
Virtual Heist Nets 500,000+ Bank, Credit Accounts

A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

Researchers at RSA's FraudAction Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs.

RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks. The company says the cache was the bounty collected from computers infected with Sinowal going back to February 2006.

"Almost three years is a very, very long time for just one online gang to maintain the lifecycle and operations in order to utilize just one Trojan," said Sean Brady, manager of identity protection for RSA, the security division of EMC. "Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006."


Sinowal, also called "Torpig" and "Mebroot" by various anti-virus companies, constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month (see graphic above). Indeed, in the 24 hours ending Oct 30, security researchers at saw at least three new versions of Sinowal being released into the wild.

On Oct. 21, a new Sinowal variant was submitted to, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs - or 28.5 percent - identified it as malicious or even flagged it as suspicious. Another scan of a Sinowal variant sent to VirusTotal a week earlier yielded slightly better results, with just over half of the anti-virus tools detecting it as malicious.

Sinowal also is unique in that it hides in the deepest recesses of a host computer, an area known as the "Master Boot Record." The MBR is akin to a computer's table of contents, a file system that loads even before the operating system boots up. According to security experts, many anti-virus programs will remain oblivious to such a fundamental compromise. What's more, completely removing the Trojan from an infected machine often requires reformatting the system and wiping any data stored on it.
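A defender-side check for the failure mode described above, added here as an example and not taken from the article or from RSA's research: since anti-virus tools may never look at the MBR, a simple integrity check compares the 512-byte record's boot code against a SHA-256 baseline recorded when the machine was known to be clean. The layout parsed (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the standard MBR format; the sample records and the baseline are constructed for the demonstration.

```python
"""MBR integrity check (added example). Parses the classic 512-byte MBR layout,
hashes the boot-code region and compares it with a known-clean baseline hash.
All sample data below is constructed; no real disk is read."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # boot loader code precedes the partition table
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"       # bytes 510..511 of every valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into boot code, non-empty partition entries and signature state."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # partition type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_SIZE], "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; partition edits do not affect it."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()

def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return findings as strings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from known-clean baseline")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable Linux partition, three empty slots."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + SIGNATURE

CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stand-in loader bytes
BASELINE = boot_code_hash(CLEAN_MBR)                              # recorded while clean
TAMPERED_MBR = make_sample_mbr(b"\xeb\x58\x90")                   # loader bytes replaced

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the 512 bytes would come from the raw disk device (for example the first sector of the boot drive) read with administrative rights, and the baseline hash would be stored off-host so a compromised machine cannot overwrite it.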

The Trojan lies in wait until the victim visits one of more than 2,700 bank and e-commerce sites hard-coded into the malware, at which point it injects new Web pages or information fields into the victim's Web browser. For example, Sinowal can falsely prompt an unsuspecting victim for personal information, such as a Social Security number or password when he or she visits one of the targeted financial institution Web sites. Any stolen data is regularly uploaded to Web servers controlled by the Trojan's authors.


The makers of Sinowal typically have spread their Trojan by sewing malicious code into the fabric of large numbers of legitimate, hacked Web sites. When an unsuspecting Windows user visits one of these sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular video and music player plug-ins like Macromedia Flash and Apple's QuickTime player.

The Sinowal gang appears to have profited handsomely from a spate of high-profile Web compromises reported of late: More than 100,000 bank account credentials were stolen by the Trojan in the last six months alone, RSA found (see graphic above).

It's not clear exactly who's behind these attacks, but evidence points to Russian malware gangs. Brady said Sinowal had early ties with the Russian Business Network, a notorious, cyber-crime friendly Web hosting firm in St. Petersburg, Russia, that was dispersed last year due to international media attention. While the Sinowal authors no longer use RBN as a home base, Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries.


According to several analysts at iDefense, a security intelligence firm in Sterling, Va., more than a dozen criminals operating the Sinowal data theft network have been thumbing their noses at authorities for some time. While examining a Web server used in a Sinowal attack earlier this year, iDefense found a spoof of the U.S. Marshals Web site apparently created by the criminals (see the image above).

iDefense said each nickname on the fake site corresponds to the digital credentials that gang members used to access the Web server. The bogus wanted poster includes caricatures of such famous figures as Mikhail Gorbachev; Leonid Brezhnev; Joseph Stalin ("Perevodchik," or "translator" in Russian); Vladimir Lenin; and Russian Prime Minister Vladimir Putin ("Shaitan," or "devil").

By Brian Krebs  |  October 31, 2008; 7:00 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0  


This is one of the reasons Obama should have never lowered the security systems on his website. With so much news attention given about donations from millions of people, I'm sure that these criminals were trying to get into his system, and probably could with lax security.

Posted by: sukkie34 | October 31, 2008 8:57 AM | Report abuse

So, what do we do??? How do we find out whether our data has been compromised?

Posted by: Bobthetechguy | October 31, 2008 10:40 AM | Report abuse

@Bob- RSA has been notifying the affected financial institutions. But one thing readers should take away from this story is a reminder of the importance of patching third party apps, like the ones mentioned in the blog post.

Something else I think is interesting about this case is it really highlights the imbalance of law enforcement/investigations into digital crime vs. main street crimes. If bank robbers made off with half a million dollars -- to say nothing of the balance from a half million account numbers! -- that would be big news, as most real-life bank heists net only a few thousand dollars on average.

In reporting this story, I heard from some researchers a kind of blase reaction, as in: only 500,000 credentials? Meh.

Posted by: BTKrebs | October 31, 2008 10:51 AM | Report abuse

Symantec reported the initial Mebroot Trojan virus was detected in January 2008.

A rapid release version was then issued on Oct 30th 2008.

Posted by: B2CC | October 31, 2008 10:56 AM | Report abuse

Why is it that everyone reports after the Barn Door has opened and the data has all disappeared? Aren't there any real journalists, Chairmen, CEOs, CFOs, CIOs & CTOs investigating how we as a small OEM have solved the problems? Here's your chance. All we want to do is help our Country protect its Critical Infrastructure. Unfortunately, everyone else has relied on software, Levels 2-7 of the ISO standard model. When we detect a hack, in under a millionth of a second the hacker(s) are automatically shunted out of the network(s) where they can be monitored. In our protected networks, they stay up whether one port or thousands of ports. References on request, but here's two: The Canadian Govt of Public Safety (DHS) and a large NJ County's Data Centers humming along 24X7X365 + leap year.
I welcome each and every responsible communication: Bob Pollock, CEO, Continuum Partners, Suite 204, 20 E. 68th St., NY 10165, (Mail) & (M) 917-497-5523

Posted by: continuump | October 31, 2008 10:59 AM | Report abuse

And when one of those blase researchers' personal information is compromised or perhaps their child's information is inadvertently compromised, how will they perceive this problem?

Wow. There is no question, Internet-based crime is allowed to continue at egregious levels due to societal permissiveness and ignorance. The mentality of 'if it doesn't impact me, who cares' will come back to bite us. And hard.

Computers allow us to manipulate large blocks of data and very large numbers w/o a second thought. The de-humanizing of how a single compromised data record in a sea of ones and zeros can royally screw up a person's life is something about which we should probably pay more attention.

/signed 'not just another number'

Posted by: CB12 | October 31, 2008 11:30 AM | Report abuse

Brian, where is your buddy with the FBI's Cyber Crime Division on this? Wouldn't you think they'd be all over it? Or are they among the legion of "blasé don't care" folks?

Posted by: peterpallesen | October 31, 2008 4:02 PM | Report abuse

Think of the identity theft this kind of operation will lead to. Now think of an identity theft gone wrong. See

Posted by: jheubusch | October 31, 2008 5:45 PM | Report abuse

Am I mistaken, Brian, or are Real Estate sites just not being targeted?

With all the issues in the current market, they probably wouldn't get too much of value ugggggg.

Posted by: | November 1, 2008 6:50 AM | Report abuse

Simple solution to this problem - don't use Windows. There are other choices, like Macintosh and Linux.

Posted by: gmfeier | November 2, 2008 5:31 AM | Report abuse

I would suggest to people that really care about security and privacy to *stay far, far away* from Windows and any other MS DOS derivative; they are simply Swiss cheese (from a security standpoint).

Use Linux or Macs. In this respect it is wise to imitate the best computer scientist in the world, Donald Knuth:

Posted by: ombzzz | November 2, 2008 8:50 AM | Report abuse

Online accounts protected by SoundPass can have all your Login credentials stolen but your SoundPass software virtual token will still prevent your account from being hacked.

So you do not need to jump ship from Windows and spend more money on new computers. You just need your online accounts properly protected.

I read where CUNA stated on Oct 8 that Images & Phrases, Challenge Questions, OTP display tokens, and IP Address solutions are NOT secure.

Well, these solutions make up the biggest percentage of authentication solutions used today by our financial institutions for accessing online banking or paying your credit cards etc. online. So we wonder why our online accounts get hacked...??

Posted by: mangelinovich | November 4, 2008 4:09 AM | Report abuse


© 2010 The Washington Post Company