Cahoot Bank Scam - Fake Site re-direction

  IanS1 08:55 24 Feb 11
Locked

Hi - I wonder if guys here can advise me re. a problem I just encountered when trying to access my on-line Cahoot Bank Account?

The problem is - I am automatically re-directed to a fake Cahoot site which looks ABSOLUTELY identical to the real site. The only difference is the fake site asks you for your Full password (whereas the real Cahoot site only ever asks for two characters from your password).

Fortunately I was not fooled and did not enter my full password.

I phoned Cahoot who say it's definitely a hacking problem on my laptop. And I have confirmed that on a neighbour's computer, where I do get the authentic Cahoot bank website, ie the problem is only on my own laptop.

So my question is - (a) has anyone else reported this particular scam re. Cahoot Bank?, and (b) is there any way I can remove the offending scam from my laptop?

I have C-Cleaner, and Ad-Aware, and I've run those, without any threats being detected. I've also tried to run McAfee, though I'm not really familiar with that and I don't know if I'm using that correctly, but again no obvious threats found.

However, the above are only free versions of those programs. Is it worth me paying for a more full version of something like Norton in order to have a better chance of clearing the offending stuff off my laptop?

Any ideas?

Obviously this is a very serious threat to anyone who uses Cahoot on-line, because as I say the fake website is 100% literally identical to Cahoot's real website, except the fake one asks for the full password.

Any suggestions very gratefully received.

Many thanks, Ian.

(ps - I am redirected to the fake site no matter whether I go to Cahoot via Google, or specifically via the address bar)

  mgmcc 09:03 24 Feb 11

Have a look in your "Hosts" file to see if there is an entry in there which redirects requests for your genuine URL to the rogue one.

Do a 'Search' in Windows for the Hosts file. It is a plain text file with no extension, which you can open with Notepad. If such an entry exists, remove it, save the file and exit.

It is usually located in:

C:\Windows\System32\Drivers\etc\Hosts

  Terry Brown 09:54 24 Feb 11

Some banks supply anti-phishing software as part of their package. Currently I use Kaspersky as supplied by the Santander group (free) and this checks that the address you entered actually goes to the registered address of the company.

Ask if Cahoots do the same.

This link may help.
click here

Terry

  IanS1 18:12 25 Feb 11

Hi Mgmcc ... thanks for the suggestion to look in the Hosts file ... I tried to do that, but I don't really know what I'm looking for ...

... ie I can't tell which files are supposed to be in Hosts, and whether there are any files there that are not supposed to be there.

If anyone else has any other suggestions that would be great?

What about trying a full version of something like Norton? Is that likely to find the offending stuff and remove it?

I think people should be aware of this particular scam, because from where I'm sitting the fake Cahoot bank site is absolutely undetectable from the real site, and as soon as anyone logs-in there is apparently absolutely no way to stop this scam from taking your password and emptying your bank account!! ...

... and presumably they can do exactly the same with any/every on-line bank website, ie it seems all on-line banks are suddenly wide open with no protection at all ...

... which to me seems a rather serious situation?

I'd be really grateful for any other suggestions (apart from changing to a non-online bank)??

Many thanks.

  onthelimit 18:19 25 Feb 11

The hosts file is a good place to start. Why not post what's in there and an expert such as mgmcc could advise.

Worth running the free Malwarebytes as a precaution. click here

I've never paid for antivirus and suffer no more problems than those that do.

  lotvic 19:06 25 Feb 11

So that I could do the 'mark hosts file as read only' in Properties after I had checked contents I've just browsed to C:\WINDOWS\system32\drivers\etc and rightclicked on 'hosts' and 'open' and chose Notepad

this is all that is in mine:
-------------------------
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
------------------------

so that means I have only one entry in my hosts file 127.0.0.1 which is the pc (it will be the same on everyone's pc)
127.0.0.1 localhost

If you have more entries than that one, unless you have put extra entries there yourself, a rogue program has done it. So all others can be deleted, then in Properties mark the file as 'read only' to prevent any more being added.

  rdave13 19:30 25 Feb 11

You can reset the hosts files to default here; click here ,
though, I have many from Spybot Search and Destroy.

  mgmcc 21:30 25 Feb 11

>>> thanks for the suggestion to look in the Hosts
>>> file ... I tried to do that, but I don't really
>>> know what I'm looking for

What you're looking for is an IP address (the group of four numbers) followed by the URL (website address) of your bank.

If this is present, it means that when you enter the correct address for your bank, the request is re-directed to the rogue site which has the IP address listed.

To let you understand, when you type in, for example, the address for google.uk a DNS server will convert that address to the site's actual IP address of 74.125.230.146, but an entry in the Hosts file could re-direct requests for Google to a site with a completely different IP address.

Copy 74.125.230.146 into the address bar of your browser and it will open Google's page.
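
Added example, not part of the original thread: a small Python check that reads hosts-file text and labels each active line, so a line that forces a hostname to an outside IP address (the kind of entry described above) stands out from the stock localhost lines. The sample file, `bank.example` and `203.0.113.50` are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file, not taken from the thread. bank.example and
# 203.0.113.50 are placeholders from ranges reserved for documentation.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
::1 localhost
203.0.113.50 www.bank.example bank.example # constructed rogue entry
0.0.0.0 ads.tracker.example
not-an-ip something.example
"""

def parse_hosts(text):
    """Return (line_no, ip_text, hostnames) for each active, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if fields:
            entries.append((line_no, fields[0], fields[1:]))
    return entries

def classify(ip_text, names):
    """Label one entry as default, blocklist, redirect or malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if not names:
        return "malformed"
    if ip.is_loopback and all(n.lower() == "localhost" for n in names):
        return "default"    # the stock 127.0.0.1 / ::1 localhost lines
    if ip.is_loopback or ip.is_unspecified:
        return "blocklist"  # name pointed at this machine or at no address
    return "redirect"       # name is forced to an outside IP: review this line

def audit(text):
    """Classify every active entry in the hosts file text."""
    return [(n, ip, names, classify(ip, names)) for n, ip, names in parse_hosts(text)]

def needs_review(text):
    """Entries a user should check by hand: redirects and unparseable lines."""
    return [e for e in audit(text) if e[3] in ("redirect", "malformed")]

if __name__ == "__main__":
    # To check a real machine, read C:\Windows\System32\Drivers\etc\hosts instead.
    for line_no, ip, names, label in audit(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {' '.join(names)} [{label}]")
```

A file that contains only the two localhost lines produces an empty `needs_review` list, which means the redirection is coming from somewhere other than the hosts file.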

  Snrub 21:39 25 Feb 11

I use Trusteer Rapport as suggested by my bank to prevent re-directions and keylogging/keystrokes activity. It seems to work well and gives a weekly report of suspicious activity.

  lotvic 21:56 25 Feb 11

I also use Trusteer Rapport as suggested by my bank, it was free from bank website (hsbc) and you can use it for any website, not just the banks.

  IanS1 17:01 26 Feb 11

OK, thanks guys ... well, this is all that's in my Hosts file -

------------------------------
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

-----------------------------------------



Presumably that looks OK? (except maybe the very last line?).

I downloaded the latest version of Spybot and ran that ... it finished with "congratulations, no threats detected!".

Does the above mean that the offending rogue stuff is particularly well hidden somewhere?

Will Trusteer Rapport help me in my current position? Or is it only any use if installed BEFORE the rogue re-directing stuff has infected my laptop?

OK, what now ... any other ideas? ... I don't know what to do otherwise ... if I can't remove the rogue files then it means I dare not try to access my Cahoot bank account from my PC/laptop?
:-((

This thread is now locked and can not be replied to.
