08.07.05
“Staggering” Identity Theft Ring Discovered Over the Weekend
A Florida-based software company discovered a server containing personal information, including bank account information and social security numbers, from thousands of computers across the country. Obtained through the use of spyware, the data on that server apparently has been, at the least, accessed by identity thieves.
The company responsible for the discovery, Sunbelt Software, makes anti-spyware programs and was researching a spyware program known as CoolWebSearch (CWS) when the server was found. On August 4, 2005, senior Sunbelt researcher Patrick Jordan infected a test computer with CWS and noticed that the system had been converted into a spam zombie (meaning the computer was being remotely used to send out spam messages) and was contacting a remote server. Jordan tracked down the server and was astounded by what he uncovered. Sunbelt’s president, Alex Eckleberry, said of Jordan’s discovery: “Patrick is a veteran of spyware, and even he admits to never having seen something like this before. It’s pretty staggering.” (see SpywareWarrior)
The server contained an enormous amount of personal information that had been collected by a keylogger, which recorded every keystroke made by the users. This information included bank account numbers, birth dates, social security numbers, user names and passwords, eBay account information, credit card numbers, and even entire chat room and instant message conversations. The server also held details about one family’s vacation plans and lists of pornographic web sites visited by users.
When Jordan and the Sunbelt staff investigated the server further, they found that all of the incoming information was being neatly organized into separate files that were growing at incredible rates. Thousands of computers were reporting back to the remote server daily and adding new information to the files without the users even being aware of a problem.
The victims were not all individuals either. For example, the server contained information for one business’s bank account holding over $350,000. All of the data needed to access that chunk of money was available for the taking by any identity thief.
The victims also don’t seem to be limited to any one geographical area. One California business appeared on the server, along with the information that the firm had $11,000 in cash readily available. All of the personal information for a family in Arizona, whose patriarch had just undergone open-heart surgery, was also on the server. The server itself is located in the United States, according to Sunbelt, but the domain is registered in China, which may make it more difficult to track down the responsible parties. Both the FBI and the Secret Service are in contact with Sunbelt and are investigating the situation.
Although Sunbelt’s research staff discovered the server while studying a CWS variant, Eckleberry stated in his blog on August 6, 2005 that they were still trying to determine whether the problem was directly related to CWS. CWS is a scumware/Trojan hybrid, which usually pretends to be a harmless program while redirecting users to affiliate sites. Currently, there are more than 1,000 sites affiliated with CWS. Computers can be infected by CWS through pop-up ads without the user’s knowledge. Once infected, computers can begin to experience a wide variety of problems, including unwanted additions to the “Favorites” list, Internet Explorer slowdowns, and altered home pages.
Computer users can protect themselves against CWS in the following ways:
- By using an additional firewall – The firewalls on most routers and the one provided with Microsoft Windows XP do not prevent information from leaving the computer. A firewall that controls both incoming and outgoing traffic is a necessity.
- By staying up-to-date with security updates through the Microsoft web site – CWS and many other spyware programs get onto computers through “security holes” in Microsoft’s products. Updates are made available to patch these holes and to keep Microsoft users secure.
- By using a pop-up blocker – Because CWS infiltrates computers through pop-up ads, the best way to stop an infection is to block the ads from appearing on the computer in the first place.
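The first measure above only helps if outgoing traffic is actually watched. As an added illustration (not part of the original article or Sunbelt’s own tooling), the script below runs over a small constructed egress log and flags the two patterns the article describes: one destination that many hosts “report back” to, and a single host contacting the same server at regular intervals. The log format, host names and addresses are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log, one record per line: "timestamp src_host dst_ip dst_port"
SAMPLE_LOG = """\
2005-08-04T09:00:00 pc-01 203.0.113.7 80
2005-08-04T09:00:02 pc-02 203.0.113.7 80
2005-08-04T09:00:05 pc-03 203.0.113.7 80
2005-08-04T09:01:00 pc-04 203.0.113.7 80
2005-08-04T10:00:00 pc-01 203.0.113.7 80
2005-08-04T11:00:01 pc-01 203.0.113.7 80
2005-08-04T12:00:00 pc-01 203.0.113.7 80
2005-08-04T09:30:00 pc-01 198.51.100.20 443
2005-08-04T09:31:00 pc-05 192.0.2.44 80
"""

def parse_log(text):
    """Yield (datetime, src_host, 'dst_ip:port') tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield datetime.fromisoformat(ts), src, f"{dst}:{port}"
        except ValueError:
            continue

def find_collection_servers(text, min_hosts=3):
    """Destinations contacted by at least `min_hosts` distinct internal hosts."""
    hosts = defaultdict(set)
    for _, src, dst in parse_log(text):
        hosts[dst].add(src)
    return {dst: sorted(s) for dst, s in hosts.items() if len(s) >= min_hosts}

def find_beacons(text, min_hits=3, tolerance=0.1):
    """(src, dst) pairs contacted at near-regular intervals; value is the period in seconds."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_hits - 1:
            continue
        mean = sum(gaps) / len(gaps)
        # Regular check-ins: every gap within `tolerance` of the mean interval
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            beacons[key] = round(mean)
    return beacons
```

Real firewall or proxy logs would need their own parser, but the two checks apply unchanged once records are reduced to (time, source, destination).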