Now I'll describe my saga with the theft of my gold.
Yesterday morning I decided to check my balance. I logged in through IE6 (woe is me) and saw that the money was there. I click the History icon, and it shows me that I am supposedly transferring funds to the account Marius-e-gold. Since I was doing this for the first time, a confirmation window came up. After that everything happened by itself without my participation. In the end, the balance is 0.
I immediately wrote to e-gold support about this.
Today I got a reply from them; it says:
[email protected]:
If your account was compromised while AccSent was enabled, there is a high probability that you either have a security hole in your computer, which allowed hackers to take control of your computer, or you have a Trojan virus, spyware or keylogger software installed on your computer, because someone not only had access to your e-gold passphrase, they also had access to your email address password. AccSent monitors account access attempts and issues a one-time PIN challenge to those coming from IP address ranges or browsers that differ from the last authorized account access. Your account was accessed from remoteip '*.*.*.*' (from my IP address) and a PIN was sent to the email address on the account. The person logged into your email account and retrieved the PIN, accessed your e-gold account and made an unauthorized spend from the account.
Until you remove the malicious software from your computer, your account is still vulnerable. Your email account has also been compromised, so it is important that you change the password for your account after your computer is cleaned. If the malicious software is still on your computer, someone is able to read your emails, delete your emails or send emails from your account.
The only other way your account could have been compromised is if you received a phishing email with a link for you to click on to access your account. If you clicked on the link and went to a fake e-gold site and entered your e-gold account information along with your email account information, your account could have been compromised without malicious software being installed on your computer.
Have you received any emails within the past few weeks, which appeared to come from e-gold requesting that you log into your account? Did the email contain a link or an attachment? Did you attempt to open the attachment?
Did you click on the link or attempt to access your account from a link in this email?
Have you run a complete virus scan of all computers used to access your account with updated anti-virus software? You should also check your computer for Spyware and Trojan keyloggers. Some people mistakenly assume that anti-virus software protects them from keyloggers and Spyware. Most anti-virus software does not adequately check for keyloggers and Spyware.
If you have checked all the computers used to access your account with only anti-virus software, we strongly recommend you use software that specifically checks for Spyware and keyloggers.
There are Trojan keyloggers that monitor Internet Explorer windows until a user visits the e-gold login page: e-gold.com/acct/login.html. Once the user is logged in, the Trojan opens a hidden Internet Explorer window in which it accesses the user's account balance: e-gold.com/acct/balance.asp.
After ascertaining the value of the user's account, it attempts to transfer their funds to another account using the hidden window.
Most viruses are conveyed by spammed e-mail in the form of HTML messages.
The scripts run on viewing, no clicking on attachments is necessary. They may also arrive as image attachments. Once the image is viewed, the program is executed. Either way, the system is now infected and is just waiting for you to check your e-gold account balance.
You can protect yourself by:
* Using another browser instead of Internet Explorer (IE). Firefox by Mozilla is an excellent choice. You can visit www.mozilla.org for more information.
* Do Not auto-preview incoming e-mail.
* Do Not open obvious spam.
* Do run a full virus scan regularly.
As of today we know specifically of 11 viruses that could cause a problem similar to the one you are having.
1. Win32/Goldun.ia (One customer said he did not find anything when he ran Norton and McAfee anti-virus software, but he found the Win32/Goldun.ia Trojan when he used a software called 'Kaspersky')
2. T SPY_HAXDORY (A customer who was receiving the fake login confirmation page located a virus with Trend Micro Housecall identified as T SPY_HAXDORY. Removing this seemed to solve the problem without having to reinstall windows.)
3. TROJ_GOLDUN.DO which has a file named CPU.EXE found in the c:\windows directory. This was found with Trend Micro's PC-cillin.
4. cpu.exe (Aladinz.l Trojan); more information regarding this virus can be found at https://www.auditmypc.com/process/cpu.asp
5. GDIWXP.DLL (this is not found using a regular virus scan).
6. pwsteal.trojan
7. TSPY_GOLDUN.AR A customer was able to locate this using Trend Micro Housecall (it was missed by Symantec).
8. There is on one computer a program named mssync20.exe, which copies itself into the windows\system32 directory. This is a rootkit which is only detectable by its activity with antivirus programs; the one I use is Kaspersky antivirus. It is called a rootkit on the internet, and I have detected it with some anti-rootkits; the best for me was Iceword. I had to remove it manually in safe mode in Windows and by searching the registry keys (more than 15).
9. There is on one computer a program named mssync20.exe, which copies itself into the windows\system32 directory.
10. Win32/Small.NCC Trojan
11. Spy.Guldun.ML
We investigated and placed a block on account # 3767766 to prevent it from receiving additional funds. Unfortunately we will not be able to refund your money because all e-gold spends are final and not reversible, as stated in the e-gold account user agreement. e-gold is also contractually prohibited from freezing e-gold accounts or releasing e-gold account information in the absence of a court order or subpoena. You might want to consider obtaining some combination of help from a legal professional or law enforcement to obtain a court order, if the size of your loss warrants expenditure of your resources (time and money) to resolve.
The court order/subpoena should be presented by postal mail to:
e-gold, Ltd.
c/o Andrew S. Ittleman, Esq.
1001 Brickell Bay Drive
Suite 2002
Miami, FL 33131
If you are able to receive the records electronically please specify the appropriate email address the records should be emailed to. Please allow a minimum of 2 weeks for the production of any e-gold records.
In order to ensure you get all pertinent information when issuing the court order or subpoena to e-gold Ltd please:
- Ask for e-gold account profile information for account number # 3767766
- Ask for transaction history information for account number # 3767766
- Ask for information on any other accounts owned or controlled by the individual
- Ask for counteraccount_id profile information. This is the account profile information for any accounts that made payments into or received payments from the subpoenaed account
- If applicable, ask for stabilization of the funds in question "freezing of the account if the funds are still under the control of the perpetrator"
Thank You,
e-gold Service 1
So that's how it is. After that I ran NOD; it found nothing. I ran CureIt from Dr.Web; it found, in 4 places, the Trojan that stole the money.
Now I log into e-gold through Firefox, and I have changed all my passwords.
Also, I received another email with a PIN code, supposedly sent by e-gold at my request. By the IP address, it's Denver. So the Trojan is from the Americans.
That's the story.
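To make concrete what the support email says about AccSent (a one-time PIN challenge when the IP range or browser differs from the last authorized access, with the PIN delivered to the account's email) and why it did not help here, the following is an added model of that check. It is not e-gold's code and not part of the original post; the "same /24 network" rule for an IP range, the in-memory mailbox, and all IP and browser values are constructed assumptions.

```python
"""Model of an AccSent-style step-up check (added example, not e-gold's code).
A PIN challenge is issued when the IP range or browser differs from the last
authorized access. The /24 range rule and the in-memory mailbox are assumptions."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    last_ip: str                      # IP of the last authorized access
    last_browser: str                 # browser string of the last authorized access
    mailbox: List[str] = field(default_factory=list)  # where PIN emails land (constructed)
    pending_pin: Optional[str] = None


def same_range(ip_a: str, ip_b: str) -> bool:
    """Assumed approximation of 'same IP address range': same /24 network."""
    net_a = ipaddress.ip_network(f"{ip_a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/24", strict=False)
    return net_a == net_b


def login(acct: Account, ip: str, browser: str) -> str:
    """Return 'granted' or 'pin_challenge'. A challenge mails a one-time PIN."""
    if same_range(acct.last_ip, ip) and browser == acct.last_browser:
        return "granted"          # looks like the last authorized access: no step-up
    acct.pending_pin = f"{secrets.randbelow(10**6):06d}"
    acct.mailbox.append(f"Your e-gold PIN is {acct.pending_pin}")
    return "pin_challenge"


def answer_challenge(acct: Account, pin: str, ip: str, browser: str) -> str:
    """Compare the PIN in constant time; on success the new IP/browser become trusted.
    A production check would also cap the number of attempts per PIN."""
    if acct.pending_pin is None or not secrets.compare_digest(pin, acct.pending_pin):
        return "denied"
    acct.pending_pin = None
    acct.last_ip, acct.last_browser = ip, browser
    return "granted"


def read_pin_from_mailbox(acct: Account) -> str:
    """Whoever can read the mailbox, owner or intruder, gets the PIN."""
    return acct.mailbox[-1].rsplit(" ", 1)[1]


def demo() -> dict:
    """Walk through the three situations the support email describes."""
    acct = Account(last_ip="203.0.113.10", last_browser="MSIE 6.0")  # constructed
    results = {}
    # 1. Same IP range and same browser: no challenge at all. Malware that acts
    #    from the owner's own machine therefore never triggers this control.
    results["owner_same_pc"] = login(acct, "203.0.113.10", "MSIE 6.0")
    # 2. New IP range: a challenge is issued, and a wrong PIN is refused.
    results["new_ip"] = login(acct, "198.51.100.7", "MSIE 6.0")
    wrong = "000001" if acct.pending_pin == "000000" else "000000"
    results["wrong_pin"] = answer_challenge(acct, wrong, "198.51.100.7", "MSIE 6.0")
    # 3. An intruder who also controls the mailbox reads the PIN and passes,
    #    which is exactly the sequence the support email reconstructs.
    results["mailbox_compromised"] = answer_challenge(
        acct, read_pin_from_mailbox(acct), "198.51.100.7", "MSIE 6.0")
    results["trusted_ip_after"] = acct.last_ip
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model shows the two gaps the email points at: a step-up that keys only on IP range and browser is silent for anything running on the victim's own computer, and a PIN delivered to an email account that the same intruder already controls adds no independent factor. Cleaning the machine and changing the email password, as the support reply advises, are what restore the assumptions the control depends on.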