Confirm Action

Are you sure you wish to do this?

Confirm Cancel
Member Login
Site Notices
9/22/2017 12:11:25 AM
Posted: 8/9/2005 12:59:17 PM EDT
Spyware Researchers Discover ID Theft Ring

By Ryan Naraine
August 8, 2005

Spyware researchers picking apart one of the more notorious spyware programs have stumbled upon what appears to be a massive identity theft ring hijacking confidential data from millions of infected computers.

Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.

"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.

In an interview with Ziff Davis Internet News, Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.

"I'm not being dramatic. This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.

He said the log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.

"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.

He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.

"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."

While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company.

Eckelberry said the huge size of the log files is a clear indication that thousands of machines are pinging back daily.

In some cases, where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.

Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mails to use for spam runs. It then sets up a "very intelligent keylogger" that looks for very specific information.

"This won't get caught by a typical anti-spyware application," he said, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.

Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application.

The tool is available for the Microsoft Windows XP, Windows 2000, Windows Millenium Edition and Windows 98 operating systems.

Link Posted: 8/9/2005 1:03:26 PM EDT
So are the owners of the company that makes Cool Web Search going to Federal pound-me-in-the-ass prison, or are they all in Nigeria or something?
Link Posted: 8/9/2005 1:06:53 PM EDT
Just f'ing great. I wish I had a nickel for every time spybot S&D took that coolweb search off of my computer.

Bout time.
Link Posted: 8/9/2005 1:11:44 PM EDT

Thanks for the post.
Link Posted: 8/9/2005 1:15:05 PM EDT
I wish someone would hunt down these low life dogs ang give them what they have comming to them. I can't say what that is because I will be banned if I do.
Link Posted: 8/9/2005 1:22:08 PM EDT
A good reason to always run Spybot and Spybot-Teatimer(monitors the system registery), and Adaware to get rid of those spyware, they are not as innocuous as they look.

BTW: The internet browser Opera loaded on some spyware after their last update. So now I don't use their browser anymore.
Link Posted: 8/9/2005 1:26:03 PM EDT
Dupity dupe!

Link Posted: 8/9/2005 1:27:04 PM EDT
Link Posted: 8/9/2005 1:32:01 PM EDT
I had that shit on my computer. But only had like $12 in my bank. Couldn't get rid of the damn thing except for reformating my hard drive.
Link Posted: 8/9/2005 1:33:37 PM EDT
jobrelatedstuff is not part of AR15.com, it's McUzi's web page.

Originally Posted By BigDozer66:
Dupity dupe!


Link Posted: 8/9/2005 1:38:06 PM EDT

Originally Posted By BigDozer66:
Dupity dupe!


Who cares? Some of us don't spend 24 hours a day here, and miss the first go-round.
Link Posted: 8/9/2005 1:45:59 PM EDT
So if you run spybot and Ad aware on a regular basis you should be OK?
Link Posted: 8/9/2005 2:01:49 PM EDT

Originally Posted By Jm03:
So if you run spybot and Ad aware on a regular basis you should be OK?

Like MrPink123, I could only get rid of this by reformating my hard drive and installing a mirror image back onto it. It's a tenacious little fugger. Multiple scans and deletes do NOT mean that it's gone.

I used HiJackThis, Adaware, Spybot S&D and Webroot's Spysweeper. the only thing that really protected my computer was a reformat and an immediate install of Spysweeper.
Link Posted: 8/9/2005 2:09:03 PM EDT
tweeter: I think if you install a registery monitoring software such as Spybot's TeaTimer, you shouldn't need to go thru the extremes of reformating your harddisk. The system will warn you that the registery is about to be change yes/no, and of course you answer "NO." and they just go away.
Top Top