A recent article by Brian Krebs of the Washington Post, “Virtual Heist Nets 500,000+ Credit Accounts”, states that researchers at RSA’s FraudAction Research Lab have discovered one of the largest stolen data caches ever recovered. A cyber crime group stole over half a million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in the world.
RSA detected more than 270,000 online banking account credentials, and about 240,000 credit and debit card account numbers and associated personal information, on Web servers the cyber crime group was using for its attacks.
The attacks have been going on for nearly three years. That’s a very long time, according to Sean Brady, manager of identity protection for RSA, the security division of EMC. He said that only rarely do they come across crimeware that has been continually stealing and collecting personal information and payment card data, compromising bank accounts as far back as 2006.
The crooks are using Sinowal, also called “Torpig” and “Mebroot” by other anti-virus companies. Sinowal constantly morphs its appearance to slip past security software. Researchers have discovered that new variants are appearing at a rate of 60 to 80 per month.
Sinowal is unique in another way, too. It hides in the deepest recesses of the host computer, the “Master Boot Record.” This location loads even before the operating system boots up. Experts say many anti-virus programs will not detect such a fundamental compromise. Once discovered, removing the Trojan from the computer is almost impossible, often requiring a reformatting of the system and wiping any data stored on it.
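Because the Master Boot Record sits outside the file system, a defender’s practical check is to baseline the 512-byte MBR from a known-clean state and periodically compare the bootstrap code (bytes 0–445) and the partition table against that baseline. The following is an added example written for this article, not code from RSA or from the Krebs piece; the sample MBR bytes are constructed stand-ins, not real disk images, and the `make_baseline`/`check_mbr` names are this example’s own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code, the area an MBR-resident Trojan overwrites
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into its bootstrap code and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[start:start + 16])
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_SIZE], "partitions": partitions}


def make_baseline(mbr: bytes) -> dict:
    """Record what a known-clean MBR looks like: a hash of the bootstrap code plus the partition table."""
    parsed = parse_mbr(mbr)
    return {"boot_code_sha256": hashlib.sha256(parsed["boot_code"]).hexdigest(),
            "partitions": parsed["partitions"]}


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline. Returns a list of findings (empty = no change)."""
    parsed = parse_mbr(mbr)
    findings = []
    digest = hashlib.sha256(parsed["boot_code"]).hexdigest()
    if digest != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed: %s... -> %s..."
                        % (baseline["boot_code_sha256"][:12], digest[:12]))
    if parsed["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# --- constructed sample data (placeholder bytes, not real boot loaders) ---
def _build_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # one bootable NTFS-type partition
    table = entry + b"\x00" * 48                                  # remaining three slots unused
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0")  # stand-in for the normal loader at install time
# Same partition table, different bootstrap bytes: the kind of change an MBR-resident Trojan makes.
MODIFIED_MBR = _build_mbr(b"\xeb\x58\x90" + b"\x00" * 100 + b"\x41\x42")

if __name__ == "__main__":
    baseline = make_baseline(CLEAN_MBR)
    print("clean:", check_mbr(CLEAN_MBR, baseline))
    for finding in check_mbr(MODIFIED_MBR, baseline):
        print("ALERT:", finding)
```

To use this on a real machine, read the first 512 bytes of the boot disk with administrator rights (for example `open("/dev/sda", "rb").read(512)` on Linux, or the `\\.\PhysicalDrive0` device on Windows) and store the baseline somewhere the host cannot alter. Note that a rootkit resident in the MBR can filter disk reads made from the running system, which is one reason the article’s experts say ordinary anti-virus misses it; the comparison is only trustworthy when the MBR is read from trusted boot media rather than from the possibly compromised OS.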
Here’s how the Sinowal Trojan works: it lies in wait until the victim visits one of more than 2,700 bank and e-commerce sites hard-coded into the malware, at which point it injects new Web pages or information fields into the victim’s Web browser.
When an unsuspecting Windows user visits one of the compromised sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes.
According to RSA, more than 100,000 bank account credentials were stolen by the Trojan in six months alone.