Two weeks ago, I told you about a Trojan from the Backdoor-BAC family. On the same day, the MET (UK Metropolitan Police Service) announced they were investigating data recovered from a computer in the United States. It contained personal information from hacked machines located in the United Kingdom that were infected by a variant of this malware family. In other news dated October 24th, Computerworld wrote about identity theft fraud affecting more than 8500 victims in over 60 countries. France is among the countries mentioned.

As I worked with my German Avert Lab colleague on this issue, I can go into more detail. Once the backdoor was installed on the target computer, it transmitted to a remote Web server the e-mails sent by the victim, together with their mailbox usernames and passwords. It also captured any on-line transaction (ISP connection, banks and other on-line services such as Amazon.com) whenever an HTTPS transaction was executed. The Trojan sent screenshots (jpg format) and the user's keystrokes (txt format) to a collector Web site.

We were able to reach the Web server dedicated to the data collection. It held more than 850,000 files representing 4.5 Gb of information. All of the data was conscientiously classified by country. The "France" directory contained 643 files for 4 distinct people. Like my colleagues, I transmitted these data to the French authorities on October 16th. They alerted the victims the same day.

The next screenshots are an example related to an on-line bank transaction. The jpg file lets the criminal identify the bank account; with the txt file, they can recover the password.


This identity theft network was controlled via Web-based techniques. The compromised PCs connected to a master site to receive their commands, as well as the location to which stolen data should be sent and the password needed to reach that server. They were also able to update themselves by downloading new pieces of code.
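The two behaviours described above (regular polling of a master site for commands, and POST uploads of jpg screenshots and txt keystroke logs to a collector site) leave a recognisable trace in web-proxy logs. The following is an added example, not code from the original post or from Avert Labs, that flags clients showing both patterns; the log format, the hostnames and every log line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed proxy-log lines, not data from the case: time client method url bytes_out
SAMPLE_LOG = """\
2006-10-16T09:00:01 10.0.0.5 GET http://master.example.test/cmd.php 120
2006-10-16T09:05:02 10.0.0.5 GET http://master.example.test/cmd.php 118
2006-10-16T09:10:00 10.0.0.5 GET http://master.example.test/cmd.php 121
2006-10-16T09:10:07 10.0.0.5 POST http://collector.example.test/up.php?f=scr_0001.jpg 48120
2006-10-16T09:10:09 10.0.0.5 POST http://collector.example.test/up.php?f=keys_0001.txt 2210
2006-10-16T09:11:00 10.0.0.7 GET http://news.example.test/index.html 0
2006-10-16T09:12:00 10.0.0.7 POST http://photos.example.test/upload?f=holiday.jpg 90000
"""
LINE = re.compile(r"(\S+) (\S+) (GET|POST) (\S+) (\d+)")
LOOT = re.compile(r"\.(jpg|txt)$", re.IGNORECASE)  # screenshot / keystroke file names

def parse_log(text):
    """Turn raw lines into (timestamp, client, method, host, url, bytes) records."""
    return [(datetime.fromisoformat(ts), client, method, urlsplit(url).hostname, url, int(n))
            for ts, client, method, url, n in LINE.findall(text)]

def beaconing_hosts(records, min_hits=3, jitter=0.2):
    """(client, host) pairs polled at near-regular intervals: the 'master site' pattern."""
    polls = defaultdict(list)
    for ts, client, method, host, _, _ in records:
        if method == "GET": polls[(client, host)].append(ts)
    found = {}
    for key, times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and gaps:
            mid = median(gaps)  # every gap must stay within jitter*median of the median
            if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
                found[key] = mid
    return found

def loot_uploads(records):
    """POSTs whose target name looks like a screenshot (.jpg) or keystroke log (.txt)."""
    ups = defaultdict(list)
    for _, client, method, host, url, nbytes in records:
        if method == "POST" and LOOT.search(url): ups[client].append((host, url.rsplit("=", 1)[-1], nbytes))
    return ups

def suspicious_clients(text):
    """Clients that both beacon to a master site and upload screenshot/keystroke files."""
    recs = parse_log(text)
    beacons, ups = beaconing_hosts(recs), loot_uploads(recs)
    return {c: {"master": h, "period_s": p, "uploads": ups[c]}
            for (c, h), p in beacons.items() if c in ups}
```

A host that only uploads a jpg (10.0.0.7, a photo upload) or only polls one site is not flagged; it takes the combination to match the infection pattern described in the post.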

We receive hundreds of malicious code samples each week. Usually we are only able to add detection for them to our DATs. In this case we were able to use the information to help the victims. This happens rarely and should remind all of us to stay vigilant.