My father's Ebay account was taken over. We couldn't log on to his account until I reset the password, and there were 5 things listed that he didn't list. Obviously, somebody got ahold of his password. If it weren't for some very nice man in Ontario, Canada, (who wondered why Pennsylvanians who primarly sell football cards were selling computers and asking for payment in British Pounds) we'd be in a little bit of trouble. Thankfully, I know all of dad's personal and financial info, and EBay took care of everything. My father's out of town for several days, so this Canadian guy saved our ass.
How did they get his username/password? He swears that he didn't give the info to anyone, and I checked his email for phishing email scams and the like. I tend to believe him, because he got scammed out of his AOL password about 10 years ago, and never forgot that little lesson.
We use AVG Anti-Virus (scan quite often, always updated), have a software firewall (the built in Windows XP one), and a hardware firewall (our router says it has one built in).
SO, if he didn't stupidly go to some fake website and give his information (there's a possibility that he did and doesn't remember), is there something I should be looking for on the home computer? Like I said, the Virus scanner is always updated, as is the spyware thing, too.
I've been getting more spoof e-mails than ever, some for services I don't even subscribe to.
As of 2/28/05: 101 pounds since December 7, 2004 OFFICIAL THREE-MONTH COUNT: 112 pounds on March 9, 2005 OFFICIAL SIX-MONTH COUNT: 142 pounds on June 8, 2005 OFFICIAL ONE YEAR COUNT: 187 pounds on December 7, 2005 As of February 2, 2006: 197 pounds "I've lost a cruiserweight"
His password was just a random word and some numbers. It wasn't horribly complex, but it wasn't his birthday or username or anything.
That said, I found out that he's used the same username and password combination on at least one message board connected to his business, so maybe there's something there. Could somebody theoretically gain access to that information?
I can't see anything processes running in the background on the task manager that looks suspicious. I've gone over all the processes one by one. Is there any other way to figure out if he's got a keylogger?
You are probably looking for a more step by step answer than this, but this is the best I can offer right now. Read this site, download Rootkit revealer, and check through their forums after you get your results.
As for the password, it is possible that it was gotten from the forum. As you know, we have your username and password here in a database for your account here. If the site owner was abusive of that knowledge, it could be a problem.
I always recommend having an "insecure" password that is used for forums and other non-critical third parties on the web, and a secure password that I only use for banks, taxes, insurance, etc.
You should probably use a different password everywhere, but I can't remember that many passwords. I have problems remembering all of my accounts!
Originally posted by JayJayDeanAre you sure he didn't reply to one?
No. He's been stupid before, but I kind of believe him when he says that he didn't. I checked his emails going back about a month, and he hasn't gotten anything suspicious looking.
Didn't see anything suspicious on the RootKit revealer, but it's hard to do this stuff when the computer is 200 miles away from me. Luckily, other family members (brother in law and sister) are smart enough to install and do stuff for me. Of course, the home phone bill might be a bit high this month.
Not sure how it happened, and we're watching everything carefully now. Dad wants to blow up the home computer and just "buy a damn new one" to be sure, but that seems a bit extreme. My guess is that he either filled out something he shouldn't have, or somebody got ahold of his password from the collector's boards that he frequents, and got lucky when the password matched his Ebay one. I've lectured him, and gave him Guru's advice on secure and unsecure passwords.
EDIT: Looking at service messages received from EBay (change of password notifications, attempted change of email notifications), this guy did all this from IP address 18.104.22.168, which I think is from AOL, which means that it's probably fake or stolen.
Oh, and can I just rant about the fact that EBay has NO phone number you can call? I found their HQ phone number on the SEC website, but nobody was particularly happy to hear my voice at that number, and they wouldn't help me at all. They asked me where I found their number and then basically said that there was nothing they could do. Jerks.
This is super-catchy: http://www.somethingawful.com/articles.php?a=2906 For those that demand an explanation before clicking, it's a short flash movie set to a tune "remixed from actual cigarette commercials."