
Massive ID Theft Ring Found


Original Message
Name: suzi
Date: August 7, 2005 at 22:24:46 Pacific
Subject: Massive ID Theft Ring Found
OS: XP Pro SP2
CPU/Ram: P4 RAM 1Gig
Comment:

and Why You Need a Firewall

Massive identity theft ring

"In some recent research into a spyware exploit, our research team has discovered a massive identity theft ring.

We also found the keylogger transcript files that are being uploaded to the servers.

This is real spyware stuff—chat sessions, user names, passwords, bank information, etc. We have confirmed that this data is valid. Highly personal information, including even one fellow who has a penchant for pedophilia -- all logged in detail and returned to a webserver.

Note that there is a LOT of bank information in here, including one company bank account with over US$350,000 and another small company in California with over $11,000 readily accessible. This list goes on and on and on. Of course, there's also eBay accounts and much more."

Follow up: Identity Theft Update

Why you need a firewall

I found this in a post on a security forum today.

"I have just come from the bank where I had to close my acct because of an unauthorized withdrawal. I suspect malware/keylogger. I have done a HijackThis scan and started googling the scan results when this happened. Here are the results; I sincerely hope someone can tell me what is going on."

A victim of the same ring? Possibly. I also found this post on SpywareWarrior's forum.

"I recently switched to Win XP with SP2. Noticed that there's a constant stream of outgoing data from my machine, whenever I connect to the net. This goes on even when all browser windows are closed and with no other programs running.

I installed a firewall (Sygate) to block this outflow. The files that try to transmit data and their destinations are as follows [...]"

What can users do to protect themselves from identity theft and keyloggers/trojans? First and foremost, everyone who accesses the internet should have a software firewall. I don't care if you have a router, use the Windows XP firewall or are on dial-up, you NEED a firewall. (I know some people dispute this but IMO they are dead wrong.) Here's why. A router and the Windows firewall do provide some protection from incoming threats but they do not block outgoing traffic from your computer to the net. Note the user in the forum topic above said:

"Noticed that there's a constant stream of outgoing data from my machine, whenever I connect to the net. This goes on even when all browser windows are closed and with no other programs running."

After he installed the firewall, he was able to stop the transmission of data to the net.

If anyone thinks they can't afford a firewall, they are mistaken. There are a few free firewalls that do a great job of monitoring and controlling traffic to and from your computer to the net. The user above mentioned the Sygate firewall. There's also Zone Alarm free version and Kerio. An antivirus program with real time protection is also essential. Again, there are free AV programs such as AVG, Avast and AntiVir. Google will help you find them.

From my blog here:

http://netrn.net/spywareblog/archives/2005/08/05/massive-id-theft-ring-discovered/

In the news here:
http://www.computerworld.com/securitytopics/security/story/0,10801,103737,00.html

Also in the Spyware Weekly from Spywareinfo.com

http://www2.spywareinfo.com/category/news/cws-id-theft/

Suzi
Spyware Warrior
MS MVP Windows-Security 2005
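An added example, not from Suzi's post or from any firewall product named in it: a small Python triage over constructed egress-firewall log lines (the line format, allowlist and process names are assumptions) that flags a process repeatedly connecting out while the user is idle, the symptom quoted above. Inbound rows are skipped on purpose to mirror what a router or the XP firewall alone would see of this traffic, which is nothing.

```python
# Added example, not from the post: triage an egress-firewall log for the symptom
# described above (a process sending data out while the user is idle). The format
# time|process|direction|remote|bytes and the process names are constructed.
from collections import defaultdict

# Assumed allowlist: programs the user expects to make outbound connections.
KNOWN_OUTBOUND = {"iexplore.exe", "firefox.exe", "avgupd.exe"}

# Constructed sample log; remote addresses are from documentation ranges.
SAMPLE_LOG = """\
22:01:05|iexplore.exe|OUT|192.0.2.10:80|4120
22:01:09|svchost.exe|IN|192.168.1.1:67|328
22:02:00|svcupd.exe|OUT|198.51.100.23:80|2048
22:02:30|svcupd.exe|OUT|198.51.100.23:80|2048
22:03:00|svcupd.exe|OUT|198.51.100.23:80|2048
22:03:30|svcupd.exe|OUT|198.51.100.23:80|2048
22:04:10|firefox.exe|OUT|203.0.113.8:443|9123
"""

def parse_egress_log(text):
    """Yield (process, direction, remote, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5:
            continue
        _time, process, direction, remote, nbytes = fields
        try:
            yield process.lower(), direction.upper(), remote, int(nbytes)
        except ValueError:
            continue

def suspicious_talkers(text, allowlist=KNOWN_OUTBOUND, min_connections=3):
    """Outbound (process, remote) pairs outside the allowlist that reconnect
    repeatedly. Inbound rows are ignored on purpose: an inbound-only filter
    (router NAT, XP's firewall) never sees the traffic this function flags."""
    tally = defaultdict(lambda: [0, 0])  # (process, remote) -> [count, bytes]
    for process, direction, remote, nbytes in parse_egress_log(text):
        if direction != "OUT" or process in allowlist:
            continue
        tally[(process, remote)][0] += 1
        tally[(process, remote)][1] += nbytes
    return sorted(
        (proc, remote, count, total)
        for (proc, remote), (count, total) in tally.items()
        if count >= min_connections
    )

if __name__ == "__main__":
    for proc, remote, count, total in suspicious_talkers(SAMPLE_LOG):
        print(f"{proc} -> {remote}: {count} connections, {total} bytes out")
```

Anything this reports is a prompt to look the process up, not proof of infection: a legitimate updater that is missing from the allowlist produces the same pattern.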





Response Number 1
Name: capt
Date: August 8, 2005 at 06:03:26 Pacific
Reply:

Thanks Suzi for the information. I think you are doing a great job at your site at spywarrior. It is nice hearing from you here again. All the best!



Response Number 2
Name: XpUser
Date: August 8, 2005 at 07:43:39 Pacific
Reply:

Hi Suzi :-) Thanks for posting this alert. Last Friday ComputerWorld published a similar article HERE. In this report, the massive ring was discovered the day before while Sunbelt was researching a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS). This article is quoted as saying:

CWS programs are extremely hard to detect and remove, and are used to redirect users to Web sites that use spyware tools to collect a variety of information from infected computers.

The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the U.S. That server holds a "treasure trove of information" for ID thieves, Eckelberry said.

Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.

Many of the records being uploaded also contained eBay account information, he said. Among the highly personal bits of information Sunbelt was able to retrieve from the server were one family's vacation plans, instructions to a limo driver to pick up passengers from an airport and details about one computer user with a penchant for pedophilia.

It's a scary world out there, isn't it?

Regards


i_XpUser



Response Number 3
Name: suzi
Date: August 9, 2005 at 00:50:44 Pacific
Reply:

Scary all right! Capt, good to see you again.

OT:
Btw - what happened to KTTD? It looks like he is not around anymore. He actually posted a HijackThis log and asked for help at my forum a few months ago.

Suzi
Spyware Warrior
MS MVP Windows-Security 2005



Response Number 4
Name: XpUser
Date: August 9, 2005 at 05:32:41 Pacific
Reply:

I've not seen him around either and dunno what happened. BTW it's interesting to note his visiting your great site for help with an HJT log. Hope everything worked out successfully.

i_XpUser



Response Number 5
Name: Chunko
Date: August 9, 2005 at 21:29:06 Pacific
Reply:

"Btw - what happened to KTTD? It looks like he is not around anymore. He actually posted a HijackThis log and asked for help at my forum a few months ago."
You know I was wondering the same thing.
Wasn't he still moderating here?
And why would he need help with a hjt log?
I figured he'd be the last person here to get infected.
Weird..


Asus A8V Deluxe Rev.2
AMD Athlon 64 3800+/Newcastle
1 Gig Corsair PC3200
ATI Radeon 9800Pro/ATI Silencer 1Rev2
catalyst 5.6
Sound blaster audigy gamer
Antec430
Via 4.55 Drivers




Response Number 6
Name: apackolipsnow
Date: August 10, 2005 at 23:25:29 Pacific
Reply:

Does it really matter what happened to KTTD?
He was really sarcastic in the past while, he will not be missed by me....that's for sure. Too many people have been in computing.net for too long and definitely have an attitude problem...I'm not mentioning any other names! It's good to see some new usernames popping up...

Now speaking of identity theft....I ordered some DVD+R printables and got the weirdest problem. I live in Florida (my Visa card is Canadian) and I ordered from supermediastore.com; they had some good deals on. The next day I got an e-mail saying the order was on hold. They wanted a photocopy of my Visa, front and back with my signature, and also a copy of my passport (said it was an international card?)...which I immediately refused. Visa stopped my card & sent me a new one. So I figured I'd get my friend who had a USA Visa to order the DVDs. Lo & behold, they also put his order on hold & requested photocopies of the front & back of his card...NOT!
Visa said that it sounded like Identity theft.

SO, BEWARE!



Response Number 7
Name: ldsi04
Date: August 12, 2005 at 08:47:55 Pacific
Reply:

HI,
I loaded Trend's antivirus which comes with a firewall. Are the default settings secure enough? I wouldn't know what would look suspicious in outgoing packets. Is there somewhere that can help me configure it properly? Is there something that tells me how to read my logs so I don't panic over something that belongs?



Response Number 8
Name: Chunko
Date: August 12, 2005 at 20:27:28 Pacific
Reply:

Hi mikeldsi,
I'm not sure if there are any forums for Trend but you can try their web site http://www.trendmicro.com/en/home/us/enterprise.htm
Or maybe Google will give some good results.
BTW I use Outpost firewall and NOD32 AV. This seems to be the perfect security match IMHO.
Outpost even has a support forum!


