Hacking Made Easy
One massive trove of keylogged data on a Web site discovered by Sunbelt included screen grabs for several victims, including an employee of Blueox Corp., an Oxford, N.Y., heating, air conditioning and fuel delivery service. Blueox's data was inside a folder titled "United States," which included user names and passwords from at least a hundred other infected computers around the country. Other folders on that site contained password data from victims in more than 60 other nations.
Just after noon ET on March 10, a keylogger was planted on the computer used by the company's controller, according to the time stamp and name at the top of the text file that contained her data.
The keylogger on her computer had recorded and transmitted to the attackers' Web site the user name and password for Blueox's corporate bank account, as well as the credentials that the company uses to purchase fuel supplies online from Gulf Oil. Along with the text file containing the stolen login data were two screen shots that the attackers apparently took at the moment she logged into each account.
That same keylogger Web site held sensitive password data belonging to BPP Management, a company that oversees a string of gas stations in the White Plains, N.Y., area. The attackers had installed a keylogger on the computer used by BPP's controller, compromising the credentials the company uses to access its accounts at a major New York bank.
Earlier this week, both companies discovered how the attackers broke in: The intruders had compromised Gulfoil.com, a site which employees of both Blueox and BPP Management visit regularly as wholesale buyers.
Graham Spinney, director of information technology at Gulf Oil, confirmed that sometime on March 10, hackers broke into the company's Web site and planted code that redirected visitors to another site. The false site informed visitors that they needed to install a security update to continue logging in to their Gulfoil.com accounts.
The "security update" was in fact a keystroke logger. The attackers' site also installed a software tool used to remotely view, add or delete files on victims' computers.
David Martin, who oversees all of Blueox's computer operations, called the keylogger infestation "his worst fears come true" after verifying the company's login information with a reporter.
"You know, you think you've covered all your bases security-wise, and then something like this happens," Martin said. The company is still in the process of checking whether the attackers used the information to steal any money.
"I thought we had our arms around the computer situation," Martin said, "but apparently we don't."
One reason keyloggers are becoming so prevalent and stealthy is that far too many Windows users rely on anti-virus programs to stop attacks while continuing to ignore safe-computing advice, according to Ken Dunham, director of rapid response for Reston, Va.-based iDefense, a security subsidiary of VeriSign.
That advice has changed little since the first computer viruses appeared: Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.
"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


