[ISN] Huge ID theft ring affects at least 50 banks

[InfoSec News]

http://software.silicon.com/security/0,39024655,39151163,00.htm

By Ingrid Marson
9 August 2005

A major identity theft ring discovered last week has affected the
customers of at least 50 banks, according to Sunbelt Software, the
security firm that uncovered the operation.

The operation, which is thought to be under investigation by the FBI
and Secret Service, is currently gathering personal data from
compromised machines and sending them to a server where they are saved
in a file.

Sunbelt Software said on Monday that in the two days it has been
monitoring the file it has seen confidential financial details of the
customers of the Bank of America, PayPal and up to 50 international
banks, according to Eric Sites, the vice president of research and
development at Sunbelt.

Sites said: "For almost every bank that is listed [in the file], it's
possible to get into the person's account."

As well as passwords for online banking sites, information on credit
cards has also been gathered. Sites said that Sunbelt had found one
customer's credit card number, expiry date and security code as well
as their name and address, which would allow anyone to use their
credit card.

The data theft was initially reported to be carried out by a modified
variant of a spyware application, called CoolWebSearch (CWS) but
Sunbelt has now found that the activities are carried out by a mail
zombie and a separate Trojan, which is downloaded at the same time as
CWS.

The malicious code is hosted on a website that mainly hosts
pornography, which Sites was unwilling to name. Users of Windows XP
who have not installed SP2 are particularly vulnerable as the code
will be automatically downloaded without the user's knowledge. Sunbelt
is currently investigating whether users of earlier Windows versions,
such as Windows 2000 and Windows ME, are also vulnerable.

"If you have an unpatched Windows machine, when you go to the URL it
will automatically download everything from the website, including the
Trojan. All you have to do is type in the URL and you're hosed," said
Sites.

The Trojan is a new variant, so antivirus and anti-spyware vendors do
not yet block it, according to Sites. Sunbelt plans to send
information on the Trojan to security firms as soon as possible.

The Trojan carries out keylogging, and also gathers information stored
by Internet Explorer's auto-complete function. This data includes any
information that has been typed into forms, including usernames and
passwords.

Two variants of the data-stealing Trojan have been found, one of which
sends data to a publicly available server, which is being monitored by
both Sunbelt and the Secret Service, according to Sites. He claimed
this server will not be shut down straight away so that the FBI and
Secret Service can track down the perpetrators.

Sunbelt believes the operation has only been running for a couple of
weeks and has affected a "couple of thousand machines", according to
Sites.

An FBI spokesperson was unable to confirm whether or not an
investigation was taking place.

Ingrid Marson writes for ZDNet UK