Hacking Made Easy

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 16, 2006; 12:22 PM

When Graeme Frost received an e-mail notice that an expensive digital camera had been charged to his credit card account, he immediately clicked on the Internet link included in the message that said it would allow him to dispute the charge. As the 29-year-old resident of southwestern England scoured the resulting Web page for the merchant's phone number, the site silently installed a password-stealing program that transmitted all of his personal and financial information.

Frost is just one of thousands of victims whose personal data has been stolen by what security experts are calling one of the more brazen and sophisticated Internet fraud rings ever uncovered. The Web-based software employed by ring members to manage large numbers of illegally commandeered computers is just as easy to use as basic commercial office programs. No knowledge of computer programming or hacking techniques is required to operate the software, which allows the user to infiltrate and steal financial information from thousands of PCs simultaneously.

The quality of the software tools cyber criminals are using to sort through the mountains of information they've stolen is a clear sign that they are seeking more efficient ways to monetize that data, experts say.

"We believe this to be the work of a group, not a single person," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based computer security giant Symantec Corp. "This type of sophistication really shows the ability that [criminals] have to do 'data mining' on where all this stolen information is coming from."

Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser. The data thieves use the IE flaw to install programs known as "keyloggers" on computers that visit the specially coded Web pages. The keyloggers then copy the victims' stored passwords and computer keystrokes and upload that information to the database.

The central database feeds the stolen data back to Web sites running the hacking software, where hackers can sort it by any number of variables, such as financial institution or country of origin -- powerful tools for anyone trying to squeeze as much income as possible out of their illegal activities.

To Weafer, the software appears to have been professionally designed for sale or rent to organized criminal groups. His team was tracing the origins of a new password-stealing program in February when it spotted at least three of the hacking Web sites.

The software -- viewed by a reporter on one of the sites, which washingtonpost.com is not naming because it remains active -- displays detailed graphs showing the distribution of victims by country. At the time of this publication, the site harboring Frost's information was receiving a stream of illicit data from a network of roughly 3,000 infected PCs, mostly located in Spain, Germany and Britain.

The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.

They can even update their spyware installations with new versions tailored to defeat the most recent anti-virus updates. With one click on the Web site's "Add New Exploit" button, users can simultaneously modify all of the keylogger programs already installed on their networks.

Symantec and other security experts also have spotted earlier versions of the software installed on at least two other Web sites, one of which is still active and has harvested password information from nearly 30,000 victims, the bulk of whom reside in the United States and Brazil.

Watching While You Type

Keyloggers are fast becoming one of the most prevalent and insidious online threats: More than half of the viruses, worms and other malicious computer code that Symantec now tracks are designed not to harm host machines but to surreptitiously gather data from them. In fact, none of the victims interviewed for this story were aware their computers had been seeded with the invasive programs until contacted by a washingtonpost.com reporter.

© 2006 The Washington Post Company