IS ATS Phishing?

uninstall norton internet security, step 1. A Phishing site will actually *look* like a site you are trying to go to (ebay.com, yahoo.com, theyareouttogetme.net). For someone to steal your pin, you need to first enter it into your browser.

OP - Might also be some kinda malware on your machine. What kinda spyware filter are you using? If it's just the normal Spybot S&D or Ad-Aware, or any of the other free ones, I can guarentee you've got some greys and mals lingering. A lot of those will occasionally ask you for you to put in usernames and passwords to obscure login screens in an effort to get your info on other, legitimate logins. I can recommend some good ones via U2U if you like, I don't want to be seen as endorsing a specific product publicly.

And Deus_Brandon, I hope you aren't intenting to imply ATS would be an active part of any sort of intrusion on to people's PCs, and if you are, I would expect some solid evidence instead of vague accusations. I've been a member of this site for years now, and I run a pretty dang tight ship on my own rig. I've never found even the slightest hint that ATS did anything to my system other than read its own cookies. I wouldn't be a part of a site that did that sort of thing.

Now if you have something to say, please come right out and say it, present your evidence, and let the public decide. Being a mod hasn't made me ethically impervious to the goings on of ATS. But if all you've got are vague accusations with no substance behind them, I suggest you consider who you are insulting with off-handed comments like that. It would be a lot like me walking into your house, taking full advantage of your hospitality and generosity for the evening, and then saying "Gosh, you know, I just can't help but get the feeling you videotape the bathrooms here."

Try to see it that way. If you're going to insult your host, it's a real good idea to be able to back it up, and be prepared to be asked to leave if you insulted them too deeply, too needlessly. Just a tip there. Take it or leave it as you will.

I havent had a problem with any viruses or spyware in years. I have all of these programs working in harmony. It took me awhile...

I run 128bit and 256 bit encryption based on what I am doing.

Antivirus Password Protection
Norton 2007 Roboform Pro
Antivir Norton
Avg

Spyware Scanners
Ad-Aware
A-Squared
Spybot
Giant
PGP Site Blocker based on IP Addresses
Spyware Blaster
CA Antispyware
Window Defender

Firewall

Norton Pro
Sygate Pro

Washer Programs
Window Washer
CCleaner
Xp Smoker Pro

And A couple of other
tweaker programs

wow... quite a list.

I think you should remove some of them. Having so many programs all looking in one place will cause inevitable conflicts.

The only thing you really need to stop phishing sites is a decent, modern browser. IE7 and Firefox both come with Phishing Filters which actively check every site you visit and are constantly updated so that each knows if the site you are viewing is a phisher.

Originally posted by bufordny
I havent had a problem with any viruses or spyware in years. I have all of these programs working in harmony. It took me awhile...

Yeah, that's a pretty decent suite there. Hmmm.

Have you run HiJackThis yet? I doubt you'd have a jacked browser, but I suppose it's possible. I expect that's probably in your tweaker tools though.

I'd be curious what Spyware Doctor from PCTools found, as well. I know you've got a lot of anti-spyware on your machine, but I tried about everything before Spyware Doctor found the culprits what "st0el3d my m3g4hurtz"... I don't want that to sound like an advertisement though.

Good job on getting all that stuff to place nice with each other. That must have been a real pain.

I don't know man. You've got me stumped. Logic says it's not ATS sending it though, because if you're THAT well guarded, and yet you're being asked for a PIN by some dubious login screen, you can bet everyone else here who doesn't fly a fortress tower would be seeing the same login screen. It wouldn't just appear for those whom are better protected than everyone else. So my guess is that either your system is, in fact, compromised by some spyware, or someone launched a specific attack against just you in the form of... a request for your PIN...which could mean anything.

It just doesn't add up. You don't put protection like that on a rig without visiting some pretty crazy odd places, or unless there's something really worth having on your PC. Was there anything of note in your Event Logs? Did you check the logfiles of your suites to see what, specifically the message was in reference to, where it came from, over what port, or anything? Could it in any way be possible that you were on another site at the same time that perhaps does a popup that spoofs other cookies or windows on your system? See if you can isolate the source a bit further.

In every instance on ATS I've seen in the past, the Amigos have been very honest and forthcoming about what's happened, and I'm sure if it turns out there was something bad going on through ATS servers, they'd want to know about it just as much as you do, but for what it's worth, I think a lot more than just one person would have seen this screen if ATS were really phishing.

I can attest Fire Fox 2 works well.






[edit on 27/3/2007 by Sauron]

Originally posted by JackofBlades
I think you should remove some of them. Having so many programs all looking in one place will cause inevitable conflicts.

JackofBlades raises a really good point here that I'd forgotten to mention. There's every chance that one of those programs is the one asking you for a PIN, and that it's an option that got accidentally toggled on, so you wouldn't be expecting it, it wouldn't be something you normally see, and it wouldn't trigger alerts from anything else except as a block till the PIN was entered...

Try to find out what that PIN was to. That will be your answer right there, I bet dollars to donuts it's an accidental toggle in one of those proggies.

I have used Hijackthis and a few of my pro software reading the event logs and found this:

Private Information:

Date Time: 3/27/2007 11:02:08 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXXX
Destination: www.abovetopsecret.com...

and
Private Information:

Date Time: 3/27/2007 11:01:40 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXX
Destination: images.abovetopsecret.com...

And

Private Information:

Date Time: 3/27/2007 11:01:40 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXXXX
Destination: images.abovetopsecret.com...

Private Information:

Date Time: 3/27/2007 11:01:40 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXXXX
Destination: images.abovetopsecret.com...

Private Information:

Date Time: 3/27/2007 11:01:39 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXX
Destination: images.abovetopsecret.com...

Private Information:

Date Time: 3/27/2007 11:01:39 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXXX
Destination: images.abovetopsecret.com...
Private Information:

Date Time: 3/27/2007 11:01:39 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data:XXXXXXXX
Destination: images.abovetopsecret.com...

Private Information:

Date Time: 3/27/2007 11:01:38 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXXXX
Destination: images.abovetopsecret.com...
Private Information:

Date Time: 3/27/2007 11:01:38 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXX
Destination: images.abovetopsecret.com...
Private Information:

Date Time: 3/27/2007 11:01:37 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXX
Destination: images.abovetopsecret.com...

Private Information:

Date Time: 3/27/2007 11:01:37 AM
User:
Action: Blocked
Type: HTTP
Category: PIN
Data: XXXXXXX
Destination: images.abovetopsecret.com...

Something is causing a bounce?

Had this happen more than once at my site (IgnoranceDenied).

It always ends up where someone uses a remote link for an avatar, that is hosted on a private server or a private image host account. When the person password protects the directory on their server, or makes private the hosted image, then when you view the ats thread the image is fetched from the source, and sometimes a popup will appear requesting username/password/ or login information.

Completely unrelated to the site (ATS/ID) but appears couse the image is being requested from a 'protected' source.

Just my thoughts.

What is the nature of the "blocked data" that your logs kick out. Could you u2u that to me? This way I can tell if it's just something in our cookie.

However, our images server is rather vanilla and has up-to-date mod_secure on Apache... so you shouldn't be seeing anything unless the firewall is configured improperly.

This will NEVER HAPPEN ... The image will just pull up Under the little "X" that usually comes up if the image did not load. I something pulls up PW and ID .... It is something in the code from that page. For Sure ... ... Whoever had that problem go back to that page and whenever you get there Go to VIEW right beside EDIT or Favorites .. and go to SOURCE CODE. Copy and paste this to NOTEPAD .... save it ... there ... Send it in an ATTACHMENT .... to me or Skeptic ... or to anyone who has Front Page .. or who can read HTML ... DHTML ... or actually the problem will be within the Java Applets .............

Originally posted by smirkley
Had this happen more than once at my site (IgnoranceDenied).

It always ends up where someone uses a remote link for an avatar, that is hosted on a private server or a private image host account. When the person password protects the directory on their server, or makes private the hosted image, then when you view the ats thread the image is fetched from the source, and sometimes a popup will appear requesting username/password/ or login information.

Completely unrelated to the site (ATS/ID) but appears couse the image is being requested from a 'protected' source.

Just my thoughts.

Everything I'd say/suggest has already been stated in this thread, but there is one thing that I would like to stress: use FireFox! Upgrading to IE7 will not save you from anything. It is a major step-up for microsoft in HTTP security, but, IE7 still has major flaws and insecurities which are being exploiting by many people and places. I seriously can't stress enough how bad IE is for browsing the internet. Download and install Firefox now, for your own protection, please.

Originally posted by Deus_Brandon
This will NEVER HAPPEN ... The image will just pull up Under the little "X" that usually comes up if the image did not load. I something pulls up PW and ID .... It is something in the code from that page. For Sure ... ... Whoever had that problem go back to that page and whenever you get there Go to VIEW right beside EDIT or Favorites .. and go to SOURCE CODE. Copy and paste this to NOTEPAD .... save it ... there ... Send it in an ATTACHMENT .... to me or Skeptic ... or to anyone who has Front Page .. or who can read HTML ... DHTML ... or actually the problem will be within the Java Applets .............

Originally posted by smirkley
Had this happen more than once at my site (IgnoranceDenied).

It always ends up where someone uses a remote link for an avatar, that is hosted on a private server or a private image host account. When the person password protects the directory on their server, or makes private the hosted image, then when you view the ats thread the image is fetched from the source, and sometimes a popup will appear requesting username/password/ or login information.

Completely unrelated to the site (ATS/ID) but appears couse the image is being requested from a 'protected' source.

Just my thoughts.

Actually what smirkley has described is very possible. The fact your browser displays a little X is because it can’t get access to the picture.

Your browser will contact the server and request the picture, if the directpry that the picture is in is password protected the server will then ask for authentication, because you’re bowser is requesting the picture whilst rendereing a webpage it will most likely see the authentication as a failure in the request for the picture and there for display the little X

To behonest this doesn’t look like that. Not all of thing that were blocked were pictures and besides every one else can access them fine.

I can’t see why it would have block www.abovetopsecret.com... but it might be to do with the ads.

It may have blocked the pictures because images.abovetopsecret.com is on a different ip address to www.abovetopsecret.com . Depending on the security restrictions is may have seen it as trying to spoof the original site.

Not sure that you’re talking about what you refer to Java Applets Deus_Brandon as far as I’m aware there aren’t any Java Applets on abovetopsecrect, at least not on the main board.



[edit on 28-3-2007 by Burgess]

function sessionpop()[
settings="toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=520,height=600";
url="http://www.abovetopsecret.com/forum/ats_session.php?";
window.open(url,"session",settings);


This is something of what I am talking about JAVA APPLETS although this is just basically a Loop type script .... There are other Progs that are inside each web page to make them FUNCTION correct. Everytime you hit a button it is using some sort of Java Application. Anyways .... You guys obviously have never done any how should I say "PLAYING WITH SCRIPTS" ... Google Hack .... and it will show you why Phishing would be used.

What you've pasted in there is actually JavaScript which is quite different from Java which you use to produce Java Applets.

Javascript is based on ECMAScript www.ecma-international.org...

and Java (which is used to create Java Applets) was produced by sun java.sun.com...

It's easy to get the two confused if you haven't had much experience with either of them.

If you'd like i can explain the differences in detail

For those of you who use a dozen security programs to make yourself feel safe, let me say this.. relax. For the OP, a Phishing site is a website that is made to look like a real website, whether that be a bank, ebay, paypal, or whatever.. Just because one of your 50 anti spyware anti virus programs lights up because of an image on this website does NOT mean that this site is guilty of Phishing.

Step 1: uninstall all of that garbage, its not doing anything but raising paranoia
Step 2: download and install the latest browser (i recommend mozilla)
Step 3: don't install any activeX programs you aren't sure about
Step 4: don't ever follow an email link to a bank or financial site
Step 5: relax, its all going to be ok.

Originally posted by Deus_Brandon
This is something of what I am talking about JAVA APPLETS although this is just basically a Loop type script

You are very wrong.

The code you quoted is a JavaScript Function that launches a pop-up window associated with a few functions on ATS.

It's obvioulsy not a loop.

It's obviously not a Java Applet (which is something very different).

It doesn't run unless initiated by user action.

Don't know if it's right to mention it here, but it has to do with log-in and password.

The very few times I log-out of ATS and log-in again the following happens:

After entering username and I click in the password field it instantly autofills. Obviously with the correct password.

Is that a normal procedure for login on ATS?

If the case someone has stolen my password and can enter my account I just wanna mentioned I've never seen anything written in my name, but what I've written myself.

That would be a browser function. It's set to autofill passwords after you enter your username. It saves your password and just plugs it in for you.

... I am sorry that I was confused ... I actually didn't mean to paste a call Function ... Just grabbed first thing I saw using Java ... Which is movement in HTML ... Appologies ... thanks for setting me str8 skeptic. I can use that same Format and Make that button whenever any user hits it here at ATS ... ask them whatever I wanted to ask them ... Even take them to a page outside of your server network and make the page look IDENTICAL to ATS page and ask for thier PW and Username just to send them back to the page in which they came from ... never knowing that the page that they just were on was only a SIMULATION of ATS and now I have thier PW and User name in my mail box waiting .... for me to open it up ... Although I do not do these things. They can be done ... Your server would have had to be compromised ... Which is highly unlikely because I do not know you ... And do not even know the Location so finding the number would be alittle more difficult although whenever each one of your pages come up for a second the IP number of the adress comes up in the lower left hand corner .. And if I have a "GRABBER" LOL .... then I could get that and IP in to your network ... Which is something I CANNOT DO ... But I have a couple friends who could do such ... Although most likely you would have to accept a piece of EMAIL with a SWITCH in it ... to allow your computer to do this ... MUCH MORE DIFFICULT then it is written .. But ... IT CAN VERY WELL BE DONE !!!

Originally posted by SkepticOverlord

Originally posted by Deus_Brandon
This is something of what I am talking about JAVA APPLETS although this is just basically a Loop type script

You are very wrong.

The code you quoted is a JavaScript Function that launches a pop-up window associated with a few functions on ATS.

It's obvioulsy not a loop.

It's obviously not a Java Applet (which is something very different).

It doesn't run unless initiated by user action.