
Support Forum

My Firefox was hacked. How can I find out how?

I received an email that for all accounts, at first, seemed like it was only a phishing email. One problem. They sent it to a name/email combination that I ONLY used once-- with my Capital One Credit Card account. In the body they also cited our complete address (the one used for our Capital One account). I went to Capital One, and sure enough they had charged my card 3 times in the previous week. Capital One said they didn't hack my account with them. Mozilla Firefox is the ONLY browser I use with that account, so the only other possibility is Firefox.

HELP!

Additional System Details

Installed Plug-ins

  • Next Generation Java Plug-in 10.25.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Shockwave Flash 11.7 r700
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Google Update
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.7
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • iTunes Detector Plug-in
  • A plugin to detect whether the Adobe Application Manager is installed on this machine.
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • Password Genie scriptable plugin (npruntime)
  • 5.1.20125.0
  • NPWLPG
  • Zeon PDF Plugin For Mozilla

Application

  • Firefox 22.0
  • User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
  • Support URL: http://support.mozilla.org/1/firefox/22.0/WINNT/en-US/

Extensions

  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Adobe Acrobat - Create PDF 1.2 (web2pdfextension@web2pdf.adobedotcom) (Inactive)
  • Norton Toolbar 2013.4.1.2 ({2D3F3651-74B9-4795-BDEC-6DA2F431CB62}) (Inactive)
  • Norton Vulnerability Protection 11.3.0.9 - 5 ({BBDA0591-3099-440a-AA10-41764D9DB4DB}) (Inactive)
  • PasswordGenie Button Extension 4.0.20130416 (PasswordGenieButton@securitycoverage.com) (Inactive)
  • PasswordGenie Extension 4.0.20130416 (PasswordGenie@securitycoverage.com) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA GeForce GT 620
  • adapterDescription2:
  • adapterDeviceID: 0x1049
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 1023
  • adapterRAM2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.16433
  • driverDate: 3-14-2013
  • driverDate2:
  • driverVersion: 9.18.13.1422
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d'}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA GeForce GT 620)
  • windowLayerManagerType: Direct3D 10

Modified Preferences

  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 4
  • browser.startup.homepage: http://www.bing.com
  • browser.startup.homepage_override.buildID: 20130618035212
  • browser.startup.homepage_override.mstone: 22.0
  • extensions.lastAppVersion: 22.0
  • gfx.direct3d.last_used_feature_level_idx: 0
  • network.cookie.prefsMigrated: True
  • places.history.expiration.transient_current_max_pages: 104858
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • privacy.sanitize.migrateFx3Prefs: True

Misc

  • User JS: No
  • Accessibility: No
Andrew
  • Top 25 Contributor
  • Moderator
251 solutions 3018 answers

Sometimes a problem with Firefox may be a result of malware installed on your computer, that you may not be aware of.

You can try these free programs to scan for malware, which work with your existing antivirus software:

Microsoft Security Essentials is a good permanent antivirus for Windows 7/Vista/XP if you don't already have one.


Further information can be found in the Troubleshoot Firefox issues caused by malware article.

Did this fix your problems? Please report back to us!

Question owner

I have the Full Norton Security Suite. Shouldn't that do it? Or not?

Andrew
  • Top 25 Contributor
  • Moderator
251 solutions 3018 answers

It's hard to say that Firefox was hacked because there are so many reasons why unauthorized charges were made.

epicoder 0 solutions 4 answers

Norton is not foolproof. It can't hurt to use some other tools to check as well. Seeing as your credit card has already been stolen and illegitimately used, I'd say you should be throwing anything and everything you can at this problem to prevent further damage to your credit and finances in general.

the-edmeister
  • Top 10 Contributor
  • Moderator
3197 solutions 24401 answers

Have you ever used a public WiFi connection to access that account?
How frequently do you change your password for that account?
Have you ever allowed someone else to use your PC in your own logon user account?

As far as the Norton Security Suite, is it capable of detecting a key logger or discovering a root-kit infection? Anti-virus applications usually aren't capable of handling Malware, either.

jscher2000
  • Top 10 Contributor
2366 solutions 20923 answers

Helpful Reply

Were you storing the account password only in your head or did you save it in Firefox or in one of your extensions or in another password manager?

I'm not clear on how having the login compromised would lead to charges on your card, but I suppose someone with access to the account could extract the right information to use for purchases.

Question owner

The difference here is something fortunate that happened. Again, the email account and the name (my wife's) were ONLY used the one time in that combination, and that was to open the CC account. So while I understand, all things being equal... but I was able to narrow it down quickly, not to mention that Firefox is the ONLY browser I used to both look at the account and open it.

Helpful Reply

No, I haven't used a public area to access the account. I have a VERY secure Cisco router and Network is local only. No wifi access. The account was only 3 weeks old, which again helped to narrow it down immediately. No one has access to my computer at all.

Thanks for your thoughtful responses. Keep 'em coming! Doc

Question owner

You got that right, epicoder. I'm ticked. Doc

Question owner

jscher2000 - Yes, Firefox did store it for me. Not in the master password product, but just the normal password fill program.

As far as your second point. I'm not exactly sure how it happened either. My first instinct was that they hacked into Cap One. Because the email had our correct name and email and physical address. To get into the account to get the password for the account, the only way is through Firefox, a keylogger, or malware, I guess. But I thought for sure that all the money I pay to Norton for extended security, because of my business interactions, that they would have something as relatively mundane as malware figured out and up to date. I don't know.

Thanks for your responses. Please continue to help me figure this out.

ANYONE, any thoughts on anything I could get from the email headers, IP tracing or the like?

And I don't mean about finding the person, I'll leave that to Cap One and the police-- I mean as far as being able to discover my vulnerability?

Question owner

Here was a link they wanted me to follow. I looked it up on whois and they certainly have been found out, but anyone able to read the link and tell me what it means? Here it is DO NOT FOLLOW IT!!!!! DANGER DANGER DANGER DO NOT FOLLOW THE FOLLOWING LINK IT IS AN IDENTITY THIEF!!!!!!!!!!!!!!!!!!!!!!!!!!!

canadatravel(DOT)net/?rid=%68T%74%50://%2f%6a.%6d%50.%2f17NzCQD?yrvqkvovtncsltn

I put in the (dot) so that the link wouldn't be live.

Modified by DocGrimwig

jscher2000
  • Top 10 Contributor
2366 solutions 20923 answers

Hi DocGrimwig, the portion of the URL after the ? is used by the web server to redirect your query to a site you don't want to visit (doctoroz-weightloss{dot}com). My security software blocks it.

But what is the connection between this link and your card??
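Added example (not part of the thread or anyone's post): the reply above describes the part of the link after the `?` as what the server uses to redirect. The Python sketch below decodes that `rid` value offline, without requesting anything, and lists the obfuscation signs in it. The function names and flag labels are hypothetical; the input is the defanged link exactly as posted. Decoding only shows the first embedded host, not where any later redirect ends up.

```python
import re
from urllib.parse import urlsplit, unquote

# Defanged link exactly as posted in the thread; parsed as text only, never fetched.
POSTED = "canadatravel(DOT)net/?rid=%68T%74%50://%2f%6a.%6d%50.%2f17NzCQD?yrvqkvovtncsltn"

# scheme, ":", one or more slashes, then the host
EMBEDDED_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(/+)([^/?#]+)")

def refang(text):
    """Undo (DOT)/{dot} defanging so the string can be parsed."""
    return re.sub(r"[({\[]\s*dot\s*[)}\]]", ".", text, flags=re.IGNORECASE)

def defang(host):
    """Make a host name non-clickable again before it is logged or shared."""
    return host.replace(".", "(DOT)")

def analyze_redirect_param(posted, param="rid"):
    """Decode a URL-valued query parameter offline and list obfuscation signs."""
    outer = urlsplit("http://" + refang(posted))  # scheme added only for parsing
    raw = next((v for n, _, v in (p.partition("=") for p in outer.query.split("&"))
                if n == param), None)
    if raw is None:
        return None
    decoded = unquote(raw)
    match = EMBEDDED_URL.match(decoded)
    if match is None:
        return {"inner_host": None, "strict_parser_host": None, "flags": []}
    scheme, slashes, host = match.groups()
    inner_host = host.lower().rstrip(".")
    escaped = [chr(int(h, 16)) for h in re.findall(r"%([0-9A-Fa-f]{2})", raw)]
    flags = []
    if any(c.isascii() and c.isalnum() for c in escaped):
        flags.append("needless-escapes")    # letters never need percent-encoding
    if scheme not in (scheme.lower(), scheme.upper()):
        flags.append("mixed-case-scheme")
    if len(slashes) != 2:
        flags.append("extra-slashes")       # browsers skip them, strict parsers do not
    if host.endswith("."):
        flags.append("trailing-dot-host")
    if inner_host != outer.hostname:
        flags.append("cross-host-redirect")
    return {
        "inner_host": defang(inner_host),
        # A strict RFC 3986 parser finds no host at all in "scheme:///host/...".
        "strict_parser_host": urlsplit(decoded).hostname,
        "flags": flags,
    }

if __name__ == "__main__":
    print(analyze_redirect_param(POSTED))
```

The gap between `inner_host` and `strict_parser_host` is the practical point: a filter built on a strict URL parser sees no host in the decoded value, while a browser-style parser does.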

Question owner

The full text of the email is this:

[MY WIFE'S FULL NAME], Are you underwater? Sell your home fast. Get an immediate offer here: canadatravel(DOT)net/?rid=%68T%74%50://%2f%6a.%6d%50.%2f17NzCQD?yrvqkvovtncsltn


[OUR FULL ADDRESS WAS LOCATED HERE]

Of the 3 charges on our card, one of them was entitled this:

TWX CANADATRVL [A FAKE PHONE NUMBER] NY $2.00 (the amt of the charge)

OH and this is the Email from Address:

KarenxsWhitekw(at)roadrunner(DOT)com

Modified by DocGrimwig

jscher2000
  • Top 10 Contributor
2366 solutions 20923 answers

Not sure what happened there. Did they have your email before charging your card? Wouldn't they prefer to just do it quietly instead of coming back for more?? Very odd.