This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Content-Type: TEXT/PLAIN; charset=UTF-8
By Anna Mikhailova and Jon Ungoed-Thomas
The Sunday Times =09
September 03, 2006
ABOUT three weeks ago, Cheryl Lambert bought a =C2=A3179 surfboard on eBay
for her daughter. Soon after, she noticed her computer started to
behave erratically and within a few days it had ground to a halt.
"It just completely crashed," said Lambert, 38, a community worker who
lives in Helston, Cornwall. "The anti-virus software was saying the
computer was infected, but it just couldn't fight it. The computer got
slower and slower and then it just stopped."
A few days after her desktop machine was unplugged from the internet,
Lambert's personal details appeared on a Russian website.
Her home phone number, her address, her credit card number and her
e-mail address with Tesco were all listed on a forum where criminals
and computer hackers trade stolen identities. Lambert cancelled her
gold Lloyds TSB card when she was alerted by The Sunday Times to what
had happened, but one fraudulent transaction for =C2=A310.70 had already
Lambert is believed to have fallen victim to malicious "trojan"
software. This can be unwittingly downloaded from an e-mail attachment
or website and then quietly records details of passwords, security
codes and credit card numbers used on secure websites. The information
is relayed back to the author of the malicious software.
The Russian website that posted Lambert's details, www.carder.info, is
one of a network of sites which trade in stolen identities. Thousands
of passwords for e-mail accounts, security numbers for credit cards
and access codes for shopping websites are offered for sale online
after being "harvested" from trojan software.
In a four-week investigation a Sunday Times reporter approached users
on Russian websites who were offering stolen identities for sale. The
site includes a step-by-step guide to stealing identities and using
the information without detection.
The reporter was offered stolen data on British citizens ranging in
price from $2 to $5 per person. She requested a free sample and at
11.50pm on August 23 the details of more than 30 individuals were
posted online, 13 of whom were British.
Max Haffenden, 27, an IT worker from Bexhill-on-Sea in East Sussex,
was among those on the list and he confirmed last week that The Sunday
Times had obtained his secret password from the Russian website. He
uses the password - which has now been cancelled - for his personal
Yahoo! e-mail account, payment transfers using PayPal and online
"I am amazed someone could have got access to these details," he said.
"I have a good idea of how computers work and how to be as secure as
possible. I only trust a site with my details if it has a "padlock" to
show it is a secure server."
Haffenden, who used a computer firewall and anti-virus software, said
his computer's systems alerted him to malicious software, which he
said might have been a trojan, about a year ago. He was unable to fix
the problem but said it did not affect the performance of his
Others on the list said there had been no apparent problems with their
machines. Nick Riches, 40, from Basingstoke in Hampshire, who also
works in the computer industry, was among those targeted. He confirmed
his "standard secure password" had been obtained by the Russian
website, along with his Hotmail access, his home address and details
of a NatWest card. He said he regularly scanned his computer for
viruses but had not been aware of any malicious software.
There was evidence last week that the fraudsters had already used some
of the personal data to steal money. Cards belonging to Haffenden and
Riches had been used without their permission on an internet gambling
site, Unibet, in the past month with payments of =C2=A3400 and =C2=A3512.50=2E
Stolen data offered on foreign websites is usually obtained from
hacking into the database of an online company to obtain customers'
details or from infiltrating a personal computer.
While nearly all computer users are alert to the threat from viruses,
many are unaware of trojans, which can covertly install themselves via
a website or e-mail attachment.
Carole Theriault, senior security consultant at Sophos, an internet
security company, said: "Viruses basically had bells and whistles to
say "we've got you" and spread rapidly around the internet. Trojans
are very different. They don't spread on their own and may not even
affect the performance of your computer, but when you go on sites like
eBay or check your account online, they can record the keys you press.
"About 70% of the reports of new threats of malicious software are
trojans. The people who send them out don't hit so many computers
because they don't want to make the headlines."
Theriault said that a firewall and regularly updated anti-virus
software would help reduce the threat from trojans, but there was no
100% solution. "It's like driving a car," she said. "There's always a
risk. You just have to do everything you can to reduce it."
One of the problems is that some trojans are not always identified by
anti-virus software. One trojan, called A311 Death or Haxdoor, has
infected an estimated 35,000 computers worldwide, including 10,000 in
A warning from the Australian Computer Emergency Response Team stated:
"If your computer is already compromised with an input/output
monitoring trojan, SSL (encryption) cannot prevent the trojan from
capturing web form data, keystrokes, and passwords."
In the UK many people are unaware of the threat. An official Home
Office leaflet providing advice on identity theft does not even
mention the importance of computer security. The government does,
however, support a website, Get Safe Online, which provides
information on protecting a home computer.
Despite the warnings and security software available, obtaining
personal data stolen from British computers is easy. It is also cheap,
with passwords being traded online for as little as =C2=A31.
Using an internet Cyrillic keyboard to enter the word "carding" on the
Google search engine, a Russian-speaking Sunday Times reporter was
presented with an array of sites offering stolen data and bogus
One website - called carders0.tripod.com - had a virtual shopping
basket of identity fraud, with "buy now" icons next to every item. The
products on sale included credit cards - both fake and real - driving
licences, travellers' cheques, fake passports and machines to make
credit cards. The site included starter packs for fledgling fraudsters
The same site also offered a service called Rebirth in which visitors
were offered the chance to "buy a whole new identity from Britain or
Ireland". Costing =C2=A313,000, the package offered a new passport and a
birth certificate. The Sunday Times was unable to confirm whether
genuine documents would be exchanged for an online payment.
At the lower end of the scale, a range of websites offered stolen data
that could be used to access subscription services, pay for goods
online or transfer funds. Some of the data are even posted for free as
samples to interested buyers. After using the data, one user of
www.carder.info commented on the website: "Thanks, found some valid
stuff. Put up more."
The batch of stolen data provided to the reporter included passwords
for e-mail accounts, credit card numbers and home telephone numbers of
people in Bishop's Stortford in Hertfordshire, Spalding in
Lincolnshire, Blackpool, Hartlepool and Glasgow.
A week after the reporter was given the sample, she was able to
retrieve the passwords for the PayPal accounts of 19 Britons from the
site. The information would enable fraudsters to gain access to
accounts and transfer funds.
The www.carder.info site is registered to 340 Pushkinskaya in Moscow.
The house number does not exist. The Russian-based company that hosts
the site, Net of National Telecommunications, would not comment last
week, but is understood to be in contact with police about any
suspected illegal transactions.
Lennart Ehlinger, group security controller for the London-based
Unibet, said it was difficult to detect fraudulent use of credit cards
if the fraudster was able to provide a security code, number and home
A spokesman for Apacs, the UK payments association, said hackers who
stole personal information often evaded detection by using a network
of foreign websites.
A spokesman for PayPal said its servers were secure, but information
on passwords was sometimes compromised by trojan software and
"phishing", which uses spoof websites to obtain user information.
Additional reporting: Mark Franchetti in Moscow
HOW TO STAY SAFE ONLINE
The risks can never be wholly eliminated, but experts recommend:
* Never go online without first ensuring your computer is protected
with a firewall and anti-virus software. An unprotected computer is
on average infected within 12 minutes of being plugged into the
internet, according to research by Sophos, the computer security
* Always make sure you have the latest anti-virus software, which is
regularly updated. Use software such as McAfee (uk.mcafee.com) or
Norton (www.symantec.com). It costs money, but is recommended for
* Consider installing software that scans your system for downloads
that secretly monitor your computer use. Products such as Spybot
Search & Destroy (www.safer-networking.org) can be downloaded free.
* Never download software from unknown sites. The downloads can
harbour trojans. Similarly, never open e-mail attachments from
* When entering details on a banking website or payment service, such
as PayPal, carefully check the website address. A trojan can direct
a computer to a spoof site.
* If your computer is performing erratically or slowing down, then
scan it with anti-virus software.
Content-Type: text/plain; charset="us-ascii"
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/