
Credit Card information stolen

Last Modified: 2019-12-23
I have a client who has had two separate credit cards compromised in the last week. Same user, same computer, different secure websites, and two totally different cards. I have run malware and AV scans on the machine, verified the web browser was fully patched and didn't have any extensions installed, and verified Gateway AV, IPS and App Control were enabled on the SonicWALL. We looked for rogue APs and came back clean. Both cards were used within an hour of being used for online transactions, and the cards were entered into the web browser manually, not saved. I am running out of ideas on where to look or what to even look for. Any help would be appreciated.

Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
Why isn't this person using PayPal or a password manager that prefills this info?

To your present problem, have you considered it may be a keylogger?
CERTIFIED EXPERT

Commented:
Which antivirus did you use to scan the PC?
Are you able to perform a boot scan?

Author

Commented:
A keylogger was my first thought, but Trend and Malwarebytes both came back completely clean.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
There are lots of ways to steal credit card numbers. Any strange software? Where has this person used the cards, both online and offline? Were the sites secure? And why not try replacing the computer?

How is your infrastructure set up? Would it be possible to have rogue equipment on the network sniffing data?

Author

Commented:
The information that I was given says that both cards were used online and within an hour were being used for unauthorized purchases. Both sites were secure, using SSL, verified certs, reputable web carts. Replacing the computer may ultimately be the solution, but I would like to determine the source of the breach for future uses.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I would do or look at the following:
  • Replace the machine in question - Have forensics run on the questionable system (AND keep it offline). If you're not able to do this, get a consultant involved. Don't delay this step because you're trying to find the root cause. By delaying, you're not really attempting to mitigate or eliminate risk.
  • Get rid of users having admin access if this is presently the case (along with a number of other things to overhaul security practices)
  • Check the other users' systems. There may be more at risk with the same cause.
  • Check your network infrastructure for any rogue devices, vulnerabilities, misconfigurations, or compromises. Now that you know things have happened to one user doesn't mean that other users aren't at risk.
  • The sites themselves (if they have insecure practices, then you have an issue)
Blue Street Tech, Last Knight
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Hi computerconcepts,

Everything @masnrock said! Additionally, I'd determine whether the computer was in fact compromised in the first place; as @masnrock said, credit cards can be compromised in a multitude of different ways externally. Most people don't have a clue how large their online footprint is (meaning how many databases they are in).

So, if you have not taken the computer offline yet hop on the SonicWALL and look at the Connection Log & look for the following info:
      1. Top 20 IP addresses that have the largest number of connections leaving your network
      2. Top 20 IP addresses that have the longest connections
      3. Top 20 IP addresses that have the most amount of data

Any IP address among the top 20 on all 3 lists is a compromised system.

How did you narrow the "threat" to this machine, or is it narrowed only by the presence of the user who's been infected? If you are running SonicWALL, I'd enable SSL-DPI inspection - over 80% of online traffic is now encrypted & almost all attacks are, so if you are not inspecting encrypted traffic - anything can and will get in! Also, enable/purchase CAPTURE, it's their real-time multi-headed virtual sandbox that can block unknowns, zero-days, ransomware, etc.

If you definitively find it is the computer to be infected and you aren't at the end of your refresh cycle (you don't need to get a new PC), "wipe" or overwrite the drive with 0x00 then perform a full reformat. That will get you back to a virgin state.

What is the model of your SonicWALL? Is it a current model and is the firmware current?

Let me know if you have any questions!
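Blue Street Tech's three-list triage, as an added Python example that is not part of this thread: it ranks outbound destinations by connection count, longest connection and total bytes, then intersects the top-N of each list. The record layout (source, destination, duration, bytes) is a constructed simplification, not SonicWALL's actual Connection Log format, and the intersection is a shortlist to investigate further, not proof of compromise.

```python
"""Triage outbound connections: rank destination IPs by connection count,
longest connection and bytes transferred, then intersect the top-N lists."""
from collections import defaultdict

# Constructed sample records (not real SonicWALL output): src,dst,duration_s,bytes
SAMPLE_LOG = """\
10.0.0.15,203.0.113.10,12,4096
10.0.0.15,203.0.113.10,3600,9000000
10.0.0.15,203.0.113.10,45,2048
10.0.0.15,203.0.113.10,7200,1200000
10.0.0.15,198.51.100.7,30,512
10.0.0.22,198.51.100.7,40,1024
10.0.0.22,192.0.2.44,5,800
10.0.0.15,192.0.2.44,2,300
10.0.0.15,192.0.2.44,9,500
10.0.0.22,203.0.113.80,900,70000
"""

def parse_log(text):
    """Parse the constructed CSV layout into (src, dst, duration_s, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dur, nbytes = line.split(",")
        records.append((src, dst, int(dur), int(nbytes)))
    return records

def aggregate(records):
    """Per destination IP: number of connections, longest single connection, total bytes."""
    stats = defaultdict(lambda: {"count": 0, "longest": 0, "bytes": 0})
    for _src, dst, dur, nbytes in records:
        s = stats[dst]
        s["count"] += 1
        s["longest"] = max(s["longest"], dur)
        s["bytes"] += nbytes
    return stats

def top_n(stats, key, n):
    """Destination IPs ranked by one metric, highest first, truncated to n."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)
    return [ip for ip, _ in ranked[:n]]

def triage(text, n=20):
    """Destinations that appear in the top-n of all three rankings (sorted)."""
    stats = aggregate(parse_log(text))
    lists = [set(top_n(stats, k, n)) for k in ("count", "longest", "bytes")]
    return sorted(set.intersection(*lists))
```

With real logs, keep n at 20 as the comment suggests; the sample uses n=2 only because it holds four destinations.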
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I see no indication of the asker's customer using a SonicWALL. Instead of replacing the computer, just format the HD and reinstall the OS.
CERTIFIED EXPERT

Commented:
@David Johnson -
"I see no indication of the asker's customer using a sonicwall"

From the question: "verified Gateway AV IPS and App Control was enabled on the Sonicwall."
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Has any progress been made on this? The advice here should be more than helpful.

Author

Commented:
Sorry guys, the investigation got put on hold for reasons unknown to me. There have been no more issues since. Not sure if it was user error or what went down.