http://www.washingtonpost.com/wp-dyn/content/article/2007/03/13/AR2007031301522.html 

By Brian Krebs
washingtonpost.com Staff Writer
March 14, 2007

Robert Hoyler thought hackers who broke into his computer stole only his 
bank account information. But it turned out that the thieves also left 
something behind: a hidden software virus that recorded his every 
keystroke.

So when Hoyler's bank issued him new account numbers and passwords, the 
hackers got all that information, too. His health insurance, online 
shopping and Social Security data went into a file in a master database 
at a Web site controlled by the attackers, stashed among personal 
information on more than 3,220 U.S. residents.

"These guys got everything, but all I knew was that my financial 
accounts were compromised," said the 66-year-old Fairfax engineer, who 
learned of the virus from a reporter who used forensic tools from 
computer-security firm Sunbelt Software in February to locate the Web 
server hosting Hoyler's private information.

Such attacks are evidence of the sophistication and depth of technical 
manipulation by hackers, and the challenges facing consumers and law 
enforcement agencies in fighting them.

Online crime is easier, in part because tools for carrying out attacks 
are readily available and harder to purge from computers. Moreover, for 
consumers like Hoyler, there is often no surefire way to know how or 
what information has been stolen. Notifying individual victims is 
time-intensive and expensive, and law enforcement agencies and credit 
bureaus say it's not their job.

Many viruses that send junk e-mail also include password-stealing 
components, and some combine such technology with fake Web sites 
mimicking trusted online brands, which can be particularly deceptive. 
More than 1,000 fraudulent sites known as "phishing" sites are erected 
each day, according to the Anti-Phishing Working Group, an industry 
organization. Scammers can net 20 to 100 victims per case, according to 
CastleCops, a volunteer group of security experts that analyzes 
malicious software and phishing sites and provides information to 
police, Internet service providers and affected companies.

Contributing to the proliferation of Web-based crime is the broad 
availability of online tools.

"Basically we're at the point where the scammer can go into the virtual 
tackle store and buy all the equipment he needs to get a phishing scam 
working," said Lance James, founder of security-software developer 
Secure Science. "There's the guy who writes the [virus] who says, 
'Here's your phishing rod, here's some of our best bait, here are the 
best sites to attack, and if you pay me an extra $200, I'll tell you 
some of the best sites you can hack into.' "

The virus that stole Hoyler's information came from Web sites based in 
Eastern Europe, according to the information tracked by Sunbelt 
Software. It infiltrated the new-accounts department of a major U.S. 
bank, a medical patient database in Georgia and an Alabama district 
attorney's office containing a database used by police departments to 
trace people, according to information obtained with the Sunbelt 
software.

Hoyler's bank told him in January that someone had tried to wire money 
out of his account. Days later, Fidelity Investments notified him that 
someone tried to use his log-in information to purchase thousands of 
shares of an adult-entertainment company.

The government has acknowledged a need to do more for identity-theft 
victims. Last year, the Bush administration created an identity-theft 
task force that has proposed creating a center that would help victims.

Federal law enforcement officials said they routinely provide data they 
uncover on compromised credit and debit accounts to MasterCard, Visa and 
other credit-card issuers. The FBI also said it recently began sharing 
caches of stolen consumer data with the fraud departments of the three 
major credit-reporting bureaus.

But because credit-card companies often do not get any more information 
about the extent of the breaches, victims of viruses or scams may think 
that their problems have been resolved after being issued new credit or 
debit cards. And such agencies as the FBI handle too many incidents to 
notify online crime victims individually.

"We're just getting overwhelmed with this [compromised] consumer data, 
but it's not exactly law enforcement's job to call each victim and 
explain the situation," said Dan Larkin, an FBI agent who heads the 
National Cyber-Forensics & Training Alliance in Pittsburgh.

Credit bureaus are not required to notify consumers.

"The credit bureaus work on behalf of banks and companies that grant 
credit," said Ari Schwartz of the Center for Democracy and Technology, a 
consumer advocacy group in Washington. "They're not set up to be 
consumer-oriented businesses."

And the credit bureaus say they are not in the habit of reaching out to 
consumers whose private information may have been compromised.

"Normally we would not put a fraud alert on a file without a consumer 
being involved" or initiating it, said Maxine Sweet, a vice president 
with Experian, one of the three major credit-reporting bureaus. "That's 
just not something we generally do."

Copyright 2007 The Washington Post Company


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org