Automated Tools Gather Victims' Keystrokes, Upload Passwords to Illicit Database
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 16, 2006; 12:22 PM
When Graeme Frost received an e-mail notice that an expensive digital camera had been charged to his credit card account, he immediately clicked on the Internet link included in the message that said it would allow him to dispute the charge. As the 29-year-old resident of southwestern England scoured the resulting Web page for the merchant's phone number, the site silently installed a password-stealing program that transmitted all of his personal and financial information.
Frost is just one of thousands of victims whose personal data has been stolen by what security experts are calling one of the more brazen and sophisticated Internet fraud rings ever uncovered. The Web-based software employed by ring members to manage large numbers of illegally commandeered computers is just as easy to use as basic commercial office programs. No knowledge of computer programming or hacking techniques is required to operate the software, which allows the user to infiltrate and steal financial information from thousands of PCs simultaneously.
The quality of the software tools cyber criminals are using to sort through the mountains of information they've stolen is a clear sign that they are seeking more efficient ways to monetize that data, experts say.
"We believe this to be the work of a group, not a single person," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based computer security giant Symantec Corp. "This type of sophistication really shows the ability that [criminals] have to do 'data mining' on where all this stolen information is coming from."
Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser. The data thieves use the IE flaw to install programs known as "keyloggers" on computers that visit the specially coded Web pages. The keyloggers then copy the victims' stored passwords and computer keystrokes and upload that information to the database.
The central database feeds the stolen data back to Web sites running the hacking software, where hackers can sort it by any number of variables, such as financial institution or country of origin -- powerful tools for anyone trying to squeeze as much income as possible out of their illegal activities.
To Weafer, the software appears to have been professionally designed for sale or rent to organized criminal groups. His team was tracing the origins of a new password-stealing program in February when it spotted at least three of the hacking Web sites.
The software -- viewed by a reporter on one of the sites, which washingtonpost.com is not naming because it remains active -- displays detailed graphs showing the distribution of victims by country. At the time of this publication, the site harboring Frost's information was receiving a stream of illicit data from a network of roughly 3,000 infected PCs, mostly located in Spain, Germany and Britain.
The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.
They can even update their spyware installations with new versions tailored to defeat the most recent anti-virus updates. With one click on the Web site's "Add New Exploit" button, users can simultaneously modify all of the keylogger programs already installed on their networks.
Symantec and other security experts also have spotted earlier versions of the software installed on at least two other Web sites, one of which is still active and has harvested password information from nearly 30,000 victims, the bulk of whom reside in the United States and Brazil.
Watching While You Type
Keyloggers are fast becoming one of the most prevalent and insidious online threats: More than half of the viruses, worms and other malicious computer code that Symantec now tracks are designed not to harm host machines but to surreptitiously gather data from them. In fact, none of the victims interviewed for this story were aware their computers had been seeded with the invasive programs until contacted by a washingtonpost.com reporter.
These keylogger-control Web sites follow a trend toward automation in other realms of online fraud, such as virus-creation programs, spamming software and pre-packaged toolkits to help fraudsters set up "phishing" sites -- Web pages designed to trick people into giving away their personal and financial data at what looks like a legitimate e-commerce or banking site.
"This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime," Weafer said.
Microsoft released a patch in January to fix the software flaw that hackers used to break into Frost's computer, which involves the way IE processes certain types of digital images. As early as two weeks before the patch's release, online criminals were already hacking into thousands of small-merchant Web sites and embedding code that would silently install keyloggers when users browsed the sites with IE.
Frost blames himself for the theft of his personal information. He said the Web site that launched when he clicked on the link in the fraudulent e-mail belonged to a legitimate online camera store, and that the woman he spoke with at that store even told him that her site had been hacked and that it had probably downloaded "some kind of virus to his computer."
Frost also admits he ignored her warning and put off installing the latest patch, something he said he plans to rectify after re-installing the operating system on his computer. Meanwhile, he's had to arrange new online login credentials for his bank and reset his eBay and PayPal passwords, all of which were found on the hacking Web site.
Still, one detail is gnawing on Frost's mind: The timestamp on the text files containing his password information indicates his data was stolen on Feb. 22, yet neither his bank nor eBay nor PayPal has since reported any suspicious activity on his accounts. "I'm relieved to know it could have been a lot worse."
Eric Sites, vice president of research and development at Sunbelt Software, an anti-spyware company in Clearwater, Fla., said it is likely that Frost's data had not yet been sold or transferred to other criminal syndicates who specialize in laundering money in Frost's geographic region.
"This sorting process allows the bad guys to zero in on the countries that they have experience with and sell the data to criminals who can make the most of it in that country," Sites said. "We have seen this type of data being sold before, and some of the stolen information will filter all the way down to criminals on the street using a [counterfeit] credit card."
John Bambenek, a security incident handler at the Bethesda, Md.-based SANS Internet Storm Center, which monitors hacking trends, agreed.
"The reason there is often a delay is that a lot of the people who actually install a lot of these keylogger programs are not that sophisticated," Bambenek said. "In most cases, they're teenage hackers who flip the information to more organized criminal groups for some quick cash."
The scourge of keylogger programs is pervasive and growing, Bambenek said. He recently conducted an analysis for SANS estimating that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses -- perhaps because hackers are busy sifting their illicit logs for rare kinds of data -- Bambenek estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of those infected machines.
Point, Click, Hack
Sunbelt began tracking one of the keylogger control Web sites back in August 2005, when the criminal group behind the site was using an earlier known Internet Explorer flaw to break into Windows PCs and collect data from thousands of victims.
washingtonpost.com is not naming that site because it too is still online. The company that hosts the site, District of Columbia-based HopOne Internet Corp., did not return calls and e-mails seeking comment.
Larry Johnson, special agent in charge of the criminal investigative division at the U.S. Secret Service, said the agency is keeping close tabs on the keylogger sites, which he said offer invaluable intelligence on the workings of online financial fraud groups.
"We know where these guys are and what they're doing, and we could probably take them off of that hosting site, but it just becomes a Whac-a-Mole problem, where we lose them for a while and then may not know what they're doing," Johnson said.
Johnson stopped short of saying whether the Secret Service had opened an investigation into the matter. "We do have a few things going on right now that we feel will disrupt some of these types of operations," Johnson said. "We're not interested in just sitting idly by."
Sunbelt's Sites said the proliferation of keylogger-driven fraud signifies that the hackers and criminals using malware to steal people's personal information are seeking a better system to manage the stolen data because they are so successful at stealing it.
"The amount of stolen data has become overwhelming to security researchers who find it while tracking down the bad guys," Sites said.
Keylogger programs have been around for years, but only recently have security experts begun finding large online troves of keylogged information organized in back-end databases serving remote Web sites.
Last week, Sites discovered another currently active keylogger control Web site registered to an individual in Russia. One of the files on that site was a large text document containing the raw keylogged data from hundreds of computers infected with "Winldra.exe," a popular keylogger program. Winldra is attributed to the owners of Ratsystems.org, a Russian site that sells a variety of malicious software and identity theft services.
Kingsland, Ga., resident Justin Rollins, 28, was among those whose private data was stored on the Russian server. Rollins said he's not sure how the keylogger got onto his Windows XP computer, but he confirmed that the information found in the text file included the user names and passwords he had stored in IE for his eBay, PayPal, credit union and Hotmail accounts. The text file indicates the keylogger began uploading his account information on Valentine's Day.
"I guess it's one of the down sides of the Internet that it makes things more convenient, and then you have people design stuff like this to make things miserable for people," Rollins said.
Some of the more advanced keylogger programs in use today can even take snapshots of the image on the computer screen when the victim visits a Web site that requires a user name and password. Experts say this "screen scraping" functionality originally was built into many keystroke loggers to defeat anti-keylogger security measures -- used mainly in Britain and South America, where the threat is the worst -- that require online customers to log in by using a mouse to click on a keyboard image on their screens rather than type on their actual keyboards.
Vulnerability Can Be Contagious
The following account, pieced together by tracing the trail of keylogged data, illustrates how even companies that follow all of the best precautions on computer security can fall victim to cyber crime when their business partners have been compromised.
One massive trove of keylogged data on a Web site discovered by Sunbelt included screen grabs for several victims, including an employee of Blueox Corp., an Oxford, N.Y., heating, air conditioning and fuel delivery service. Blueox's data was inside a folder titled "United States," which included user names and passwords from at least a hundred other infected computers around the country. Other folders on that site contained password data from victims in more than 60 other nations.
Just after noon ET on March 10, a keylogger was planted on the computer used by the company's controller, according to the time stamp and name at the top of the text file that contained her data.
The keylogger on her computer had recorded and transmitted to the attackers' Web site the user name and password for Blueox's corporate bank account, as well as the credentials that the company uses to purchase fuel supplies online from Gulf Oil. Along with the text file containing the stolen login data were two screen shots that the attackers apparently took at the moment she logged into each account.
That same keylogger Web site held sensitive password data belonging to BPP Management, a company that oversees a string of gas stations in the White Plains, N.Y., area. The attackers had installed a keylogger on the computer used by BPP's controller, compromising the credentials the company uses to access its accounts at a major New York bank.
Earlier this week, both companies discovered how the attackers broke in: The intruders had compromised Gulfoil.com, a site which employees of both Blueox and BPP Management visit regularly as wholesale buyers.
Graham Spinney, director of information technology at Gulf Oil, confirmed that sometime on March 10, hackers broke into the company's Web site and planted code that redirected visitors to another site. The false site informed visitors that they needed to install a security update to continue logging in to their Gulfoil.com accounts.
The "security update" was in fact a keystroke logger. The attackers' site also installed a software tool used to remotely view, add or delete files on victims' computers.
David Martin, who oversees all of Blueox's computer operations, called the keylogger infestation "his worst fears come true" after verifying the company's login information with a reporter.
"You know, you think you've covered all your bases security-wise, and then something like this happens," Martin said. The company is still in the process of checking whether the attackers used the information to steal any money.
"I thought we had our arms around the computer situation," Martin said, "but apparently we don't."
One reason keyloggers are becoming so prevalent and stealthy is that far too many Windows users rely on anti-virus programs to stop attacks while continuing to ignore safe-computing advice, according to Ken Dunham, director of rapid response for Reston, Va.-based iDefense, a security subsidiary of VeriSign.
That advice has changed little since the first computer viruses appeared: Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.
"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."