Webroot uncovers thousands of stolen identities

Spyware researchers at Webroot Software. have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery.

The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.

The discovery is just the latest evidence of rampant identity theft by online criminals who use malicious Web sites, common software vulnerabilities and keylogging software to harvest information from unsuspecting Web surfers.

The Trojan was discovered on April 25 by Dan Para, a member of Webroot's Threat Research Team, who was investigating one of a number of malicious files installed using "drive by downloads" from the teens7(dot)com Web site. In drive by downloads, software vulnerabilities in Web browsers are exploited so that malicious software can be pushed down to the machine running the Web browser, usually without any warning to the computer's owner.

The Rebery malicious software is an example of a "banking" Trojan, which are programmed to spring to life when computer owners visit one of a number of online banking or e-commerce sites, said Gerhard Eschelbeck, CTO at Webroot.

Webroot notified the FBI after it discovered the stolen information, which had been groomed and organized in folders by country where it was "ready to be sold," Eschelbeck said. The stolen data was hosted on an FTP server hosted by nLayer Communications in New York, according to Webroot. However, the company does not know who is behind the scam, Eschelbeck said.

"It's probably an individual who set it up," said Eschelbeck. However, it is unlikely that the individuals running the Web site or hosting the FTP server have any direct knowledge of the scam, he said.

Rebery is still "running wild" on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan, 1,200 of them in the U.S.

The stash of stolen identities is just one of many that have been uncovered in recent months, as identity theft has evolved into a lucrative operation for online criminal groups.

Researchers at antispyware firm Sunbelt Software  have also uncovered stashes of stolen information harvested by keyloggers on more than one occasion, and company employees have, in the past, informed some consumers that their identities have been stolen.

Catching the perpetrators is a different matter, however. Often, criminals conduct their affairs from afar, connecting to their servers through one or more compromised machines, which are often scattered around the globe, making criminal investigation and enforcement difficult, experts say.