Slashdot Mirror


Spyware Based ID Theft Ring Uncovered

phaedo00 wrote to mention an Ars Technica article discussing a massive identity theft ring uncovered by security software firm Sunbelt. From the article: "According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application--rumored to be called CoolWebSearch--they've discovered that the personal information of those 'infected' was being captured and uploaded to a server."

8 of 143 comments

  1. Misinformation? by LFS.Morpheus · Score: 4, Informative

    If you RTFA, you find that what they really found was that CoolWebSearch (or, more accurately, one of its variants) sends sensitive information to a server. There is no information that they have uncovered a "massive ring" of people involved. They have contacted the FBI and they'll be responsible for finding those responsible.

    I did some research on CoolWebSearch (or "CWS") which is a pretty common spyware app, and it seems there are tons of variants. The majority of these apps are designed to get you to coolwebsearch.com in order to create affiliate money for the variant's creator - or at least that was the original idea. My guess is that only some of these variants capture privacy information.

    More information on CWS is available from:
    http://en.wikipedia.org/wiki/CoolWebSearch
    http://www.google.com/search?q=CoolWebSearch

    --
    The space unintentionally left unblank.
  2. CWS claimed "affiliates" do it... by Tuxedo+Jack · Score: 4, Informative

    But they're basically commissioning it with their PPC search engine model.

    Also, if you've not read up on CWS and what they do - and how they do it - read this:

    http://merijn.org/cwschronicles.html

    Merijn's the original developer of CWShredder, and while his recording of CWS stops at the original about:blank strain, that's enough to tell you what kind of scum pull this.

    Disclaimer: I use CWShredder in my work on SpywareInfo's antispyware boards.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  3. Re:Pedantic comment by Dunbal · Score: 4, Funny

    How can it be called ID Theft if the original owner still has his identity?

          You're right. It sounds more like ID Piracy arr arr...! That's good, everyone knows the penalties for piracy are much steeper than those for theft...(ducking).

    --
    Seven puppies were harmed during the making of this post.
  4. Re:Bound to happen eventually by CaptnMArk · Score: 4, Informative

    LOL

    It is funny how many people run anti-virus and anti-spyware software to clean up the mess while viruses and spyware might still be running on their machines.

    The only correct procedure is to boot from CD (or other read-only media), or perhaps move the disk to another machine, being very careful not to run anything from it.

    Then you verify hashes of all non-data files with known good values (easier said than done).

    Handling messy file formats where code and data are mixed (Word, Excel and to some extent HTML) is problematic too.

    Of course, an OS that can be actually booted from CD and has a real packaging system makes this much easier.
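    The hash-verification step described in this comment, as an added example that is not the poster's code: a small Python tool that records SHA-256 digests of code-bearing files from a known-clean tree and later checks a suspect tree (mounted read-only from another machine) against that manifest, reporting modified, missing and unexpected files. The manifest line format and the list of "code" extensions are assumptions for this example.

```python
import hashlib
from pathlib import Path

# Added example (not from the comment): offline integrity check of a mounted,
# untouched disk tree against a known-good manifest. The manifest line format
# ("sha256hex  relative/path", sha256sum style) is an assumption here.

# Extensions that typically carry code; data-only files are skipped, matching
# the comment's "non-data files". This list is illustrative, not exhaustive.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".so", ".bin", ".sh", ".py"}
CHUNK = 1 << 16

def sha256_file(path):
    """Hash a file in chunks; the file is only read, never executed or loaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, suffixes=CODE_SUFFIXES):
    """Walk a tree and record digests of code-bearing regular files (no symlinks)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink() and path.suffix.lower() in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest

def dump_manifest(manifest):
    """Serialise to text so the manifest can be kept on read-only media."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))

def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest

def verify_tree(root, manifest, suffixes=CODE_SUFFIXES):
    """Compare a suspect tree to the manifest. Returns three sorted lists:
    modified (digest differs), missing (listed but absent on disk) and
    unexpected (code file present that the manifest never listed)."""
    current = build_manifest(root, suffixes)
    modified = [p for p in manifest if p in current and current[p] != manifest[p]]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return sorted(modified), sorted(missing), sorted(unexpected)
```

Unexpected code files deserve as much attention as modified ones, since a dropped binary with a new name passes a check that only looks at known paths.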

  5. One of the very worst.. by Dynamoo · Score: 4, Interesting

    CoolWebSearch is one of the very worst spyware apps that I have to deal with.. it's a pig to remove (sometimes it's just easier to nuke the infected machine and start over) and it installs an alarming amount of Slimeware.

    Quite apart from the issue of identity theft.. the installation of the software itself is done illegally according to the laws of most countries. Silent drive-by downloads constitute unauthorised access.

    HOWEVER.. CoolWebSearch have claimed in the past that these silent drive-by installations were the work of "affiliates" and not CoolWebSearch itself. Personally, I have always suspected that the affiliates were working in this way with the tacit approval of CoolWebSearch.

    It's about time somebody got sent to jail for a LONG time for this kind of crap.

    --
    Never email donotemail@WeAreSpammers.com
  6. I saw that connection a year ago by AndroidCat · Score: 4, Interesting

    And posted about a network of sites I found over a year ago on news.admin.net-abuse.email when looking at a Scientology management company. I noticed that someone tossed a cancel at my post within a day. (By coincidence, Sunbelt Software is up to its eyebrows in Scientology too.)

    --
    One line blog. I hear that they're called Twitters now.
  7. Updated information from Sunbelt by phaedo00 · Score: 4, Interesting

    Hi, I'm the author of the Ars article and the submitter of this story. Alex from Sunbelt got back to me with a bit more information:

    Basically, it went like this:

    Patrick Jordan, our CoolWebSearch expert, was doing research on a CWS exploit. During the course of the research, he discovered that a) the machine he was testing became a spam zombie and b) it sent a call back to a remote server. He traced back the remote server and found what you have heard about.

    The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again.

    It is sophisticated. There are nifty little PHP scripts that help the criminals get reports. There is a special upload area.

    It's really quite sucktastic.

  8. Re:It's unbelievable at times by Hawthorne01 · Score: 4, Interesting

    Downloaded on my Mac, burned to CD, installed on the ThinkPad. Next question.

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."