Browser hijacked at a bank

The Network: A holding company that provides commercial and consumer banking. Their IT team is supplemented by SIEMphonic, EventTracker’s co-managed security solution.

The Expectation: Robust, up-to-date prevention mechanisms (anti-virus, next-gen firewall) thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary. Employees have been trained and can be counted on to make good decisions.

The Catch: EventTracker analysts observed a desktop user's Internet Explorer process (iexplore.exe) launch an executable named FromDocToPDF.2631f7c9f8f84cb497cd6a4015c9ddaa.exe. A browser acting as the parent process of a newly downloaded .exe is exactly the kind of parent-child relationship that warrants a closer look, and it was the first sign that something had gone wrong.
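The detection that surfaced this case is a parent-child process rule: a browser spawning an executable that lives outside the normal program directories. The following Python is an added example, not EventTracker's or SIEMphonic's own rule logic, that runs that check over a handful of constructed Sysmon Event ID 1 style records (the log lines, the BANK\jdoe user and the trusted-directory list are assumptions for illustration; only the FromDocToPDF executable name comes from the page). It also flags the 32-hex-character token embedded in that executable's name, a weak but useful secondary signal.

```python
import re

# Browser processes whose children deserve scrutiny (assumed list).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Directories from which a browser may legitimately launch helper programs
# (PDF readers, media players). Anything else is user-writable and suspicious.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# The observed adware name ends in ".<32 hex chars>.exe"; treat that pattern as a
# secondary indicator rather than a rule on its own.
HEX_TOKEN = re.compile(r"\.[0-9a-f]{32}\.exe$", re.IGNORECASE)

# Constructed sample records, flattened to key=value fields separated by '|'.
# These are illustrative, not logs captured from the incident.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|ParentImage=C:\\Windows\\explorer.exe|User=BANK\\jdoe
Image=C:\\Users\\jdoe\\Downloads\\FromDocToPDF.2631f7c9f8f84cb497cd6a4015c9ddaa.exe|ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe|User=BANK\\jdoe
Image=C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe|ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe|User=BANK\\jdoe
Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.tmp.exe|ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=BANK\\jdoe
Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|User=BANK\\jdoe
"""


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return an alert dict for a suspicious browser child process, else None."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if basename(parent) not in BROWSERS:
        return None
    reasons = []
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("executable outside trusted program directories")
    if HEX_TOKEN.search(image):
        reasons.append("32-hex-character token in executable name")
    if not reasons:
        return None
    return {
        "user": event.get("User", ""),
        "parent": basename(parent),
        "image": image,
        "reasons": reasons,
    }


def scan(log_text):
    """Run the rule over every non-empty record and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['parent']} -> {alert['image']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The Acrobat Reader record is deliberately included so that the rule does not fire on every browser child: helper applications installed under Program Files are the normal case, and a rule that alerts on them would be tuned out within a week. The Downloads and Temp cases are the ones an analyst should see.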

The Find: This adware hijacks the browser. It changes the homepage to http://home.tb.ask.com, replaces the browser's default search provider with Ask.com, and installs a toolbar that serves unwanted and potentially malicious advertising each time the browser is opened. The user had been reading an article and thought that clicking the link would let her print it; instead she installed this adware. The IT team followed the instructions here to remove the adware toolbar.

The Lesson: A reminder to us all to be aware: things aren't always as they seem, and a "print this article" link can be an installer. Training reduces clicks like this one but does not eliminate them, which is why process-level monitoring has to back it up.