Slashdot Mirror
Spyware Based ID Theft Ring Uncovered
phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article:"According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."
Not surprising. Also, this is one spyware app I find almost everytime I "fix" someone's computer. It's very widespread among those who are idiots with their security.
How many fulltime jobs can one man have?
Dude, that is so not cool.
John Walsh once found me while looking for some other kid. He was not amused.
This is something that has been around for years, no? I haven't run windows in 3 years, but I remember removing CWS many, many times over the years...
That's about as dumb a statement as I can expect to see in print this week. We know why someone would do it. Information is valuable in many different ways. Get a clue!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I have had to delete this numerous times on my parent's computers... I'm gonna have to go and make sure it's still not on there.
Didn't the old Prodigy service (a competitor to Compuserve, in the days before AOL) get a bad rap for a similar offense? Grabbing personal info and uploading it back to the Borg?
isnt this exactly what all spyware does?
hence the name "spyware"
Let's see how much attention this gets in middle America. The level of hystrionics will be a good indicator of what proportion of the public was consciously aware that spyware actually, you know, spies on you.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
You can download the original removal tool here (no longer updated): http://www.majorgeeks.com/download4086.html
You can download the currently maintained removal tool here, as intermute took over development from merjin and was aquired by trend micro: http://www.majorgeeks.com/Trend_Micro_CWShredder_d 3019.html
Overclockers
If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one if its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.
I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.
More information on CWS is available from:
http://en.wikipedia.org/wiki/CoolWebSearch
http://www.google.com/search?q=CoolWebSearch
The space unintentionally left unblank.
But they're basically commissioning it with their PPC search engine model.
Also, if you've not read up on CWS and what they do - and how they do it - read this:
http://merijn.org/cwschronicles.html
Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.
Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
C'mon. This has been around for years. Has noone ever happened to turn on a packet sniffer or something while CoolWebSearch was active and seen some dodgy traffic? And CWS is pretty well known. I'd bet it's been deconstructed at least once. And if someone's taken the time to reverse-engineer it, I'm sure they'd look through the code they got back, and notice that there were some socket writing subroutines.
HAH! I just wasted a second of your life making you read this, but I wasted a minute of mine thinking it up. DAMN.
How can it be called ID Theft if the original owner still has his identity?
If you haven't heard of it before, CoolWebSearch has reigned as one of the nastier pieces of spyware for quite a while now. It's hardly surprising they would sink this low.
Ow wait, they stole passwords and such too... Nice, maybe this will make things more clear for some people:
spyware = criminals
CoolWebSearch is among - if not the most - annoying, underhanded, and pain in the ass to remove spyware aps out there.
Not only were most people infected via a security exploit in MS Java, they constantly release updates that break or modify spyware removal programs, windows utilities such as MSconfig, regedit as well as blocking the sites on which the removal tools are hosted.
I have no problem with the book being thrown at these punks.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
My Dad bought a new ThnkPad, and before I let him anywhere near it, I spent an hour downloading CWSShredder, Spybot, Ad-Awaare, et al before I connected to the 'net. It's been 10 years since I owned a Windows machine, and this was the first one I'd set up since then. It was an eye-opener for me as to just how bad it is out there in the Windows world.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.
HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.
It's about time somebody got sent to jail for a LONG time for this kind of crap.
Never email donotemail@WeAreSpammers.com
Well, this page lists all the URLs associated with CWS.
/etc/hosts.
Add these hosts to your webfilter/proxy blocking list:
coolwebsearch.com, webcoolsearch.com, 193.125.201.50, 1stpagehere.com, 66.250.130.194, adulthyperlinks.com, allhyperlinks.com, approvedlinks.com, bestcrawler.com, cantfind.com, carsands.com, cool-web-search.com, coolfreepage.com, coolwwwsearch.com, couldnotfind.com, defaultsearch.net, dev.ntcor.com, ewebsearch.net, findloss.com, findwhat.com, firstbookmark.net, freebookmark.net, freebookmarks.net, global-finder.com, itseasy.us, jethomepage.com, jetseeker.com, kazaa-lite.ws, martfinder.com, mommykiss.com, mywebsearch.net, noblindlinks.com, ok-search.com, pedo.ws, runsearch.com, search-2003.com, search.xrenoder.com, searchdesire.com, searchv.com, searchxp.com, sharempeg.com, slawsearch.com, slotch.com, stopxxxpics.com, super-spider.com, super-websearch.com, the-exit.com, the-huns-yellow-pages.com, topsearcher.com, unipages.cc, web-search.tk, white-pages.ws, youfindall.com, youfindall.net, yourbookmarks.info, yourbookmarks.ws
And/or add 127.0.0.1 before each host, and add those to your
And posted about a network of sites I found over a year ago on news.admin.net-abuse.email when looking at a Scientology management company I notice that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)
One line blog. I hear that they're called Twitters now.
a lot of people ask will middle america wake up to this? the answer is no. there is many types of free kinds of software available online to combat spyware. there are online services from trendmicro that will scan your machine for viruses and spyware. why not take the time out to do that?
oh wait.. previous slashdot article.. people with spyware infected machines think that their computer is just running slow and it's just time for a new one.
probably in 5 or so years, spyware and virus will usually be in the same sentance, because not a lot of people take it seriously. i believe that a lot of browsers (*cough*IE*cough cough*IE IE*cough*) do very little to stop the spread of spyware. however, microsoft is making slow strides by eating/taking over giant antispyware, who had an awesome product!
basically you need microsoft antispyware, bhodemon (to check for IE BHO's), tcpview from sysinternals, clamwin's free anti-virus scanner, and especially firefox. i don't even have spyware scanners on my desktop anymore since i've stopped using IE.
lameness filter thwarted.
How can it be called ID Theft if the original owner still has his identity?
Parent post is not a troll; it identifies the main error in the article.
What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
Identity theft occurs whebn somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct evidence of that here.
It's the old kevin mitnick scenario: breaking into a system and wandering around is not the same crime as breaking into a system, changing or destroying files, is not the same crime as breaking into a system and using the info to commit real world crimes such as wire fraud or embezzlement.
Article is FUD.
Spyware is bad. This spyware is bad.
People should avoid broken browsers e.g. microsoft, and run spybot/adaware type sweepers.
Lying about the problem won't help fix it. Mod parent up.
"security" firm sunbelt just now stumbled upon coolwebsearch and discovered it's recording users data? Let's clarify, EVERYONE knows that coolwebsearch is spyware, and has for a long time. Hell, my uncle can barely turn on a computer and he knows CWS is spyware.
Main Entry: spyware
Part of Speech: noun
Definition: any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes
Even websters knows that "spyware" records personal data. What I'm stuck pondering is why Sunbelt deserve any credit, and why this is news? They didn't discover anything new, it's not a breakthrough. Hell, there's programs out there dedicated solely to removing CWS.
HEADLINE!!!
SPYWARE COLLECTS PERSONAL INFORMATION ON YOU*
*that's why we call it spyware dipshit
I believe CoolWeb uses exploits in MS's Javascript rather than their ActiveX exploits.
One line blog. I hear that they're called Twitters now.
yeah, there's also no "software" on those "better operating systems." some of us enjoy our games, and our mainstream applications that we use at work, and don't have the time, money, or patience to build a second box for that purpose. wouldn't it be better if these idiots were held responsible for their BS? oh, and don't forget the biggest reason those other OS's have less of this crap: the reason is because there aren't enough users for it to be a worthwhile endeavor. want viruses, trojans, and spyware on your linux box, or your mac? keep advocating other non-windows operating systems, and maybe, if large groups of people hear you and migrate, you'll get it. what you have now is "security through obscurity," but when Linux (or mac, or whatever) becomes the mainstream, you'll see what less-vigilant windows users have struggled with for years. the best available solution is a good firewall, good spyware cleaner, good antivirus, and a bit of common sense that, no, you really shouldn't install every neat little gadget without knowing what you're putting in your box. a non-existing, ideal solution would be castrating these jerks who put this crap on other people's computers (which I then have to clean off), or if these people would just learn a way to make money that didn't involve other people's time being wasted... but saying that "oh, you should migrate over to this other platform" is not a good answer, because most people don't have the know-how to make another platform work, or they need the software available on the platform they're on.
It wasn't done by CWS, it was done by someone pretending to be them.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Actually, I agree with you; asshats that make and use spyware should be found and held responsible for it. Same goes for SPAM. That said, I walked away from MS altogether about a decade ago, and I don't think I'm missing very much. They really need to get their design together, IMHO so that shit like this isn't even possible in the first place. Or at least, it should be *much* more difficult to create and use malware.
C|N>K
OK, OK, calm down. Let me just say that there are many good pieces of software on other platforms. In my line of work, the selection of technical software available for Linux can't be beaten. But there are also a lot of folks out there who like Windows, and its software satisfies their needs. And that's all good.
Now:
That's good, but some of these cost money on top of the base operating system. Common sense is a very good defense too, but what's required is computer common sense. A lot of people aren't experienced enough to know all the ins and outs of a system. Furthermore you missed the biggest, most effective shield of all, one that is sorely overlooked by anti-malware forums:
And no, I'm sorry but "such-and-such program doesn't work with this" is no excuse. There are nearly always routes around it. If not, drop the program. Write to the author and tell them to produce decent code that doesn't require admin privileges for non-administrative tasks.
Couple that with an alternative browser for that extra layer, and the Windows XP firewall blocking all incoming ports, and you should do fine. The worse that could happen is something attempts to infect your user profile (and very few malware, if any, do this because compromised systems are of more use); in which case, just take off your work and nuke the account. It's not impossible to secure Windows XP, but I think it does require more than common sense.
Couldn't they just present a someone else's info when arrested?
Then when they get out on bail, skip town.
Then the police would find themselves starting all over again?
I guess the only way that might not work is if the police already have their prints and true identity on file.
But then, the other ID on file might be false too.
DEAD DEAD DEAD DELETE ME
It looks like to me that Sunbelt is trying to cover up Scientology involvement in CWS from the link http://groups-beta.google.com/group/news.admin.net -abuse.email/browse_frm/thread/5548a6300756d6a0/0f ac1b5d8ff3f14e#0fac1b5d8ff3f14e supplied earlier in the thread.
I can't keep thinking "how convenient." Especially since adware/spyware is coming increasingly under the gaze of the Federal Trade Comission and the Justice Department.
Steve's Computer Service, Hobbs, NM
I've seen very resonably "secure" desktops get spyware all the time. Windows firewall, linksys NAT routers, no admin login, passworded accounts, etc.
There's been so many dozens of IE vulnerabilties that allow software to be installed with *zero* user interaction that it doesn't take a security "idiot" to get smacked by these things.
- It's not the Macs I hate. It's Digg users. -
I'm still a little surprised that UBCD for Windows (its a full featured Windows boot disk creation toolset) hasn't caught on more then it has.
:)
I'm assuming you're trying to be silly even mentioning hash checking, because that would be overkill for the average desktop users (but certainly something you'd have already done on a production system, and there are plenty of tools for that already).
Just the boot disk should do fine for most peoples needs: from it run your AV (its always a good idea to run a second scan using another program, 3 were provided last time I checked) and run your AW scan (I don't recall if it includes more then one). Another good idea is running a tool like Cexx's lspfix which can be used to remove unwanted software directly from you TCP/IP stack (which of course means if you don't know what your doing you can ruin your stack).
99% of the average computer users problems can be solved with that toolset alone.
Of course your right, the correct procedure does start with shutting down the compromised system but after that most windows users can stick to a road more frequently traveled.
Quack, quack.
Hi, I'm the author of the Ars article and the submitter of this story, Alex from sunbelt got back to me with a bit more information:
Basically, it went like this:
Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he disovered that a) the machine he was testing became a spam zombie and b) it send a call back to a remote server. He traced back the remote server and found what you have heard about.
The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.
It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.
It's really quite sucktastic.
Is this the same Sunbelt Software that did a study with the Yankee group that resulted in the claim that the TCO of Windows is less than that of Linux?
The real "Libtards" are the Libertarians!
how do we know that the removal tools don't actually install more spyware. or simply hide the existing spyware better?
Can you be Even More Awesome?!
Your post is spot on, buddy.
.02
Running from a limited user account coupled with using a non-IE browser removes nearly every (current) major malware attack vector. Running under a limited user account can be a pain in the ass, but there are a few things to remember to help improve the experience:
1. Some programs/shortcuts will not show "Run As..." in the context menu (for example: Control Panels). Try holding the shift key down when you right click. Viola! "Run As..." now show in the context menu.
2. If you need to do "drag and drop operations" or manual editing of restricted areas (Program Files directory, Windows directory, etc...) you may have noticed that explorer.exe will not "Run As..." (even if you hold shift). The solution? Use IE. Run IE as admin, navigate to "C:", and now you have an instance if explorer.exe running as admin from within a LUA.
3. When all else fails, you can always install pesky apps to your user space (C:\Documents and Settings\Username\). This is not the "safest" thing, but it is head and shoulders above running from an admin account.
Just throwinng in my
I work for Sunbelt Software as VP of Research & Development. While one of my spyware researchers was tracking down new variants of CoolWebSearch he came a cross a payload of crap that was downloaded to his VMware. This payload included a program that monitored the user internet traffic, chat activity and Windows protected storage store. When using Internet Explorer with autocomplete turned on, your autocomplete info gets stored in protected storage. This piece of spyware collected your protected storage info plus URLs, chat activity and website usernames and passwords. The real problem with this spyware was that it collected this information and posted it back to a public website that anyone could go to and read all of your personal information. Some examples of this include all the credit card info entered on HTML forms while purchasing something online. It did not matter that the webpage was using HTTPS. This website had collected over 500 different computers very private information within a 24 hours period. Including chat activity and login info to online bank accounts. One company had over $380,000 in a compromised account. The information was not the normal info collected for hacking purposes. It was collected to steal your money, SSN, credit card info, address, and identity. We have already found two variants of this spyware with multiple locations for its stolen info upload. We are working with the FBI and Secret Service to track everything back to the source.
Eric Sites
VP of Research & Development
Sunbelt Software, Inc.
It was pedantic. The definition of theft is not a relevant issue, and it's usage is grammatically correct anyway.
The word identity is a relative term, and since the point of view from which the theft occurred (could be from the POV of a electronic business transaction that exists for milliseconds in which posession is determined once and never considered again) it is a waste of time to question the author's grammar when there are much more important issues in question.
I run Linux for my primary desktop -- have for 5 years. I run WinXP in VMWare, with snapshots enabled. So when I wish to experiment with questionable sites and programs, I roll back when I'm done.
That said, if CWS is as nasty as every says, I'd *love* to let it loose in a sterile VM and try my hand at removing it manually (mainly using the Sysinternals suite of programs to find the offending process/dlls/etc., snoop the traffic by routing vie the Linux host box, and using a boot disk or LiveCD to disable/remove the thing).
Sure, anyone can run the canned spyware removal tools. It's like hunting deer with spears -- hardly practical given current technology, but you'll sure learn a hell of a lot about your prey. :-)
Method of processing duck feet
Because of crap like this, I've opened another savings account in which I keep most of my money. The difference between this new one and the prior one - which I still maintain, but with smaller dollar amounts - is that I'll never check the new account's status online. Pretty ridiculous as I do everything online (yes, even sex!) but the security risk involved and the fact I could lose a good amount of money, with little chance of recovery (or having to jump through a million hoops to get anything back) has led me to this.
Another reason to open a secure offline account is that my old account is connected to Paypal. All sorts of stories what can happen there.
The future? Everyone has a secure offline account and an online account. Kind of like everyone has a real email, and a throwaway hotmail or yahoo account.
There's nothing visibly connecting that Hubbard management company to that spyware operation other than a lot of their old sites were harvested. And there's nothing showing that the operation that I saw a year ago is the same one as Sunbelt found. And I never disected the spyware to see what its main purpose was. Accusing Sunbelt of other than what the story says would be a heck of reach even for me, and I'm way biased. ;^)
But I do hope law enforcement digs deep into who that malware gang was connected to.
One line blog. I hear that they're called Twitters now.
>How can it be called ID Theft if the original owner still has his identity?
This is just a pathetically lame attempt to confuse the issue. It doesn't matter that "the original owner still has it" since a liability has been associated with it and its owner may even wish he didn't "still have it". This isn't like stealing software or music.
What happened is that some spyware harvested very personal info about some people. That's bad, possibly criminal. But it's not identity theft.
Identity theft occurs whebn somebody takes the personal information and uses it to pose as you, draining your bank account, sleeping with your girlfriend, or in some way abusing the illicit information. There's no direct evidence of that here.
I'd say there's pretty good evidence. A spyware program is uploading keystrokes to a server. What do you think is going on, Officer Barbrady?
It's the old kevin mitnick scenario: breaking into a system and wandering around is not the same crime as breaking into a system, changing or destroying files, is not the same crime as breaking into a system and using the info to commit real world crimes such as wire fraud or embezzlement.
Are you trying to suggest that Mitnick's motive was the one in play here? Mitnick broke into restricted systems mostly to prove that he could do it. Which is an odd motive, but it's still believable. It's simply not a credible hypothesis that someone would design and distribute a spyware program to infect machines, run a keylogger, and upload keystrokes to a server- just to prove they could do it. Nor is it believable that nobody accessed the information accumulating on the server, or even that the server's location was a secret known to a restricted group of people. In this case the researchers showed that anyone with an infected machine would have been able to find the uploaded keystroke logs.
Here's the related post to ars just before the one to nanae. Much the same, but it shows a bit more of the detail. (The nanae crowd could do their own homework of that type.)
One line blog. I hear that they're called Twitters now.
"Give a man a fish, and he eats for a day, teach a man to fish, and he eats for a lifetime."
And I thought it was:
Give a man a fish, feed him for a day. Teach a man to fish, he's gone every weekend.
Or, maybe:
Give a man a fish, feed him for a day. Teach a man to fish, you've lost your fish monopoly.
Exam 4/C again. Maybe I'll do better this time.
Five bucks says that the 'outfit' in Las Vegas has Scientology ties.
Steve's Computer Service, Hobbs, NM
Whenever I come across a computer with CWS I've cringed. It's good to learn of CWShredder, and hopefully that will make my life easier.
Now that story is out there, hopefully people will realize that spyware writers are no better than virus writers, and should be put into jail.
Saskboy's blog is good. 9 out of 10 dentists agree.
Well... Here's some fun. My original post showed the harvested domain did a 302 Found redirection to 66.96.215.226. That rinky-dink NET-66-96-215-215-1 block hasn't changed since 2001-06-29. Taking the address of the owner and dropping it into Mapquest, and .. voila! Just down the road from Clearwater. (Doesn't prove anything. Florida is loaded with spammers and scammers of all types.)
One line blog. I hear that they're called Twitters now.
about spyware? Let's face it, Sunbelt Software has a long history of spamming...
Not to mention the entire Clearwater/$cientology thing...
Then again, who better to look into the entire spam/spyware connection. They're simply vetting out the competition, right? What a world.
Some of the referenced articles point to the CWS website being hosted by an ISP in the USA (State of MA). It would seem like that would be an opportunity to get the information of those responsible... either by gaining access to systems / physical property or simply beating the answer out of the company owners.....
Another nice tactic would be if virus writers would release other malicious viruses using the CWS name and website, set CWS up for a nice fall and huge legal action.
You can always follow the money. Heck, offer to pay CWS to run banner ads on their hijack search engine then go rm the people accepting the money.
Southeastern Virginia REPRESENT!
Is anyone else disturbed in the least by the fact that they chose to post all of this information publically before an investigation was completed? Given that it's on a site as popular as
Granted that it was this publicity that allowed the investigation to begin, what are the chances that this will yield anything useful?
The ARIN record lists a home.com email address, but that redirects to a com.org site (a network solutions domain according to internic). An MX lookup on home.com doesn't return a record, which doesn't surprise me at all. The contact phone number listed is a 604 area code which turns out to be Canadian...
"Region
British Columbia
Cities
Boston Bar
Chilliwack
Hope
Pemberton
Powell River
Vancouver "
A search on the Canadian number just returns...
"We're sorry. We did not find a listing for the phone number you entered.
The phone number "(604) 313-3412" is a Vancouver, BC based phone number and the registered carrier is TELUS Mobility. However, due to number portability, some numbers have been transferred to a new service provider other than the registered carrier."
Whoever or whatever is holding it doesn't wish to be contacted to the extent that they are willing to falsify ARIN information. I wonder what ARINs policy on that is?
Steve's Computer Service, Hobbs, NM
In fact, now that Firefox has gained some market share, it's now a target of some spyware. I just removed MyWebSearch from a computer yesterday. It had a firefox plug-in. The history of this infection is interesting. The friend had install cursors from cursormania.com whose web site claims it installs no spyware or adware. Yea right! It had installed a dozen plugins, one of which prevented Outlook from working. User couldn't send email because Sygate personal firewall wouldn't Outlook contact the websearch site on port 80. (I'm anal and one of the things I did was limit Outlook to the smtp/pop ports on our email servers).
> Running from a limited user account coupled with > using a non-IE browser removes nearly every > (current) major malware attack vector. Except ignorant users. See my earlier post about a user installing cursor from cursormania.com. This was done on a restricted account running FireFox. Also of interest - it installed a Firefox plugin.
Finally, some hard evidence of spyware being used for identity theft. I hope the major news outlets pick this up. Spyware is not just an annoyance, like spam. Hopefully people will wake up and realize the threat to their privacy and financial security that spyware poses.
Probably not though, unless some gray-hat releases a variant that steals your info and then mails it all back to you. When folks start getting spam that contains their bank account password, then maybe they'll consider taking some action.