Security vendor warns of massive ID theft ring

By Bill Brenner, News Writer 08 Aug 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A Clearwater, Fla.-based antispyware vendor says it has stumbled upon what could be a massive identity theft ring that uses spyware-infected machines to collect personal data. The company says it has contacted the FBI and Secret Service and that both have begun investigations.

Sunbelt Software CEO Alex Eckelberry said on the firm's activity blog that keylogging software is being used to collect user IDs, passwords, bank account balances and other personal information. The information is being dumped on a server located somewhere in the United States.

"Here is a quick idea of what happened: Patrick Jordan, our most senior CoolWebSearch (CWS) expert, was doing

More on spyware Experts weigh in on spyware's defining moment Read our series, "Spyware: Black and White" Part 1: A wolf in sheep's clothing Part 2: Who best to define spyware?

research on a CWS exploit," he said in one blog entry. "During the course of infecting a machine, he discovered that a) the machine he was testing became a spam zombie and b) he noticed a call back to a remote server. He traced back the remote server and found an incredibly sophisticated criminal identity theft ring… We are still trying to ascertain whether or not this is directly related to CWS."

He said the scale of the operation is "unimaginable" with thousands of machines pinging back daily. He said there's a keylogger file on the server "that grows and grows, and then is zipped off and then the cycle continues again." He added, "While thousands of machines are pinging back, the amount that [is] being logged into the keylogger file is less than that, but still significant. The server is in the U.S. but the domain is registered to an offshore entity. The types of data in this file are pretty sickening to watch. You have IM chat sessions, search terms, Social Security numbers, credit cards, logins and passwords, etc."

Eric Sites, Sunbelt's VP of research and development, said he couldn't offer more detail on how the server was found or where it's located because doing so might compromise the investigation. But he said the FBI and Secret Service are reviewing Sunbelt's findings. At the time of writing, the FBI had not returned a phone call seeking confirmation of the investigation.

Sites said the ID theft effort involves the use of Trojan horse programs as well as keyloggers. Both are considered to be among the most insidious forms of spyware. He added that the hacker involved is going back to the server every couple days to download information stored there by thousands of zombie machines.

He added that different variants of the Trojan have been found. "This Trojan is totally geared for ID theft," Sites said. He wouldn't name the specific Trojan, saying, "We don't want to tip anyone off."

Information found on the server includes the $380,000 bank account balance of an African company and the $11,500 bank account balance of a California business. "We've called companies like this and told them of the compromise," Sites said.

Tags: Identity Theft and Data Security Breaches,  Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary