinker, June 2004
 