LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-21-2012, 09:20 AM   #1
ivanmacx
Member
 
Registered: Apr 2006
Location: Cambridge, UK
Distribution: Ubuntu Jaunty
Posts: 45

Rep: Reputation: 16
Online banking details stolen. Help to diagnose/fix any vulnerabilities


I have just had my online banking details stolen. My bank called to say that someone had just tried to send £5k from my account to an account in Africa. As I was not in the habit of doing this, they stopped it and blocked my account, thankfully. However the culprits have my online banking passwords. These are not written down anywhere, and so it seems the only way they can have got them is by intercepting them when I've logged in previously.

I have two computers, one at work and one at home, both running Ubuntu 11.10. I've never had any security problems in the past, so I'm a little unnerved, and I don't know how to go about checking them for any malicious software, rootkits, browser vulnerabilities or anything else I might consider.

I have updated everything to current versions (I tend to do that daily anyway), and installed AVG anti-virus, scanned and found nothing. I did a netstat to look for suspicious activity and installed Wireshark to see what was going on, but to be honest I've found nothing interesting, and I'm not entirely sure what to look for.

The only other possibility, at work, is that someone else's computer on the network is infected (I'm the only Linux user, everyone else is Windows or Mac) and is somehow intercepting web traffic. Given that my bank uses an https: connection, though, it doesn't seem like this would work.

If anyone can give me any suggestions as to things to check or install, I would be very grateful.
 
Old 02-21-2012, 09:43 AM   #2
uhelp
Member
 
Registered: Nov 2011
Location: Germany, Bavaria, Nueremberg area
Distribution: openSUSE, Debian, LFS
Posts: 205

Rep: Reputation: 43
Why do you think the problem lies on your side?
Usually the bank itself is compromised.
And receiving the first clue from the bank indicates that they have trouble, IMHO.

To give concise advice one should know at least what kind of services both machines offer and how they connect to each other.

Your question is too unspecific, so the proper answer would be: read all available books regarding computer security.
Describe also precisely how both machines interact with your bank.
 
Old 02-21-2012, 10:00 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
One of the advantages of Ubuntu is that it is pretty aggressive about keeping applications reasonably up to date. While it is possible for you to have been compromised and obtained a program such as a key logger that could have stolen your password, there is a much greater probability of a low tech problem. Similarly, unless you have been running server applications, the likelihood of you being compromised and this being the root cause of the problem is rather low.

For example, possibilities to investigate:

1) did you perhaps go to a counterfeit site accidentally and enter your password credentials? This may not be as difficult as you might initially think, as someone could have squatted on a URL that is off by a character.
2) do you have confirmation that this activity was done through the website using your login credentials? Banks are notoriously insecure when it is in their interests. Think, for example, of electronic transfers and bill pay and how you can give almost anyone the ability to withdraw money from your account. Could this have been a form of "wire" transfer? Your bank should be able to tell you the mechanism employed.
3) you mention this being a work computer and by extension I assume you access your bank from work. If this is the case could someone have spied you typing in your password, even remotely like via a security camera?
4) How good is your password / pass phrase? Could this have simply been a brute force guessing compromise?
5) Is there the possibility of a form of MITM attack with a counterfeit browser certificate or could someone on the network have used an application like sslstrip to fool you?

If evidence, or lack thereof, is driving your conclusion that your PC must have been compromised by malware, the old but still useful CERT Intruder Detection checklist will provide you with the steps of things to look for. Being a desktop/laptop application, you have probably also rebooted and logged in and out many times, which will make forensic detection more difficult, but you should carefully examine your log files for signs of intrusion, look for any hidden files, and any modified system files. Again, my base suspicion is that a compromise of your Ubuntu PC was probably NOT the cause of your stolen credentials, as there are other more probable means.
 
3 members found this post helpful.
Old 02-21-2012, 10:32 AM   #4
ivanmacx
Member
 
Registered: Apr 2006
Location: Cambridge, UK
Distribution: Ubuntu Jaunty
Posts: 45

Original Poster
Rep: Reputation: 16
Thank you both for your replies. Of course I'm not certain that the problem lies at my end, but I want to make absolutely certain that's not the case as the stakes are pretty high.

To deal with the various possibilities that Noway2 suggested:

1) Counterfeit site? Possible, but I've never had a failed login, every time I've logged in I have accessed my bank details. I suppose it could have been a MITM. Can anyone suggest anything (browser add-on for example) which could catch a website masquerading as another site?
2) Yes the bank have confirmed that three logins were made using my credentials today. I haven't logged in today.
3) Overlooked at work isn't possible. A tiny office with two people and no cameras.
4) Brute force. Yes, possible. I will improve my passwords. They aren't bad, proper noun and numbers, but could be stronger.
5) MITM? Possible. SSLStrip? Also possible I'm sure, but I don't know what it is. I will research.

My main concern is a keylogger (for example) on my machine. I know it's unlikely on Ubuntu, but any insight anyone could give would be very welcome.

My bank only requires me to enter 3 characters of my password each time, out of a password which is over 10 chars. The thieves have logged in three times with no failed logins, which implies they have my whole password. Either it's been compromised at the bank end somehow, or they've observed multiple logins at my end and assembled the whole password from that.

Once again, I know it may not be my machines that are compromised, but I just want to make sure. Your input is much appreciated.
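The arithmetic behind the worry in post #4 about a partial-password prompt, added here as a worked example and not part of the thread. Assume (this is an assumption, the bank's actual scheme is not stated) that each login asks for $k$ positions chosen uniformly at random from a password of $n$ characters, and that an observer such as a keylogger sees every login. The number of logins $M$ until every position has been shown is a coupon-collector problem with batches of $k$ distinct coupons; by inclusion-exclusion over the sets of positions never shown,

$$
P(M \le m) \;=\; \sum_{j=0}^{n} (-1)^j \binom{n}{j} \left( \frac{\binom{n-j}{k}}{\binom{n}{k}} \right)^{m},
\qquad \binom{a}{k} = 0 \text{ for } a<k,\; 0^0 = 1 .
$$

Summing $P(M>m)$ over $m \ge 0$ gives the expected number of observed logins needed:

$$
E[M] \;=\; \sum_{j=1}^{n-k} (-1)^{j+1} \binom{n}{j} \frac{1}{1 - \binom{n-j}{k}/\binom{n}{k}}
\;+\; \sum_{j=n-k+1}^{n} (-1)^{j+1} \binom{n}{j} .
$$

For a round figure close to the setup described, $n=10$ and $k=3$, the first sum is approximately $45.05$ and the second is $-45 + 10 - 1 = -36$, so $E[M] \approx 9.05$: on average about nine observed logins expose the whole password, even though no single login reveals more than three characters. This is why a keylogger on the client, not a bank-side leak, is a sufficient explanation for three successful logins with the full password.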
 
Old 02-21-2012, 12:38 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
From the browser standpoint the best thing to do is verify the certificate when you are connecting to your bank and be sure you note the https. There are some tools and options you could use to force https for certain domains. See the following: http://dev.chromium.org/sts

One other possibility, though it gets somewhat remote is a vulnerability in flash or javascript. To increase your browser security you could use addons like noscript, ghostery, and adblock plus. These will improve your browsing experience and help reduce the vulnerability window.

If your bank allows it, I would recommend changing both your user access name and your password. They already have your username and could theoretically regain your password in a matter of time. Part of what bothers me about your situation is that I would think that if there were too many failure attempts to login that there would be an automatic "ban" of the IP put in place, even a temporary one, and if this were to continue you would have been notified before this latest incident.

As far as checking your system, the CERT checklist I provided above contains the necessary steps to audit. This will involve looking for hidden and modified files. You will want to see what system files have been modified and verify those against the package libraries. You should also look carefully at the output of the following commands (borrowed from a post by unSpawn) that will compile the data to be examined into a file for analysis:
Code:
( /bin/ps acxfwwwe 2>&1;
  /usr/sbin/lsof -Pwln 2>&1;
  /bin/ls -al /var/spool/cron 2>&1;
  /bin/netstat -anpe 2>&1;
  /usr/bin/lastlog 2>&1;
  /usr/bin/last 2>&1;
  /usr/bin/who -a 2>&1;
  /sbin/iptables -nvxL ) > /path/to/data.txt

Consider running your logs through logwatch to look for anomalous entries or go through them by hand, or by both.

Normally, I would not recommend this and I would most definitely recommend performing an investigation first, but given the severity of what is happening you may want to save your personal data off of this machine and perform a wipe and re-install. If you do decide to go this route, please perform the above investigation first and report back with any suspicious information that you need help with.
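Post #5 says to find which system files have been modified and verify them against the package records. On Ubuntu those records are dpkg's per-package .md5sums lists; the POSIX shell script below, an added example rather than unSpawn's command or anything else from the thread, checks each listed file against its recorded hash. The list file and root directory are parameters so it can be exercised on constructed sample files; the /var/lib/dpkg/info default is assumed from Debian's layout.

```shell
#!/bin/sh
# Added example, not the thread's code: check files against the md5 records
# dpkg keeps per installed package. On Debian/Ubuntu those records are
# /var/lib/dpkg/info/<package>.md5sums, one line per file:
#   <md5 hex>  <path relative to />
# Config files under /etc are tracked as conffiles and are NOT in these lists;
# paths containing spaces are not handled.

# verify_md5sums LISTFILE [ROOT]
# Prints a line per missing or modified file; returns 0 only if all match.
verify_md5sums() {
    list=$1
    root=${2:-/}
    bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue          # skip blank lines
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $rel"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# verify_all_packages [INFODIR] [ROOT]
# Runs the check for every *.md5sums list in INFODIR; returns 1 if any file
# differs. A hit is not proof of compromise (upgrades and local edits also
# change files), but every hit deserves a look.
verify_all_packages() {
    info=${1:-/var/lib/dpkg/info}
    root=${2:-/}
    status=0
    for list in "$info"/*.md5sums; do
        [ -f "$list" ] || continue
        verify_md5sums "$list" "$root" || status=1
    done
    return "$status"
}

# Usage when run directly: sh check_pkgs.sh --all > pkgcheck.txt
if [ "${1:-}" = "--all" ]; then
    verify_all_packages
fi
```

Run it as root so every listed file is readable, and compare the report against your package manager's upgrade history before treating a hit as evidence of tampering.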
 
Old 02-21-2012, 04:44 PM   #6
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2749
Quote:
My main concern is a keylogger (for example) on my machine. I know it's unlikely on Ubuntu, but any insight anyone could give would be very welcome.
How much do you trust your workmates? A hardware keylogger is a possibility, e.g. http://www.keyghost.com/USB-Keylogger.htm
 
Old 02-21-2012, 07:10 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Obviously, the first thing that you need to do ... and, I surmise, that you have already done ... is to call your bank. Once they are aware that your login credentials have been compromised, they can shut down all attempts to use them, and they can even reverse the transactions that were made ... because you assert that they are fraudulent.

In other words: don't panic. Sure, to you "it's money," but to your bank (and to all the other banks worldwide, including the crook's), it's merely transactions. If the transaction is alleged to be fraudulent, it can be "rolled back."

Last edited by sundialsvcs; 02-28-2012 at 09:12 AM.
 
Old 02-21-2012, 07:27 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,980

Rep: Reputation: 3624
Generally weak passwords / not changed coupled with compromised software on your side.

It could also be that the phone call is phishing but be sure to call them back to verify.

When you use banking online be sure to check security. Change your passwords often and use strong hacker resistant ones. Free online password generators may or may not be a good place either to use. Create your own.

Use live CDs maybe. Linux is not hacker proof.
 
  

