Network News

X My Profile
View More Activity

Tracking the Password Thieves

The Washington Post today ran a story I wrote about an epidemic of data theft being fueled by password-stealing viruses and phishing attacks. In some ways, the story behind the reporting that went into the piece is just as interesting, so I'd like to share a few of those details.

I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. This so-called "geo-IP" process is far from perfect: Sometimes these automated guesses are disturbingly accurate, and other times they are miles wide or completely wrong.

The approximate location of the 3,221 U.S. residents victimized by this virus (Data gathered by; image courtesy Secure Science Corp. and Google).

Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking. If Joe in Georgia starts suddenly withdrawing money or making purchases in Nigeria or Europe when his last transaction was an hour earlier in Atlanta, Joe's bank is going to flag the transactions as fraudulent and in all likelihood cancel the card.

I contacted about three dozen victims whose phone numbers I could find in this data cache, which included records of when and where victims went on the Web, and any credentials they used to access Web sites. The victims ranged from Myspace-browsing youngsters to credentialed "security experts" who claimed to be doing everything they should to keep a Windows PC healthy and virus-free.

The approximate location of the Washington, D.C. area residents victimized by this virus (Data gathered by; Image courtesy Secure Science Corp. and Google).

The victim I lead the story with works as an engineer for the Architect of the Capitol. On Jan. 19., the scammers tried to use his stock investment account to purchase thousands of shares in a penny stock for an adult entertainment company (AVTR.PK). This activity was directly related to a "pump-and-dump" scam, where the bad guys use spam to tout the value of small cap stocks that they've just invested heavily in with someone else's money; when the price goes up, the crooks sell off their shares, flooding the market with the stock, which usually causes anyone who has heeded the advice of the spammers to lose any money they invested.

One guy on the list is from Massachusetts and works in computer security for IBM. Another young man from Texas was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)

Another computer compromised by the virus belonged to a man in the D.C. area who works for the Federal Energy Regulatory Commission, which is part of the Department of Energy. Another machine in New York belonged to a woman working in the new accounts department at Bank of America (this wasn't her home computer; this was her PC at work.) Running some reverse lookups on the list of IPs produced more interesting results: Two of the machines were at biotech giant Amgen; another pair of keylogged PCs were inside of pharmaceutical maker Merck; still another belongs to the Massachusetts District Attorneys Association.

This graphic shows the Internet Service providers with the greatest numbers of victims affected by this virus. Taken together, these 14 ISPs accounted for about 80 percent of the victims. (

Further analysis of the data showed that it contained a large batch of medical patient information, including date of birth, SSNs, credit card numbers, and so on. The data was stolen from the computer of Biram Chapman, founder of Vidalia, Ga.-based Chapman Healthcare Services. The company had Symantec's Norton Anti-virus software installed, but the virus that infected his machine disabled the program's ability to download updates.

My analysis also turned up login information for, a consumer database company used by many police departments and investigators to track down individuals. Imagine the damage an identity thief could do from looking up the Social Security numbers and other sensitive data on as many Americans as he wants. Fortunately, I was able to get in touch with the gentleman who owned the Accurint credentials, an investigator with an Alabama district attorney's office, who changed his password before the thieves had a chance to use the account.

Some of the victims I spoke with acknowledged they were slacking in some measure needed to keep their Windows computer safe online, but others insisted their machines got infected even though they were doing all the things experts recommend, such as using a firewall and up-to-date anti-virus software, and applying security updates from Microsoft when they are released.

This brings up a good point: Don't download files of questionable origin or click on e-mail attachments willy-nilly. I scanned this particular virus against three free anti-virus tools at least three weeks after the malware first appeared, and none of them detected it as malicious.

Finally, it's important to bear in mind that while 3,221 victims may not sound like a great deal, we're talking about the damage done just to US-based victims through one piece of malicious software. There are thousands of versions of these password-stealing viruses in use today. Also, it appears that most victims of this virus infected their machines after opening a poisoned e-mail attachment (although the bad guys may well have distributed this malware via other means.) I cannot overstate the importance of Windows users being extremely cautious about opening unexpected attachments in e-mails, even if they appear to come from someone you know. When in doubt, fire a quick e-mail back to the sender to ask whether they really meant to send you the attachment.

So how did I find the stolen data online? I found it by scanning a piece of malware containing the crafty virus that I received via e-mail. I submitted the malicious software to the Norman Sandbox, which attempts to deconstruct malicious programs and provide information about any lines of communication the malware tries to establish online. In this case, the scan showed that the malware tried to transmit data stolen from infected machines to a Web site in Germany. Sunbelt Software's "malware sandbox" was equally helpful in understanding how this virus worked.

By Brian Krebs  |  March 14, 2007; 12:01 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple Releases a Bushel of Software Patches
Next: Task Force Shapes ID Theft Policy

No comments have been posted to this entry.

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company