We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
We're aware that some users are experiencing technical issues which the team are working to resolve. See the Community Noticeboard for more info. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
lloydsTSB enter full memorable info now?
Options
Comments
-
longforgotten wrote: »I've got this now, but with four boxes :eek:
Just logged into mine - definitely still only 3 boxes. Be careful, hope you didn't get there via a link.
Geoff0 -
Geoffo, how come you've got three boxes. I only ever had two then got sent off to another page to then use the mouse to include more info
Anybody else seeing four boxes on the log in page ?0 -
longforgotten wrote: »Geoffo, how come you've got three boxes. I only ever had two then got sent off to another page to then use the mouse to include more info
Anybody else seeing four boxes on the log in page ?
Same as always here...
Two boxes asking for User ID & Password then sent off to another page to enter 3 characters from your Memorable Information using the mouseNever let the perfume of the premium overpower the odour of the risk0 -
Had this problem too, turned out to be a trojan that Adaware and AVG didnt spot. The only free programs I found that got rid of it were SpyBot and hijackthis. Remember to set Spybot to run a full scan on computer startup. Performing a Spybot scan once the computer is up and running is a waste of time, it will recognise the trojan but wont be able to delete it as it will be running program.0
-
A friend of mine who uses Lloyds TSB online banking had this same problem yesterday. The bank disabled his access and claimed he had malware on his PC. He called me to sort it out as I know a bit about PCs.
Wow. What a wriggly little :eek: this was.
As in this thread, the ONLY symptom seemed to be the addition of a text entry field for the full memorable word on the bank's logon screen. To be clear, this was not a redirect to another website or a mistyped URL. This was the genuine Lloyds TSB homepage button link to the genuine logon screen. It looked entirely correct except for the new field. It was even https with the padlock showing in IE8. And guess what... it even appeared in Firefox 3.6.8 Yes, I was amazed too.
When I first saw this I thought the bank's own servers had been compromised but when I spoke to their technical helpdesk I was convinced it was local problem on the PC. (It wasn't until later in the day I installed Google Chrome which didn't show the memorable word field.)
The PC had McAfee internet suite (incl. spyware protection) installed and running. A full on-demand scan did not find it. Also running on the PC was Webroot Spysweeper, Windows Defender, PC Tools Spyware Doctor. None of these found the culprit.
An online scan using Panda Anti-virus found it - but I didn't know this for sure until much later. It was flagged only as a 'suspicious file' so I sent it to be analysed by 43 anti-virus vendors at virustotal.com and it was again flagged by Panda as a 'suspicious file' with no malware name. No other vendor flagged it as a problem at all !!!!!
A full ESET online scan also found nothing.
I also ran the Kaspersky Virus Removal Tool (not the anti-virus program which can't run unless McAfee is uninstalled). It found Trojan-Spy.Win32.Zbot.amzj & anef but failed to totally get rid of it all.
So how did I find it? Pretty much by luck and experience. I saw a process which msconfig showed as starting at start-up. I didn't know what it was but decided to find out. I googled the filename and folder where it was but google found nothing for either. This rang alarm bells for me. I couldn't end the process and couldn't remove it from start-up even by using advanced tools. Because of this behaviour I focused on it. It was in a folder/file called Llyanva/idxyo.exe - I know some malware uses random numbers to name its processes but this looked (at first sight) genuine until google couldn't find it.
In the last afternoon I sent the file to virustotal again and this time the results were a little different. Panda still only flagged it as a 'suspicious file' with no malware name. But this time Kaspersky identified it as Backdoor.Win32.Buterat.vy (No other vendors identified it as odd.)However, google did find a mention of idx.exe in the malwarebytes forum so I installed Malwarebytes Anti-malware with the latest updates and it identified the same file as .... and claimed to delete it. This was the same family of backdoor trojans mentioned by the Lloyds TSB tech helpdesk so I guessed I was getting somewhere. However, there were still remnants of it in the windows registry (as identified by jv16 Power Tools 2010). I was eventually able to delete the remnants and sure enough the memorable word field in both IE8 and Firefox 3.6.8 disappeared. Who knows whether it has fully gone or not but for now its not showing its very sneaky symptoms.
I suspect the Kasp program and the Malwarebytes both helped get rid of it but neither did fully.
This was a difficult one to chase. I hope this info helps someone else.
The worst thing about this was the lack of evidence that there was anything on the PC at all and the way it intercepted the browser display after the Lloyds TSB web server had delivered its info to surreptitiously add a new field to gain the complete bank logon details.
A very crafty, quiet little :eek: indeed.0 -
This little !!!!!! has just appeared on the good lady's lappy. We bank with the Halifax. Both IE and Firefox infected
Malwarebytes (5419) has scanned and failed to clear any issues.
I'll try kapersky as last post - this really is a horrible little ....
Will come back with results0 -
the only way to feel secure is to use Linux to access banking sites, via a read only CD or thumb drive. There are several sources, I recommend Slax (https://www.slax.org).
its extremely unlikey to get a nasty, and if it does it cant do anything with it because it cant write to any storage.0 -
Or something like clear cloud http://www.clearclouddns.com/ (run by Sunbelt who also do the VIPRE antivirus and firewall). Its free of charge (at present) and will basically stop you going to fake sites by displaying a message that the site is not real. That assumes that your anti-virus/firewall software doesnt pick it up for you first.
There is a test page here: http://clearcloudtest.ssdsandbox.net/ which your firewall/antivirus software should block (it can do no damage if it doesnt block it as the point is to let you know if its been blocked or not. if its not blocked then you should consider reviewing your security software)I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.0 -
It's not entirely true to say that banks never ask for the whole of your memorable word. Lloyds "Clicksafe" is a pop-up box which asks you to verify the use of your credit card. It asks for the whole word.
By contrast Barclaycard "Verified by Visa" ask you for 3 of the characters only.
I pointed this out to Lloyds but they seemed unable to appreciate that their statement "we never ask for .." is not always true.This is a system account and does not represent a real person. To contact the Forum Team email forumteam@moneysavingexpert.com0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351K Banking & Borrowing
- 253.1K Reduce Debt & Boost Income
- 453.6K Spending & Discounts
- 244K Work, Benefits & Business
- 598.9K Mortgages, Homes & Bills
- 176.9K Life & Family
- 257.3K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards