I’m having some trouble diagnosing a data breach I suffered this morning. I made an online purchase this morning and, soon after, got an SMS indicating that the purchase could not be completed. This turned out to be incorrect, and the number is verified to be a malicious one, with several reports to the local police. Nevertheless, the info they had was correct (i.e. quantity, item, price, phone number, etc.), so at this point I know that whoever the attacker is, they know what I purchased and when. So, considering that the transaction was done over HTTPS, I only have three possible points of attack:
1. The seller’s site (database, server, etc.)
2. My banking portal (someone went in and is monitoring my activity)
3. My openSUSE Tumbleweed laptop, from which I made the purchase.
So, I suspect that the attacker got the information either from my browser or from a keylogger. In my browser (Firefox) I only have the uBlock Origin and Plasma Integration plugins activated, so I doubt that the problem is in these.
I have run rkhunter and found a couple of issues in some temporary files (specifically Linux.Xor.DDoS in two sqlite files), and I’m not sure whether they are false positives. A couple of days ago I checked the filesystem with clamav with no results (before the breach).
Is there any way to detect whether a keylogger is running on my system? Or to detect whether there is malware in some hidden plugin in my browser?
Best regards!
TL;DR: Is there any way to detect whether a keylogger is running on my system? Or to detect whether there is malware in some hidden plugin in my browser?
Aside from system “best practice” like updating your machine frequently:
1. Keyloggers
Keyloggers come in physical and software versions. To detect a hardware keylogger, inspect the back of your computer and USB ports for anything strange that might be inserted (assuming a hacker wouldn’t have physical access to your hardware, else you’ll have to open up the case). It is also often a device between the computer and the keyboard (no security for that connection compared to every other way).
Software is more difficult because keyboard I/O is generally trusted by the application and not inspected by the system.
2. If your banking system has been compromised, the bank will probably know about it before you will, because more than likely you won’t be the only one seeing suspicious activity. Ask your bank if they’re aware of any issues with the merchant; typically merchants need to be vetted to receive funds from your bank, and there is the bank’s self-interest… Typical terms & conditions for transactions protect the customer (you) for a certain length of time if you report problems promptly (but read the fine print).
3. The Firefox application can be a possible attack vector.
But, that’s why you need to get on top of your web applications.
Remove unnecessary plugins, add-ons, extensions, etc.
Install multiple web browsers and use each one of them only for specific purposes, so that tracking cookies only see a small part of your browsing activity. This is because it’s vastly easier for a hacker to compromise your use of the application than your system. The much-publicized phishing attack is one example, but there are many other examples where personal information and maybe even access to services are lost. Typically people allow automatic logins and use the same password for multiple purposes.
Passwords are stolen and lost through negligence plenty of times, and it only takes one time plus that info getting into the wrong hands for you to suffer a loss of some type. Make your password “strong” and “uncommon.” If you don’t know what this means, or want a recommendation, you should ask if you cannot find something you feel comfortable with on your own.
Don’t blab about anything you want to keep only to yourself. Innocent emails, social media posts or lists lying around that can be easily seen are mistakes you can easily avoid, but it requires vigilance.
Similar to using multiple web browsers, you can use virtual machines like VirtualBox to isolate special activities from everything else you do.
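The reply above says software keyloggers are hard to spot because keyboard I/O is trusted. One concrete check a defender can still make on a Linux desktop such as openSUSE Tumbleweed is to ask which processes hold an open file descriptor on the evdev devices (/dev/input/event*), since a user-space keylogger that reads raw keystrokes has to open one of them. The script below is an added example, not code from either poster; it walks /proc (or a directory passed as an argument, so it can be run against a test tree) and prints the pid, command name and device for every such reader. The function name find_input_readers and the --scan flag are my own choices.

```shell
#!/bin/sh
# find_input_readers PROC_ROOT
#   List processes holding an open fd on /dev/input/event* (the evdev
#   interface a user-space keylogger reads). PROC_ROOT defaults to /proc;
#   pass another directory to scan a constructed test tree instead.
find_input_readers() {
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Skip the literal glob pattern (no match) and non-symlink entries.
        [ -L "$fd" ] || continue
        # readlink prints the link target even if the target does not exist.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/input/event*)
                # Extract the pid from ".../<pid>/fd/<n>".
                pid=${fd#"$proc_root"/}
                pid=${pid%%/*}
                comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# Stand-alone use: sudo sh find_input_readers.sh --scan
# (root is needed to read other users' /proc/<pid>/fd directories).
if [ "${1:-}" = "--scan" ]; then
    find_input_readers
fi
```

On a normal desktop the readers you expect to see are the display server (Xorg or kwin_wayland/Xwayland), systemd-logind and possibly a power or gesture daemon; anything else deserves a look with ps and ls -l /proc/PID/exe. Two caveats: on an X11 session a process can also capture keystrokes through the X server itself without ever opening /dev/input, so an empty list is not proof of a clean machine, and a kernel-level keylogger would not appear here at all. Comparing the output against the list of packages that legitimately own those binaries (rpm -qf /proc/PID/exe) is a useful second step.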
Thanks very much for the reply! That is quite informative
As for the hardware keylogger, I am pretty sure it won’t be a problem since I’ve been working from home for the last five months. So far I have verified that the data breach is most likely on my banking account (it is the only place they could get my phone + purchase history). Either that or there are some Big Data algorithms crossing what I type + what is available about me online… or some physical guy actually filling a database, which I think would be highly unproductive work, so I discard it.
Anyhow, I’ll be following your advice; I hadn’t really thought about the benefits of browser diversification or that use of VMs, but they are very good ideas.