Rogue hosts waylaying genuine ones

Discussion in 'Internet Explorer' started by P. Jayant, May 27, 2010.

  1. P. Jayant

    P. Jayant Guest

    I have been using the web-site of the State Bank of India
    (www.onlinesbi.com) for over five years to log-in and pay various bills like
    those of the electricity company or the DTH Operator. For the last three
    months, however, I have had to change over to the Internet Banking service
    of another bank where also I have an account, just because the moment I
    enter the onlinesbi address and press enter, a rogue service provider with
    the address sbionline.co.in opens up and offers to pay my bills for anything
    I need from Real Estate and Jewellery to household appliances and gadgets.
    It even presents me a page to enter my username and password just the way
    the State Bank of India does. If ever I am inattentive and enter those
    details I use for the S B I account, the rogue asks me to fill up a detailed
    form of information about my ancestry, current style of living etc. This is
    obviously, a phishing racket.
    But how do I get rid of it and get to the genuine host I want? I tried the
    instructions given in a Microsoft guide
    http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which is
    meant for the Error message "the web page could not be displayed" but deals
    with rogue hosts. But when I checked in the Windows\system32\drivers\hosts
    folder, I did not find any rogue host to put a cross at the start or the end
    of its name.

    Are there any other ways of stopping the rogue hosts? Is there any authority
    apart from S B I themselves who could take action on such rogues? How does
    one report these violations to them?

    P. Jayant
    P. Jayant, May 27, 2010
    #1

  2. P. Jayant

    VanguardLH Guest

    P. Jayant wrote:

    > I have been using the web-site of the State Bank of India
    > (www.onlinesbi.com) for over five years to log-in and pay various bills like
    > those of the electricity company or the DTH Operator. For the last three
    > months, however, I have had to change over to the Internet Banking service
    > of another bank where also I have an account, just because the moment I
    > enter the onlinesbi address and press enter, a rogue service provider with
    > the address sbionline.co.in opens up and offers to pay my bills for anything
    > I need from Real Estate and Jewellery to household appliances and gadgets.
    > It even presents me a page to enter my username and password just the way
    > the State Bank of India does. If ever I am inattentive and enter those
    > details I use for the S B I account, the rogue asks me to fill up a detailed
    > form of information about my ancestry, current style of living etc. This is
    > obviously, a phishing racket.
    > But how do I get rid of it and get to the genuine host I want? I tried the
    > instructions given in a Microsoft guide
    > http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which is
    > meant for the Error message "the web page could not be displayed" but deals
    > with rogue hosts. But when I checked in the Windows\system32\drivers\hosts
    > folder, I did not find any rogue host to put a cross at the start or the end
    > of its name.
    >
    > Are there any other ways of stopping the rogue hosts? Is there any authority
    > apart from S B I themselves who could take action on such rogues? How does
    > one report these violations to them?
    >
    > P. Jayant


    Use a shortcut to eliminate the user blunders of entering the wrong URL
    at a later time.

    If you are using the correct URL but ending up at a different site then
    contact your ISP or whomever's DNS server you are using and inform them
    that their DNS server may be poisoned. Until then, you could specify
    the IP address of the site as the URL in a shortcut instead of using a
    hostname that requires a DNS lookup. If your DNS provider continues to
    remain poisoned then you'll have to use someone else's, like OpenDNS.

    A hostname not listed in the 'hosts' file is not the only means of
    getting redirected to a phishing site. You might be infected with
    malware.
    VanguardLH, May 27, 2010
    #2
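The hosts-file check discussed in the two posts above, as an added example that is not part of the original thread. It parses hosts-file text and reports any entry that pins a watched hostname to an address; the sample file content and its addresses are constructed for illustration. On Windows the file normally lives at `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.onlinesbi.com onlinesbi.com   # constructed hijack entry
0.0.0.0         ads.example.net
::1             localhost
198.51.100.7    WWW.OnlineSBI.com
not-an-ip       www.onlinesbi.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a mapping line
        # Hostnames are case-insensitive; a trailing dot means the same name.
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def find_overrides(text, watched):
    """Return (line_no, hostname, ip, kind) for entries that pin a watched name."""
    watched = {w.lower().rstrip(".") for w in watched}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in watched:
                blocked = ip.is_loopback or ip.is_unspecified
                kind = "blocked" if blocked else "redirected"
                findings.append((line_no, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS, ["www.onlinesbi.com", "onlinesbi.com"]):
        print(finding)
```

An empty result, as the original poster reported for his own file, only rules out the hosts file; the DNS server and local malware remain to be checked.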

  3. P. Jayant

    P. Jayant Guest

    Re: Rogue hosts waylaying genuine ones

    Sorry I forgot to mention:
    1) I am using Windows XP/SP3
    2) my browser is Internet explorer 8 and
    3) The Phishing filter is ON


    P. Jayant
    P. Jayant, May 27, 2010
    #3
  4. Re: Rogue hosts waylaying genuine ones

    There is a very good chance that you are seeing the effects of a hijackware
    infection!

    NB: If you had no anti-virus application installed or the subscription had
    expired *when the machine first got infected* and/or your subscription has
    since expired and/or the machine's not been kept fully-patched at Windows
    Update, don't waste your time with any of the below: Format & reinstall
    Windows. A Repair Install will NOT help!

    Microsoft PCSafety provides home users (only) with no-charge support in
    dealing with malware infections such as viruses, spyware (including unwanted
    software), and adware.
    https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

    Also available via the Consumer Security Support home page:
    https://consumersecuritysupport.microsoft.com/

    Otherwise...

    1. See if you can download/run the MSRT manually:
    http://www.microsoft.com/security/malwareremove/default.mspx

    NB: Run the FULL scan, not the QUICK scan! You may need to download the
    MSRT on a non-infected machine, then transfer MRT.EXE to the infected
    machine and rename it to SCAN.EXE before running it.

    2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
    in Safe Mode with Networking, if need be:
    http://onecare.live.com/site/en-us/center/howsafe.htm

    2b. Vista or Win7 => Run this scan instead:
    http://onecare.live.com/site/en-us/center/whatsnew.htm

    3. Now run a thorough check for hijackware, including posting requested logs
    in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

    I can recommend the expert assistance offered in these forums:
    http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
    http://www.spywarewarrior.com/viewforum.php?f=5,
    http://www.dslreports.com/forum/cleanup,
    http://www.bluetack.co.uk/forums/index.php, and
    http://aumha.net/viewforum.php?f=30


    P. Jayant wrote:
    > Sorry I forgot to mention:
    > 1) I am using Windows XP/SP3
    > 2) my browser is Internet explorer 8 and
    > 3) The Phishing filter is ON

    <paste>
    > I have been using the web-site of the State Bank of India
    > (www.onlinesbi.com) for over five years to log-in and pay various bills
    > like
    > those of the electricity company or the DTH Operator. For the last three
    > months, however, I have had to change over to the Internet Banking service
    > of another bank where also I have an account, just because the moment I
    > enter the onlinesbi address and press enter, a rogue service provider with
    > the address sbionline.co.in opens up and offers to pay my bills for
    > anything
    > I need from Real Estate and Jewellery to household appliances and gadgets.

    <blithersnippage>
    PA Bear [MS MVP], May 27, 2010
    #4
  5. P. Jayant

    Bob Lucas Guest

    This comment is in addition to all of the other replies.

    I am concerned that you have probably entered your on-line
    banking user name and password on a phishing website. I strongly
    recommend you use a different computer (from an Internet cafe,
    perhaps) to sign into your on-line banking account. Then, you
    MUST change your password immediately. Otherwise, the fraudsters
    will have access to all the money in your account.

    If you cannot access the account, telephone your bank and ask
    them to change your password.

    I hope this advice is not too late.


    "P. Jayant" <> wrote in message
    news:OrtmgzU$...
    > I have been using the web-site of the State Bank of India
    > (www.onlinesbi.com) for over five years to log-in and pay
    > various bills like those of the electricity company or the DTH
    > Operator. For the last three months, however, I have had to
    > change over to the Internet Banking service of another bank
    > where also I have an account, just because the moment I enter
    > the onlinesbi address and press enter, a rogue service provider
    > with the address sbionline.co.in opens up and offers to pay my
    > bills for anything I need from Real Estate and Jewellery to
    > household appliances and gadgets. It even presents me a page to
    > enter my username and password just the way the State Bank of
    > India does. If ever I am inattentive and enter those details I
    > use for the S B I account, the rogue asks me to fill up a
    > detailed form of information about my ancestry, current style
    > of living etc. This is obviously, a phishing racket.
    > But how do I get rid of it and get to the genuine host I want?
    > I tried the instructions given in a Microsoft guide
    > http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx
    > which is meant for the Error message "the web page could not be
    > displayed" but deals with rogue hosts. But when I checked in
    > the Windows\system32\drivers\hosts folder, I did not find any
    > rogue host to put a cross at the start or the end of its name.
    >
    > Are there any other ways of stopping the rogue hosts? Is there
    > any authority apart from S B I themselves who could take action
    > on such rogues? How does one report these violations to them?
    >
    > P. Jayant
    >
    Bob Lucas, May 27, 2010
    #5
  6. P. Jayant

    Dan Guest

    "P. Jayant" <> wrote in message
    news:OrtmgzU$...
    > I have been using the web-site of the State Bank of India
    > (www.onlinesbi.com) for over five years to log-in and pay various bills
    > like those of the electricity company or the DTH Operator. For the last
    > three months, however, I have had to change over to the Internet Banking
    > service of another bank where also I have an account, just because the
    > moment I enter the onlinesbi address and press enter, a rogue service
    > provider with the address sbionline.co.in opens up and offers to pay my
    > bills for anything I need from Real Estate and Jewellery to household
    > appliances and gadgets. It even presents me a page to enter my username
    > and password just the way the State Bank of India does. If ever I am
    > inattentive and enter those details I use for the S B I account, the rogue
    > asks me to fill up a detailed form of information about my ancestry,
    > current style of living etc. This is obviously, a phishing racket.
    > But how do I get rid of it and get to the genuine host I want? I tried the
    > instructions given in a Microsoft guide
    > http://www.microsoft.com/windows/ie/community/columns/ietopten.mspx which
    > is meant for the Error message "the web page could not be displayed" but
    > deals with rogue hosts. But when I checked in the
    > Windows\system32\drivers\hosts folder, I did not find any rogue host to
    > put a cross at the start or the end of its name.
    >
    > Are there any other ways of stopping the rogue hosts? Is there any
    > authority apart from S B I themselves who could take action on such
    > rogues? How does one report these violations to them?
    >
    > P. Jayant
    >


    It depends on how deeply it's in the system, but you may find that
    Malwarebytes Anti-Malware from http://www.malwarebytes.org/ may clear this
    out, just try the free version. However, if it's like one of the systems I
    had to clear recently that has this embedded right down as a rootkit with
    boot sector code then it'll be a tedious job to remove, I'd only recommend
    this for someone who is happy to run Combofix and go through all the
    required steps (so far I haven't had a single system not get cleaned with
    this).

    I'd also second Bob's reply - if you've already entered some of the details
    including your password get onto your bank and let them know, and get your
    password changed (and login name/id if possible) as well as any other
    secondary password/PIN that they use to identify you, and if you have no
    other PC to use that you know is clean then also ask them to suspend your
    online banking while you sort out your PC.

    The only sure way to get rid of something like this is a reformat and
    reinstall, however I would suggest that if you do this that you maybe use a
    low level format utility from the hard disk manufacturer first as otherwise
    you risk the malware installer being executed once Windows has been
    reinstalled if it's in the boot sector of the disk.

    Reporting violations is often a waste of time, especially as sbionline.co.in
    is located in Germany and the IP is owned by PlusLine Systemhaus GmbH so
    your bank could likely do nothing anyway. With one of the recent infections
    I've cleaned up I reported the phishing site to both the bank concerned (in
    the UK) and the company in the US who run the datacentre where the rogue
    site is hosted, the bank simply said there was nothing they could do and the
    hosting company never replied and simply closed the real time chat windows I
    used for technical support, and the rogue was still up and running weeks
    later and is probably still there.

    --
    Dan
    Dan, May 27, 2010
    #6
  7. P. Jayant

    Rob Guest

    Bob Lucas <> wrote:
    > I am concerned that you have probably entered your on-line
    > banking user name and password on a phishing website. I strongly
    > recommend you use a different computer (from an Internet cafe,
    > perhaps) to sign into your on-line banking account. Then, you
    > MUST change your password immediately. Otherwise, the fraudsters
    > will have access to all the money in your account.


    It must be quite a stupid and insecure bank when they allow access
    to all the money in your account with only a username and password...

    Which reputable bank would ever allow such an insecure web access??
    Rob, May 27, 2010
    #7
  8. P. Jayant

    Tom Willett Guest

    :
    : It must be quite a stupid and insecure bank when they allow access
    : to all the money in your account with only a username and password...
    :
    : Which reputable bank would ever allow such an insecure web access??

    Hear! Hear!

    I have to take about 5 steps to log in to mine.
    Tom Willett, May 27, 2010
    #8
  9. P. Jayant

    Bob Lucas Guest

    Quite right. Unfortunately, I cannot comment upon the adequacy
    of the security procedures adopted by Indian banks.

    I hope the bank's security procedures will be sufficiently robust
    to thwart any attempted fraud. However, don't forget that in his
    original posting, the OP stated that the website asked him to
    "fill up a detailed form of information about his ancestry,
    current style of living etc". It follows that the fraudsters
    were probably trying to harvest sufficient information to access
    the account.

    Even if the OP did not disclose any personal info., I stand by my
    previous advice that he should change his password (plus any
    secret security questions and answers) without delay. Better
    safe than sorry!


    "Tom Willett" <> wrote in message
    news:#iCErmc$...
    >
    >
    > :
    > : It must be quite a stupid and insecure bank when they allow
    > access
    > : to all the money in your account with only a username and
    > password...
    > :
    > : Which reputable bank would ever allow such an insecure web
    > access??
    >
    > Hear! Hear!
    >
    > I have to take about 5 steps to log in to mine.
    >
    >
    >
    Bob Lucas, May 27, 2010
    #9
  10. P. Jayant

    P. Jayant Guest

    No. I did not enter my Username and password. I only mentioned that the
    rogue put up a page identical to that of the bank asking me to enter those
    details. I promptly knew it was a phishing attempt.

    P. Jayant
    P. Jayant, May 28, 2010
    #10
  11. P. Jayant

    P. Jayant Guest

    My Anti-Virus software is QuickHeal. I have done the root natural Windows
    scan and QuickHeal has cleaned up the system. It is working O K now. Thanks
    for all the comments made by various correspondents.

    P. Jayant
    P. Jayant, May 28, 2010
    #11
  12. P. Jayant

    Dan Guest

    "P. Jayant" <> wrote in message
    news:#sbYIOi$...
    > My Anti-Virus software is QuickHeal. I have done the root natural Windows
    > scan and QuickHeal has cleaned up the system. It is working O K now.
    > Thanks for all the comments made by various correspondents.
    >
    > P. Jayant


    Given the very poor reviews of Quick Heal I've just been skimming through
    I'd suggest you get a decent anti-virus, and also run Malwarebytes that I'd
    already suggested.

    And if the infection is installed at the boot sector then a root kit scan
    won't fix it anyway, as a root kit is something else entirely - some of
    these infections go as far as being able to block them being scanned from
    within Windows and require a much more low level scan technique to find and
    disable them.

    --
    Dan
    Dan, May 28, 2010
    #12
  13. P. Jayant

    Twayne Guest

    In news:%23iCErmc$,
    Tom Willett <> typed:
    >> It must be quite a stupid and insecure bank when they
    >> allow access to all the money in your account with only a
    >> username and password...
    >>
    >> Which reputable bank would ever allow such an insecure web
    >> access??

    >
    > Hear! Hear!
    >
    > I have to take about 5 steps to log in to mine.


    That's not the point, really; he said he gave out a lot of info previously,
    I think and that might be enough for a dozen steps or one, who knows? The
    advice to go to call his bank and change his password was excellent, whether
    it's necessary or not because its exposure is an unknown. I'd then find
    another computer somehow and do a test access to be sure he still had
    access.
    He should also be able to put a sort of "alert" on his accounts if the
    bank offers it.

    Most banks allow online wire transfers; that's one way the money could leave
    the bank unbeknownst to him. And until it's straightened out, if he's still
    not sure, he should close/reopen other accounts under another name and
    password, and reinstall his system from scratch.

    There's more, but that's the important stuff; then go on to figure out
    what's up with DNS, etc.. The bank should be all over this one for him; if
    not, it's time for another bank.

    HTH,

    Twayne
    Twayne, May 28, 2010
    #13