Wednesday, August 10, 2005

Spyware Researchers Discover ID Theft Ring

Spyware researchers picking apart one of the more notorious spyware programs have stumbled upon what appears to be a massive identity theft ring hijacking confidential data from millions of infected computers.

Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.

"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.

In an interview with Ziff Davis Internet News, Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.

"I'm not being dramatic. This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.

He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.

"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.

He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.

"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."

While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.

Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.

In some cases, where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.

Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mails to use for spam runs. It then sets up a "very intelligent keylogger" that looks for very specific information.

"This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.

Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application.

The tool is available for the Microsoft Windows XP, Windows 2000, Windows Millenium Edition and Windows 98 operating systems.