Tue 9 Aug, 2005 04:55 am
Sunbelt Discovers Major ID Theft Ring
Jack M. Germain, newsfactor.com Mon Aug 8, 2:40 PM ET
According to Florida security software firm Sunbelt Software, both the Federal Bureau of Investigation (FBI) and the Secret Service are looking into evidence of a possible international identity theft ring the company discovered last Thursday.
Sunbelt President Alex Eckelberry announced the discovery of the spyware ring in a blog on his company's Web site on Friday. He provided more details in blog entries over the weekend.
Phil Owens, Sunbelt's product manager of security tools, and David Bove, Sunbelt's director of spyware research, said the company's spyware researcher, Patrick Jordan, discovered suspicious server activity that was delivering malicious spyware late Thursday.
They said Jordan discovered a keylogger program running on a test computer and traced that file's payload location to the source, where he succeeded in accessing stolen information in a large text file stored there.
Keylogger programs are secretly installed spyware components that capture information entered into computers without the users' knowledge. The text file generated by the keylogger program contained bank account numbers, financial URLs, user identifications, search terms, social security numbers, credit cards, user passwords and eBay account information.
Scale Unimaginable
Eckelberry wrote in a blog entry on Saturday that the text file contained information from thousands of zombies, or spyware-compromised computers. "The scale is unimaginable," he wrote.
Eckelberry's blog said that Jordan was doing research on an exploit when he discovered the theft ring. Jordan found that the machine he was testing became a spam zombie during the course of his research. He noticed a call-back to a remote server where he found "an incredibly sophisticated criminal identity theft ring."
According to Eckelberry, the server domain to which Jordan traced the call-back is registered to a foreign entity. However, the server itself is in the U.S.
Evidence of Spyware
Sunbelt's Owens and Bove said the keylogging-generated text file was growing at 200 KB per hour. It contained banking information from user accounts from around the world. "The information was in more than one language, but we were able to work with the information sent to the server in English," they said.
They watched the date and time stamps get appended to the text file at the receiving URL for several hours. They also observed the URL's operators take down the text file periodically, presumably to process the stolen information, then put the text file back online.
"That was quite a scary database they were accumulating," said Owens. "We watched data get reported from multiple time zones."
Contacted Some Victims
Owens said he and Bove notified Eckelberry Thursday night about their discovery. Together, trying to figure out what the keylogging program was doing, the company officials accessed several of the bank accounts using information Jordan obtained from the text file on the rogue server.
"We logged directly into two accounts. One account held US$350,000; the other one had $11,000. The accounts were readily accessible for electronic transactions," Owens said.
"It was actually quite a scary experience when we were logging onto bank sites," said Bove.
They contacted those two account holders about the identity theft and contacted the FBI Thursday night.
Victims Jeopardized
Eckelberry wrote in his blog that company officials were so disturbed by the impact of the identity theft on some of the victims that they were compelled to contact them right away.
"We contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote.
Eckelberry said he personally contacted one family in Alabama whose father was recovering from heart surgery and had very little money. All of their financial and personal information was exposed.
"We were able to warn them in time before they were seriously hurt," he said.