By Brian Krebs
washingtonpost.com Staff Writer
March 14, 2007
Robert Hoyler thought hackers who broke into his computer stole only his
bank account information. But it turned out that the thieves also left
something behind: a hidden software virus that recorded his every
So when Hoyler's bank issued him new account numbers and passwords, the
hackers got all that information, too. His health insurance, online
shopping and Social Security data went into a file in a master database
at a Web site controlled by the attackers, stashed among personal
information on more than 3,220 U.S. residents.
"These guys got everything, but all I knew was that my financial
accounts were compromised," said the 66-year-old Fairfax engineer, who
learned of the virus from a reporter who used forensic tools from
computer-security firm Sunbelt Software in February to locate the Web
server hosting Hoyler's private information.
Such attacks are evidence of the sophistication and depth of technical
manipulation by hackers, and the challenges facing consumers and law
enforcement agencies in fighting them.
Online crime is easier, in part because tools for carrying out attacks
are readily available and harder to purge from computers. Moreover, for
consumers like Hoyler, there is often no surefire way to know how or
what information has been stolen. Notifying individual victims is
time-intensive and expensive, and law enforcement agencies and credit
bureaus say it's not their job.
Many viruses that send junk e-mail also include password-stealing
components, and some combine such technology with fake Web sites
mimicking trusted online brands, which can be particularly deceptive.
More than 1,000 fraudulent sites known as "phishing" sites are erected
each day, according to the Anti-Phishing Working Group, an industry
organization. Scammers can net 20 to 100 victims per case, according to
CastleCops, a volunteer group of security experts that analyzes
malicious software and phishing sites and provides information to
police, Internet service providers and affected companies.
Contributing to the proliferation of Web-based crime is the broad
availability of online tools.
"Basically we're at the point where the scammer can go into the virtual
tackle store and buy all the equipment he needs to get a phishing scam
working," said Lance James, founder of security-software developer
Secure Science. "There's the guy who writes the [virus] who says,
'Here's your phishing rod, here's some of our best bait, here are the
best sites to attack, and if you pay me an extra $200, I'll tell you
some of the best sites you can hack into.' "
The virus that stole Hoyler's information came from Web sites based in
Eastern Europe, according to the information tracked by Sunbelt
Software. It infiltrated the new-accounts department of a major U.S.
bank, a medical patient database in Georgia and an Alabama district
attorney's office containing a database used by police departments to
trace people, according to information obtained with the Sunbelt
Hoyler's bank told him in January that someone had tried to wire money
out of his account. Days later, Fidelity Investments notified him that
someone tried to use his log-in information to purchase thousands of
shares of an adult-entertainment company.
The government has acknowledged a need to do more for identity-theft
victims. Last year, the Bush administration created an identity-theft
task force that has proposed creating a center that would help victims.
Federal law enforcement officials said they routinely provide data they
uncover on compromised credit and debit accounts to MasterCard, Visa and
other credit-card issuers. The FBI also said it recently began sharing
caches of stolen consumer data with the fraud departments of the three
major credit-reporting bureaus.
But because credit-card companies often do not get any more information
about the extent of the breaches, victims of viruses or scams may think
that their problems have been resolved after being issued new credit or
debit cards. And such agencies as the FBI handle too many incidents to
notify online crime victims individually.
"We're just getting overwhelmed with this [compromised] consumer data,
but it's not exactly law enforcement's job to call each victim and
explain the situation," said Dan Larkin, an FBI agent who heads the
National Cyber-Forensics & Training Alliance in Pittsburgh.
Credit bureaus are not required to notify consumers.
"The credit bureaus work on behalf of banks and companies that grant
credit," said Ari Schwartz of the Center for Democracy and Technology, a
consumer advocacy group in Washington. "They're not set up to be
And the credit bureaus say they are not in the habit of reaching out to
consumers whose private information may have been compromised.
"Normally we would not put a fraud alert on a file without a consumer
being involved" or initiating it, said Maxine Sweet, a vice president
with Experian, one of the three major credit-reporting bureaus. "That's
just not something we generally do."
Copyright 2007 The Washington Post Company
Visit the InfoSec News Security Bookstore