A Fresh Look at Password Thieves
Security Fix recently published information about thousands of U.S. residents whose passwords and other data had been stolen by nefarious hackers.
Last week, I received more data about the number of victims caused by the hackers' Trojan horse computer program and more details about the complexity of the attack.
I originally reported there were about 3,220 victims scattered throughout the United States. After reading the story, a security officer at a financial institution notified me that he has been monitoring this same trove of stolen data since its inception. I've agreed not to name the individual or his employer.
According to his data, the attackers have been running this operation since at least October 2006. That is when they began exploiting a then-unpatched vulnerability in Microsoft Windows PCs; Microsoft issued a patch for the flaw later that month.
While he could confirm only about 3,200 current, active victims, the data he collected suggests that the criminals have stolen data from at least 10 times that many machines since December, according to the statistics page the criminals themselves use to track infections. As the graphic shows, the running total of compromised systems on that stats page was reset in November.
The financial industry source also offered some compelling information about the complexity of the scammers' network, including a graphic depicting the relationships between the Web-based components used to conduct this attack. The operation appears to have an endless supply of new Web servers to replace the ones that law enforcement shuts down.
Shortly after one of the main infection servers was closed, another popped up to replace it. Prominently placed atop the main parent directory that stored the stolen data was the taunting message "o snova obratno," which loosely translates from Russian as "I'm back again."
Many readers have asked whether this particular invader has a name: it's called the VisualBreeze or "Vbriz" Trojan. It's also known as "Dimpy.Win32VB." Sunbelt Software has a write-up on some of its most interesting features.
As of December 2006, here is a very conservative snapshot of the number of accounts stolen by this criminal gang, by account type:
- Wells Fargo: 483
- Bank of America: 953
- Web mail logins:
As nasty as this whole enterprise appears, it may in fact sit toward the lower end of the technical sophistication scale, at least compared to some of the more recent keylogger networks such as those built around the "Gozi" Trojan. Researchers at Atlanta-based SecureWorks discovered that Trojan. Their write-up contains some technical analysis, but scroll down toward the end for the most troubling bits: SecureWorks found that the total black market value of the data stolen by groups using the Trojan exceeds $2 million, and that the group offering the Trojan also sold full-service support for getting the Trojan and the associated fraud networks operational, for a price.
March 23, 2007; 3:19 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips