
A Fresh Look at Password Thieves

Security Fix recently published information about thousands of U.S. residents whose passwords and other data had been stolen by nefarious hackers.

Last week, I received more data about the number of victims claimed by the hackers' Trojan horse computer program, along with more details about the complexity of the attack.

I originally reported there were about 3,220 victims scattered throughout the United States. After reading the story, a security officer at a financial institution notified me that he has been monitoring this same trove of stolen data since its inception. I've agreed not to name the individual or his employer.

According to his data, the attackers have been running this operation since at least October 2006. That is when they began exploiting an unpatched vulnerability in Microsoft Windows PCs. Microsoft issued a patch for the flaw a few weeks later that month.

While he was unable to confirm more than 3,200 current, active victims, the data he collected suggests that the criminals have stolen data from at least 10 times that number of machines since December, according to the statistics page used by the criminals. As the graphic shows, the stats page showing the total number of compromised systems was reset in November.

The financial industry source also offered some compelling information about the complexity of the scammers' network with this graphic depicting the relationship between the Web-based components used to conduct this attack. It appears to employ an endless supply of new Web servers when law enforcers shutter active servers.

Shortly after one of the main infection servers was closed, another one popped up to replace it. Prominently placed atop the main parent directory that stored stolen data was the taunting message "o snova obratno," which loosely translates from Russian as "I'm back again."

Many readers have asked whether this particular invader has a name: it's called the VisualBreeze or "Vbriz" Trojan. It's also known as "Dimpy.Win32VB." Sunbelt Software has a write-up on some of its most interesting features.

As of December 2006, here's a very conservative snapshot of the number of accounts stolen by this criminal gang:

Bank logins:
Wachovia 237
Wells Fargo 483
Bank of America 953
CitiBank 297
WaMu 296
SunTrust 49
MiBank 6 2
BBVAnet 1

Web mail logins:
Yahoo 4,907
Google 820

As nasty as this whole enterprise appears, it may in fact reside at the lower end of the technical sophistication scale, at least compared to some of the more recent keylogger networks such as those created by the "Gozi" Trojan. Researchers at Atlanta-based SecureWorks discovered that virus. Their write-up contains some technical analyses, but scroll down toward the end for the most troubling bits. SecureWorks found that the total black market value of the data stolen by groups using the Trojan exceeds $2 million. The researchers found that the group offering the Trojan also offered full-service support for getting the Trojan and associated fraud networks operational, for a price.

By Brian Krebs  |  March 23, 2007; 3:19 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips


I finally got Trend Micro's free virus scan to work. Here are a few tips: you have to reduce your security settings for IE to medium or it will crash; remove any DVDs from the drive or it will significantly increase your scan time; or choose selective scan and select only your C drive.

Trend Micro did find a few things on my computer: a couple of cookies, one spyware program, and one trojan. Trend Micro did crash when trying to clean these, but at least it hung up while still allowing me to copy the locations. Three of the programs were in the temp files, which can be wiped clean thoroughly with the CC cleaner program, and I thought the trojan would be a false positive, as has happened numerous times before. It was not.

I found it located in the registry so it would re-load each time I rebooted my computer. It also had a folder in C/Programs. It loaded a freeware password recovery program from, but I am not sure it was able to get past the firewall and send information out.

Anyway, now that I have run all of the virus and spyware scans I can find, I am going to reset all of the passwords and start over. I am running out of passwords I can easily remember.

Posted by: PJ | March 25, 2007 2:19 PM

I would just like to say that I don't read the newspaper that often, but Brian Krebs' blogs and articles really are informative, and I look forward to getting my Washington Post Security Fix e-mails to read here in Austin, Texas. Keep 'em coming, Brian, and thanks for all your hard facts and research on what's going on in the tech world!

Posted by: Donovan Scott | March 26, 2007 9:39 AM

The breaches range over all kinds of in-advanced scamming. I mean, phishing is just mimicking another site. While it can be rather convincing, it does not take a large amount of technology to pull it off. Phishing, meanwhile, nets so many passwords and account numbers every day.

Posted by: Michael | March 26, 2007 12:22 PM

Just a thanks to you, Brian, for all your weeding out of the "bad guys'" tricks of the trade. My computer knowledge keeps increasing due to your expertise.

Posted by: Susan C. Dawson | March 26, 2007 12:40 PM


© 2010 The Washington Post Company