Hacking Made Easy

These keylogger-control Web sites follow a trend toward automation in other realms of online fraud, such as virus-creation programs, spamming software and pre-packaged toolkits to help fraudsters set up "phishing" sites -- Web pages designed to trick people into giving away their personal and financial data at what looks like a legitimate e-commerce or banking site.

"This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime," Weafer said.

Microsoft released a patch in January to fix the software flaw that hackers used to break into Frost's computer, which involves the way IE processes certain types of digital images. As early as two weeks before the patch's release, online criminals were already hacking into thousands of small-merchant Web sites and embedding code that would silently install keyloggers when users browsed the sites with IE.

Frost blames himself for the theft of his personal information. He said the Web site that launched when he clicked on the link in the fraudulent e-mail belonged to a legitimate online camera store, and that the woman he spoke with at that store even told him that her site had been hacked and that it had probably downloaded "some kind of virus to his computer."

Frost also admits he ignored her warning and put off installing the latest patch, something he said he plans to rectify after re-installing the operating system on his computer. Meanwhile, he's had to arrange new online login credentials for his bank and reset his eBay and Paypal passwords, all of which were found on the hacking Web site.

Still, one detail is gnawing on Frost's mind: The timestamp on the text files containing his password information indicate his data was stolen on Feb. 22, yet neither his bank nor eBay nor PayPal has since reported any suspicious activity on the account. "I'm relieved to know it could have been a lot worse."

Eric Sites, vice president of research and development at Sunbelt Software, an anti-spyware company in Clearwater, Fla., said it is likely that Frost's data had not yet been sold or transferred to other criminal syndicates who specialize in laundering money in Frost's geographic region.

"This sorting process allows the bad guys to zero in on the countries that they have experience with and sell the data to criminals who can make the most of it in that country," Sites said. "We have seen this type of data being sold before, and some of the stolen information will filter all the way down to criminals on the street using a [counterfeit] credit card."

John Bambenek, a security incident handler at the Bethesda, Md.-based SANS Internet Storm Center, which monitors hacking trends, agreed.

"The reason there is often a delay is that a lot of the people who actually install a lot of these keylogger programs are not that sophisticated," Bambenek said. "In most cases, they're teenage hackers who flip the information to more organized criminal groups for some quick cash."

The scourge of keylogger programs is pervasive and growing, Bambenek said. He recently conducted an analysis for SANS estimating that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses -- perhaps because hackers are busy sifting their illicit logs for rare kinds of data -- Bambenek estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of those infected machines.

Point, Click, Hack

Sunbelt began tracking one of the keylogger control Web sites back in August 2005, when the criminal group behind the site was using an earlier known Internet Explorer flaw to break into Windows PCs and collect data from thousands of victims.