Security reporter suspects phishing attack; turns out it's a lot of Skype

How did an ATM withdrawal in Illinois show up as activity in the U.K.?

Last Friday, while doing some online banking, I noticed two transactions I'd made recently, one a withdrawal and the other a deposit. The transaction amounts were accurate, and so were the dates. The records even referenced a phone number -- complete with a hyperlink -- that I could click on to make a Skype call to that number.

The only problem was that the records stated that the transactions had taken place in the United Kingdom. I haven't been to the U.K. In fact, both transactions were made at the same Chase ATM in a Dominick's store in Oswego, Ill.

I called Chase customer service and explained the situation to a customer service rep, who was equally puzzled about what was going on. She accessed my account and assured me she didn't see the U.K. references I could see on my computer. She asked me for a screenshot, which I e-mailed to her so she could verify what was going on. After taking a look at my screen grab, she expressed bafflement, urged me not to click on any links on my screen and transferred me to another rep. He, too, was unable to explain what was going on, but he assured me that my account didn't appear to be compromised. He told me to change my username and password, offered to cancel my debit card if I wanted to and gave me his direct line in case I noticed anything else weird.

Changing my username and password made no difference. Then, I did a little checking -- and found that the only time the transactions showed up weirdly was when I used Internet Explorer 7. The screen sort of briefly flickered after I'd logged in and a number with a +44 country code for Great Britain and a hyperlinked "Call" appeared under each of the two transactions.

When I logged in with Firefox, the transactions looked just like every other record, showing the date, the kind of transaction (ATM withdrawal or deposit or point-of-sale debit) and a reference number. I accessed the account from another computer, first using IE6 and then Firefox, and everything appeared to be in order.

By now, I was thinking maybe the first computer had been infected by a nasty Trojan exploiting an IE7 vulnerability to inject its own code into the bank's traffic and display it on my browser. I also wondered how a seemingly secure banking transaction at one of the largest banks in the U.S. could be co-opted this way. No doubt, with more and more people scrutinizing their online accounts in the wake of a rash of data breaches, I'm not alone in trying to spot anomalies.

Unlike most people, however, I'm regularly in touch with security researchers, so I called several and explained my plight. Their guess: My computer might have indeed been compromised; what I was seeing could well be a classic man-in-the-middle attack or a phishing handoff.

Don Jackson, a security researcher at Atlanta-based SecureWorks Inc., told me that several Trojans are floating around online that do just what I had described. The attacks usually target IE. Such Trojans usually hook into browser and network code, then install themselves as a browser helper object or as a layered service provider that intercepts network traffic -- even traffic protected by SSL encryption, he said. The Trojans are programmed to do a "find and replace" function for certain transaction details such as destination routing and account numbers. Sources are often changed to hide the activity from the victim or to defeat back-end fraud-detection mechanisms.

"Often, these find-and-replace functions are custom-coded modules that are developed by the bad guys and downloaded to an existing Trojan infection," Jackson said. The Trojans are designed to capture logs and to reverse-engineer the transaction used by a bank's online applications to find out what data to change to funnel money to themselves. One example of this kind of a Trojan is Torpig, which has mainly targeted customers of European banks but has started to take aim at U.S. bank customers. Another example is called Sinowall.

None of the researchers had a chance to inspect my system; their theories were based solely on my explanation of what had happened.

I would have accepted these explanations had it not been for Joe Stewart, another security researcher at SecureWorks. After listening to me, he quickly surmised that my problem had nothing to do with a Trojan but rather with my use of Skype's free Internet telephony software. According to Stewart, the problem was the result of my Skype application seeing those transaction numbers in the online bank statement, assuming them to be phone numbers and adding hyperlinks to them. That's what Skype does. When it comes across a number that looks like a telephone number, it automatically provides a hyperlink to it that allows people to simply click on the number and make a Skype call, he said.

"Skype intercepts the HTML before it is actually displayed on the browser and then changes the HTML dynamically" to add the link, Stewart said. That can sometimes create confusion, he added. "I have heard of other people not knowing why a particular link was highlighted on a Web page when the Web page owners themselves had not highlighted it," he said.

"Unfortunately, Skype doesn't have a lot of logic in it that can always figure out when something is a phone number and when something might be an account number," Stewart said. "Skype is just guessing and trying to be intelligent."

To test this explanation, I uninstalled Skype from my computer, restarted it and then logged into my bank account using IE7. The problem was gone. There were no more links to numbers in the U.K., just a routine transaction reference number. It looks like Stewart was right.

I reinstalled Skype on my machine, but the problem never came back. I even installed IE7 on my other computer -- along with the latest version of Skype -- to see if the U.K. connection showed up again. Nothing. And even with plenty of numbers that Skype could have misinterpreted as phone numbers, it hasn't done so. I tried without success to reach Skype officials for comment or explanation. For the moment, I'm assuming there's no nasty Trojan stealing my confidential data and sending it to some server in Eastern Europe.

In the meantime, I wonder how many banks and other organizations are getting similar calls from customers about mysterious phone numbers showing up on their online statements and in other records. I also wonder how much time and money it's costing these organizations to deal with any such calls. The Chase employees, for instance, spent at least 30 minutes handling my first call, and at the end of it, they still had no clue what was going on. They've heard no reports of similar issues.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon