Spyware Based ID Theft Ring Uncovered
phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."
Let's see how much attention this gets in middle America. The level of histrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.
How much material would a woodchuck chuck if a woodchuck could chuck material?
CoolWebSearch is among - if not the most - annoying, underhanded, and pain in the ass to remove spyware apps out there.
Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs and Windows utilities such as MSconfig and regedit, as well as blocking the sites on which the removal tools are hosted.
I have no problem with the book being thrown at these punks.
Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.
HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.
It's about time somebody got sent to jail for a LONG time for this kind of crap.
Never email donotemail@WeAreSpammers.com
And when I posted about a network of sites I found over a year ago on news.admin.net-abuse.email while looking at a Scientology management company, I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)
One line blog. I hear that they're called Twitters now.
Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:
Basically, it went like this:
Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.
The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.
It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.
It's really quite sucktastic.
Downloaded on my Mac, burned to CD, installed on the ThinkPad. Next question.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
"also most of the problems on windows are well known viruses. cleaning up what you believe is a deliberate attack on YOUR system would obviously justify far more care."
I thought the whole point of the article was that the common malware may be being used for uncommonly nefarious purpose. Just because 10,000 people got hit by the same malware doesn't make it any less specific a threat to you. The "My city got hit by a nuke, so it is okay as they weren't targeting me personally" logic.
People have to learn that as soon as someone finds a way to get malware on your box it is effectively game over. If one person does it undetected, so can someone else. Reinstall.