[ISN] The computer spy that steals your passwords and credit details

From: InfoSec News (alerts@private)
Date: Mon Sep 04 2006 - 22:31:47 PDT


http://www.timesonline.co.uk/article/0,,2087-2340545,00.html

By Anna Mikhailova and Jon Ungoed-Thomas
The Sunday Times
September 03, 2006

ABOUT three weeks ago, Cheryl Lambert bought a £179 surfboard on eBay 
for her daughter. Soon after, she noticed her computer started to 
behave erratically and within a few days it had ground to a halt.

"It just completely crashed," said Lambert, 38, a community worker who 
lives in Helston, Cornwall. "The anti-virus software was saying the 
computer was infected, but it just couldn't fight it. The computer got 
slower and slower and then it just stopped."

A few days after her desktop machine was unplugged from the internet, 
Lambert's personal details appeared on a Russian website.

Her home phone number, her address, her credit card number and her 
e-mail address with Tesco were all listed on a forum where criminals 
and computer hackers trade stolen identities. Lambert cancelled her 
gold Lloyds TSB card when she was alerted by The Sunday Times to what 
had happened, but one fraudulent transaction for £10.70 had already 
been made.

Lambert is believed to have fallen victim to malicious "trojan" 
software. This can be unwittingly downloaded from an e-mail attachment 
or website and then quietly records details of passwords, security 
codes and credit card numbers used on secure websites. The information 
is relayed back to the author of the malicious software.

The Russian website that posted Lambert's details, www.carder.info, is 
one of a network of sites which trade in stolen identities. Thousands 
of passwords for e-mail accounts, security numbers for credit cards 
and access codes for shopping websites are offered for sale online 
after being "harvested" from trojan software.

In a four-week investigation a Sunday Times reporter approached users 
on Russian websites who were offering stolen identities for sale. The 
site includes a step-by-step guide to stealing identities and using 
the information without detection.

The reporter was offered stolen data on British citizens ranging in 
price from $2 to $5 per person. She requested a free sample and at 
11.50pm on August 23 the details of more than 30 individuals were 
posted online, 13 of whom were British.

Max Haffenden, 27, an IT worker from Bexhill-on-Sea in East Sussex, 
was among those on the list and he confirmed last week that The Sunday 
Times had obtained his secret password from the Russian website. He 
uses the password - which has now been cancelled - for his personal 
Yahoo! e-mail account, payment transfers using PayPal and online 
shopping accounts.

"I am amazed someone could have got access to these details," he said. 
"I have a good idea of how computers work and how to be as secure as 
possible. I only trust a site with my details if it has a "padlock" to 
show it is a secure server."

Haffenden, who used a computer firewall and anti-virus software, said 
his computer's systems alerted him to malicious software, which he 
said might have been a trojan, about a year ago. He was unable to fix 
the problem but said it did not affect the performance of his 
computer.

Others on the list said there had been no apparent problems with their 
machines. Nick Riches, 40, from Basingstoke in Hampshire, who also 
works in the computer industry, was among those targeted. He confirmed 
his "standard secure password" had been obtained by the Russian 
website, along with his Hotmail access, his home address and details 
of a NatWest card. He said he regularly scanned his computer for 
viruses but had not been aware of any malicious software.

There was evidence last week that the fraudsters had already used some 
of the personal data to steal money. Cards belonging to Haffenden and 
Riches had been used without their permission on an internet gambling 
site, Unibet, in the past month with payments of £400 and £512.50.

Stolen data offered on foreign websites is usually obtained from 
hacking into the database of an online company to obtain customers'
details or from infiltrating a personal computer.

While nearly all computer users are alert to the threat from viruses, 
many are unaware of trojans, which can covertly install themselves via 
a website or e-mail attachment.

Carole Theriault, senior security consultant at Sophos, an internet 
security company, said: "Viruses basically had bells and whistles to 
say "we've got you" and spread rapidly around the internet. Trojans 
are very different. They don't spread on their own and may not even 
affect the performance of your computer, but when you go on sites like 
eBay or check your account online, they can record the keys you press.

"About 70% of the reports of new threats of malicious software are 
trojans. The people who send them out don't hit so many computers 
because they don't want to make the headlines."

Theriault said that a firewall and regularly updated anti-virus 
software would help reduce the threat from trojans, but there was no 
100% solution. "It's like driving a car," she said. "There's always a 
risk. You just have to do everything you can to reduce it."

One of the problems is that some trojans are not always identified by 
anti-virus software. One trojan, called A311 Death or Haxdoor, has 
infected an estimated 35,000 computers worldwide, including 10,000 in 
Australia.

A warning from the Australian Computer Emergency Response Team stated: 
"If your computer is already compromised with an input/output 
monitoring trojan, SSL (encryption) cannot prevent the trojan from 
capturing web form data, keystrokes, and passwords."

In the UK many people are unaware of the threat. An official Home 
Office leaflet providing advice on identity theft does not even 
mention the importance of computer security. The government does, 
however, support a website, Get Safe Online, which provides 
information on protecting a home computer.

Despite the warnings and security software available, obtaining 
personal data stolen from British computers is easy. It is also cheap, 
with passwords being traded online for as little as £1.

Using an internet Cyrillic keyboard to enter the word "carding" on the 
Google search engine, a Russian-speaking Sunday Times reporter was 
presented with an array of sites offering stolen data and bogus 
identity documents.

One website - called carders0.tripod.com - had a virtual shopping 
basket of identity fraud, with "buy now" icons next to every item. The 
products on sale included credit cards - both fake and real - driving 
licences, travellers' cheques, fake passports and machines to make 
credit cards. The site included starter packs for fledgling fraudsters 
as well.

The same site also offered a service called Rebirth in which visitors 
were offered the chance to "buy a whole new identity from Britain or 
Ireland". Costing £13,000, the package offered a new passport and a 
birth certificate. The Sunday Times was unable to confirm whether 
genuine documents would be exchanged for an online payment.

At the lower end of the scale, a range of websites offered stolen data 
that could be used to access subscription services, pay for goods 
online or transfer funds. Some of the data are even posted for free as 
samples to interested buyers. After using the data, one user of 
www.carder.info commented on the website: "Thanks, found some valid 
stuff. Put up more."

The batch of stolen data provided to the reporter included passwords 
for e-mail accounts, credit card numbers and home telephone numbers of 
people in Bishop's Stortford in Hertfordshire, Spalding in 
Lincolnshire, Blackpool, Hartlepool and Glasgow.

A week after the reporter was given the sample, she was able to 
retrieve the passwords for the PayPal accounts of 19 Britons from the 
site. The information would enable fraudsters to gain access to 
accounts and transfer funds.

The www.carder.info site is registered to 340 Pushkinskaya in Moscow. 
The house number does not exist. The Russian-based company that hosts 
the site, Net of National Telecommunications, would not comment last 
week, but is understood to be in contact with police about any 
suspected illegal transactions.

Lennart Ehlinger, group security controller for the London-based 
Unibet, said it was difficult to detect fraudulent use of credit cards 
if the fraudster was able to provide a security code, number and home 
address.

A spokesman for Apacs, the UK payments association, said hackers who 
stole personal information often evaded detection by using a network 
of foreign websites.

A spokesman for PayPal said its servers were secure, but information 
on passwords was sometimes compromised by trojan software and 
"phishing", which uses spoof websites to obtain user information.

Additional reporting: Mark Franchetti in Moscow

-=-

HOW TO STAY SAFE ONLINE

The risks can never be wholly eliminated, but experts recommend:

* Never go online without first ensuring your computer is protected 
  with a firewall and anti-virus software. An unprotected computer is 
  on average infected within 12 minutes of being plugged into the 
  internet, according to research by Sophos, the computer security 
  company.

* Always make sure you have the latest anti-virus software, which is 
  regularly updated. Use software such as McAfee (uk.mcafee.com) or 
  Norton (www.symantec.com). It costs money, but is recommended for 
  safer surfing.

* Consider installing software that scans your system for downloads 
  that secretly monitor your computer use. Products such as Spybot 
  Search & Destroy (www.safer-networking.org) can be downloaded free.

* Never download software from unknown sites. The downloads can 
  harbour trojans. Similarly, never open e-mail attachments from 
  unknown sources.

* When entering details on a banking website or payment service, such 
  as PayPal, carefully check the website address. A trojan can direct 
  a computer to a spoof site.

* If your computer is performing erratically or slowing down, then 
  scan it with anti-virus software.


