Spyware Researchers Discover ID Theft Ring

Discussion in 'Backup and Security' started by Eli's A Comin, Aug 9, 2005.

  1. Check your computers for "CoolWebSearch"!

    http://news.yahoo.com/s/zd/157623;_...H16Z6ys0NUE;_ylu=X3oDMTA3ODdxdHBhBHNlYwM5NjQ-

    http://www.eweek.com/article2/0,1895,1845248,00.asp

    Spyware researchers picking apart one of the more notorious spyware programs have stumbled upon what appears to be a massive identity theft ring hijacking confidential data from millions of infected computers.

    Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

    During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

    When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.

    "We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.

    He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.

    While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.

    Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.

    "This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.

    :eek: