Posted on 08/06/2005 10:23:17 PM PDT by Ernest_at_the_Beach
Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular spyware application, rumored to be called CoolWebSearch, they discovered that the personal information of those "infected" was being captured and uploaded to a server.
One can only speculate about why someone would do such a thing; the amount of data that could be gathered would almost certainly be daunting for even a few people to sift through and exploit. On the other hand, the researchers at Sunbelt have personally uncovered the personal information of two individuals who, combined, could be taken for well over US$350,000.
The list of stolen information includes not only bank accounts but website passwords, eBay accounts, what sort of adult images you fancy, and, supposedly, even more. The researchers initially had tried in vain to get a hold of someone who could take action on this issue but didn't get a response right away:
We have notified the FBI, but of course no response (too busy doing other more important things). We have notified a few of the parties involved...If anyone has any other ideas, send 'em to us. Right now, we're sitting upon literally thousands of pages of stolen identities that are being used right now.
Good news came today, though: the FBI has responded and is currently working the case. We've emailed Alex to see if we could get any more details about the whole thing out of him, but at the time of publication we had not received a response. Hopefully the people who perpetrated this massive-scale theft of personal data can be quickly caught and brought to justice, thanks to the quick actions of Alex Eckelberry and the researcher who discovered the crime, Patrick Jordan.
Updated (08/06/2005 4:24PM CDT): I've received a little bit more information on what's going on from the employees of Sunbelt Software. What follows is more or less the exact email I received from Alex Eckelberry:
Basically, it went like this:
Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.
The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.
It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.
Updated (08/06/2005 5:38PM CDT): Here's more information from Eric Sites, VP of R&D at Sunbelt:
While one of my spyware researchers was tracking down new variants of CoolWebSearch he came across a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user's Internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage.
This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS.
This website had collected over 500 different computers' very private information within a 24-hour period, including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.
This article will be updated with any more information we receive or uncover about the ID theft incident.
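Read together, the two Sunbelt emails give a network defender something concrete to look for. The spyware captures form data inside the browser, before TLS is applied, so HTTPS on the bank's site does not protect the user; but the stolen data still has to leave the machine, and the emails describe how it does: a keylogger file that keeps growing, is zipped off on a cycle, and is posted to one collection server that thousands of infected hosts "ping back" to in a day. The Python script below is an added example, not code from the article or from Sunbelt. It runs that heuristic over a handful of constructed outbound proxy log lines (the hosts, client addresses, byte counts and timings are made up for the example and are not indicators from the story) and flags clients that POST to the same destination on a near-fixed schedule with an ever-growing payload, then counts how many distinct clients feed each such destination.

```python
"""Flag the beacon-and-upload pattern described in the Sunbelt emails.

Assumptions (not from the article): a proxy log with one event per line in
the form "<ISO timestamp> <client ip> <method> <url> <bytes sent>".  Every
value in SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: two clients upload a growing file to the same host every
# six hours; a third client does ordinary, irregular web traffic.
SAMPLE_LOG = """\
2005-08-05T00:10:02 10.0.0.12 POST http://drop.example.invalid/upload.php 4120
2005-08-05T06:10:05 10.0.0.12 POST http://drop.example.invalid/upload.php 9870
2005-08-05T12:10:01 10.0.0.12 POST http://drop.example.invalid/upload.php 15300
2005-08-05T18:10:04 10.0.0.12 POST http://drop.example.invalid/upload.php 22410
2005-08-05T00:11:00 10.0.0.45 POST http://drop.example.invalid/upload.php 3900
2005-08-05T06:11:02 10.0.0.45 POST http://drop.example.invalid/upload.php 8100
2005-08-05T12:11:03 10.0.0.45 POST http://drop.example.invalid/upload.php 12800
2005-08-05T18:11:01 10.0.0.45 POST http://drop.example.invalid/upload.php 17600
2005-08-05T09:00:00 10.0.0.77 POST http://mail.example.invalid/send 2200
2005-08-05T09:30:00 10.0.0.77 POST http://mail.example.invalid/send 800
2005-08-05T13:00:00 10.0.0.77 GET http://news.example.invalid/ 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort a batch run
        ts, client, method, url, sent = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": urlparse(url).hostname,
            "sent": int(sent),
        })
    return events


def find_beacons(events, min_posts=3, max_jitter_s=600):
    """Return {(client, host): summary} for clients that POST to one host on a
    near-fixed schedule with a payload that never shrinks, i.e. the
    'keylogger file grows, then is zipped off' cycle from the emails."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["client"], e["host"])].append(e)
    hits = {}
    for pair, posts in by_pair.items():
        if len(posts) < min_posts:
            continue
        posts.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds()
                for a, b in zip(posts, posts[1:])]
        regular = max(gaps) - min(gaps) <= max_jitter_s
        growing = all(b["sent"] >= a["sent"] for a, b in zip(posts, posts[1:]))
        if regular and growing:
            hits[pair] = {
                "posts": len(posts),
                "period_s": round(sum(gaps) / len(gaps)),
                "last_bytes": posts[-1]["sent"],
            }
    return hits


def find_shared_drops(beacons, min_clients=2):
    """Count distinct beaconing clients per destination.  A host that many
    machines feed on a schedule is the collection server, not a normal site."""
    clients = defaultdict(set)
    for client, host in beacons:
        clients[host].add(client)
    return {h: len(c) for h, c in clients.items() if len(c) >= min_clients}


if __name__ == "__main__":
    beacons = find_beacons(parse_log(SAMPLE_LOG))
    for (client, host), info in sorted(beacons.items()):
        print(f"{client} -> {host}: {info}")
    print("shared collection hosts:", find_shared_drops(beacons))
```

The two thresholds are deliberately loose: the regularity check only requires that the gaps between uploads be within ten minutes of each other, and the size check only requires that each upload be no smaller than the last, which is what a log that is appended to and then shipped whole looks like. On a real proxy log the second function is the more useful one, because a single client with a regular POST could be a legitimate sync agent, while dozens of clients all feeding the same previously unseen host on a schedule is the pattern Sunbelt describes.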
fyi
We use the Sunbelt product, "I hate Spam" for Exchange, at our office. Been pretty happy with it, funky name, good software.
bump
I am glad I moved most of my browsing to Linux.
Protect yourself...
http://www.intermute.com/products/cwshredder.html
The only way I have found to remove all of coolwebsearch.
Interesting, but this has been known for a long time and there are already removers available. Just do a google search "coolwebsearch" and you will find over 158,000 hits. It's been known to be an exploit since 2003.
"Cool Web Search" is one of the most evil and toughest to kill forms of spyware. There are about a bazillion versions of this, because they (the programmers behind CWS) were actively working to stay ahead of those working on "Cool Web Shredder," and the load finally got so heavy that they gave up.
While most variants can be removed, I did have a client with a computer that was so heavily compromised with virus and spyware infections that I told them that the only safe thing to do was wipe the system and reinstall everything.
Mark
Cwshredder is a good start. Your best protection, I swear, stop using IE, find another browser.
Nat'l security project disguised as a scam operation?
That's ugly!
What's Ugly, my posting?
This is a new variant of CWS that is designed to flat out steal information. Prior version just kept tabs of what you did and went from an ad standpoint.
That thought did cross my mind.
The scary thing is, this could be a government operation.
my favorite line is: "What follows is more or less the exact"
Since the FBI was so lax about going after this and has been for so long, then how do we know that they have not been the recipients of any of this information... As in a secret patriot act.
I've read horror stories about CWS.
Spybot S&D can be set to inoculate against a huge amount of malware, including CWS.
And it's free!
:)
I'd be surprised if the FBI didn't care. I've had the exact opposite experience.
You know my address. Get thee hence to my house. Now!
YOWZERS this is horrible!! Thanks for the ping!