Computing News | Phony Ad On Job Sites Leads To 100,000 Stolen Identities

Latest News | News Archive |

Posted by: Tweaker
Date added: 04:15 Sunday, 19th August 2007 GMT
Source: Information Week News

The Trojan stealing the data was hidden in a fraudulent advertisement on online job sites like Monster.com.

Security researchers have unearthed the single largest cache of stolen identities, thanks in part to a Trojan stealing the data that has been hidden in a fraudulent advertisement on online job sites like Monster.com.

Don Jackson, a researcher with security company SecureWorks, told InformationWeek that he found 12 data caches connected to one group using the latest variance of the Prg Trojan, which also is known as Ntos, Tcp Trojan, Zeus, Infostealer.Monstres and Banker.aam. Several of the 12 found caches contain information on about 4,000 to 6,000 identity theft victims, but one contains about 10,000 and the largest one contains 46,000.

He estimates that between the 12 caches, there probably is information on about 100,000 stolen identities.

"That's at least four times as large as the largest ones I've run across before," said Jackson. "That tells me they're using a lot of different methods to do what they do or they've found really reliable methods to do it."

Jackson calls the identity theft organization behind the caches the "car group" because they've named each of the servers storing the information for a different auto manufacturer, like Ford, Mercedes, Chrysler, and French carmaker Bugatti.

The data, which includes bank and credit card account information, Social Security numbers, online payment account usernames and passwords, comes from victims who were all individually infected with the Trojan beginning in early May.

He said the latest variant of the Prg Trojan has been running on fraudulent ads on at least two online job sites. One, he said, is Monster.com. Representatives from Monster did not return a request for an interview.

"The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan," said Jackson. "When a user views or clicks on one of the malicious ads, their PC is getting infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL-protected sites, is being captured and sent off to the hacker's server in Asia Pacific."

The Trojan is designed to exploit several different software flaws, including vulnerabilities -- all of which have been patched by the vendors -- inMicrosoft( MSFT)'s Internet Explorer browser, WinZip and Apple's QuickTime.

Different hacker groups are selling a kit that helps malware authors compile new versions of the Prg Trojan. The kit, which sells for about $300 on underground forums and marketplaces, even re-scrambles the code to evade anti-virus detection.

SecureWorks noted that computers infected with the Prg Trojan will have a backdoor proxy server listening for connections on Port 6081. "This port is in not assigned to legitimate services and is not hidden by the rootkit functionality. f port 6081 is open on your computer, you are likely infected with the Prg Trojan," said Jackson. "If anti-virus is not detecting the infection, then you will need to boot the computer into Safe Mode and run another scan. If that fails, manual removal or reinstalling the operating system may be necessary."

  Tools: Post a comment | Link to this news item | Send to a friend | Submit News

Error: You are not logged in.

In order to leave comments to news articles you must be a Cyber Tech Help Member.

Registration is completely free!    Register to become a member

Along with access to leave comments to news articles you will be able to ask any computing questions you might have on the Cyber Tech Help Forums.

[  To top | Latest News | News Archive | ]