Bank Informed Might Have Trojan Panic Ran Run Me First.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by huntin, Jun 5, 2019.

  1. huntin

    huntin Private E-2

    Hi, yeah, running Windows 7 networked with a lot of Windows 10 machines. The bank has informed me they've detected a trojan, and another of my bank transactions has been edited/changed to be something else. Triple checking the system; might be a steelwerks infestation, not sure what that is, but the warning has been scaring me since I found you guys years ago. I am worried, let me know how worried I should be.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your MGLogs is a month old. Please run the scan again so that I can see what is current. How were you contacted? Did your bank call you and did you confirm it was your bank?
     
  3. huntin

    huntin Private E-2

    It is almost definitely not a month old. I haven't run it on this computer for quite a while since yesterday.
     
  4. huntin

    huntin Private E-2

    It's using my default for dates dd/mm/yy.
     
  5. huntin

    huntin Private E-2

    I guess I will run it again and have my dates in a format that makes them easier to understand. Sorry for confusing you.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...this would be confusing - Scan saved at 4:38:36 PM, on 5/06/2019
    I will relook in the morning.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your logs. Again, who told you that your system was infected?

    Please go here > https://www.zemana.com/Download
    Their program is no longer free, but you can use the demo version for this cleaning.

    It auto-updates, and you click Scan. After it's finished, click on the icon that looks like cell phone strength bars. Highlight the report (by the date the log was produced) and click on the "Open Report" icon (looks like a folder). That notepad .txt can then be copied/pasted into another .txt doc and saved. Upload that, please.
     
  8. huntin

    huntin Private E-2

    I've had a single bank transaction of a rather large sum have the destination change dramatically, bank and destination. A different bank I deal with said they detected some kind of trojan and wanted me to add in third-party checks before I could check my statements with them, and I had the "steelwerks" box pop up when running MGTools, where you specifically mention not to press "cancel" but instead to press "close window". I'm most worried about the transaction destination change, and I've contacted my bank about the transaction, and that's the only thing I'm sure isn't correct.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know what that is....nor have you explained the transaction. How was it done? What did the "other" bank say about what they detected? So far, I am not seeing any malware.

    I also need you to delete all your temp files!!
     
    Last edited: Jun 6, 2019
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ANNIE...stay out of this thread. Last and only warning!
     
  11. huntin

    huntin Private E-2

    1/
    MGtools.exe runs a cmd prompt and runs about a million cleaning systems, finalizes all, and writes about forty logs.

    While MGtools.exe is running, there is a warning that comes up:

    ********************************WARNING****************************************
    If you see a popup saying that
    SteelWerX WhoAmI application has stopped working

    do not click the cancel button that first appears. Wait for the Close button to appear and click it to continue
    *******************************WARNING*****************************************

    I had this "popup" actually come up. I waited, I saw the "cancel" button, I waited, I saw the "close program" button. I clicked it.

    So, I think, I must have a SteelWerX WhoAmI infection which, maybe, MGtools.exe has fixed, maybe not.

    2/
    I will delete all my temp files.


    3/ timeline
    Okay, the transaction. User logged into bank using username, password and dongle.
    User organised a $10,000 transaction from a particular account, bank 1, to another account, bank 2. Saved bank details used. Dongle used.

    Bank 1's (Suncorp) web portal has the ability to edit destination details after the destination is selected.

    Bank 2 (ANZ) details completely changed (how is this possible??).

    Bank 3 (CBA) details put in, bank 3 account. Completely different BSB and account details (still same country).

    This incorrect transaction was only realized 7 days later, it turns out.

    The text details on the transfer were "ANZ account".

    Two weeks ago.


    1 week after this transaction, user tried to log into ANZ accounts using the same PC. No idea about the fraudulent transaction, no worries about anything.

    ANZ reports: possibly fraudulent connection, you need to install 3rd party software to log into our accounts now.

    User freaks out, installs ANZ proprietary software re a phone conversation and an email.


    I have tried to condense the email neatly and failed. I believe ANZ has this proprietary software available; I don't think it's malware.
    ============================================================================
    Dear [Users name in full],

    Following on from our conversation, we recommend that you install IBM/Trusteer Rapport on your workstation. We are confident that this program will identify the malware that has infected your machine.

    Please note: Trusteer Rapport should not be used to replace your antivirus program.

    Install Trusteer Rapport
    IBM/Trusteer may be downloaded by pasting below link in the browser:
    www.anz.com/securitysoftware
    • Click Download Links (top right of screen)
    • Select ANZ Bank
    • Click download on the correct Operating System

    • For technical support to install Rapport paste below link in the browser:
    http://www.trusteer.com/support
    Confirm installation
    Go to: Start->All Programs->Trusteer EndPoint Protection-> Trusteer EndPoint Protection Console
    If you can see above shortcuts on your workstation and the Trusteer console opens up successfully, it means that Rapport has been installed on the workstation.
    Obtain Trusteer Rapport ID
    Open the Trusteer EndPoint Protection Console
    In the Product Settings then click on more settings
    Click on the Copy Trusteer EndPoint Protection ID button, then reply to this email by pasting the information on the email.

    Call ANZ
    Once Rapport has been installed, please call our ANZ Internet Banking team on 133350 (24/7) or for ANZ Internet Banking for Business call 1800 269 242 (8AM-8PM AEST Monday-Friday) to have your Internet Banking access reinstated.
    Kind regards,
    James Munday | ANZ | Digital Fraud Case Officer | Digital Fraud | Customer Protection
    Level 5A, 833 Collins Street, Docklands 3008, Australia | P: +61 3 8655 3023 | www.anz.com

    ====================================================================================
    After the conversation and installing the software for accessing ANZ accounts, the customer realized the $10,000 transaction had gone awry, and called up the bank manager at Suncorp.

    Suncorp had no idea about this transaction or any problem. They are chasing it up now with CBA.
     
    Last edited: Jun 7, 2019
  12. huntin

    huntin Private E-2

    I understand the previous reply may be a bit confusing. I can condense any parts that do not make sense if required.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The notice when running MGTools is normal and safe. Do you still have the log from running Trusteer? I have not found any malware. What dongle? Is your WiFi dead on your computer and you are using a USB WiFi dongle? If so, where did that come from?
     
  14. huntin

    huntin Private E-2

    The dongle is a piece of hardware issued by Suncorp that shows a new code every 30 seconds that is needed to log in and to do transactions.

    I will find the log from Trusteer. I'm not back there until next Wednesday.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ah...good to know. I am afraid that whatever happened, there may no longer be any evidence of it.
     
