Massive spyware-based identity theft ring involving CoolWebSearch

Ian David (1000+ posts), Sun Aug-07-05 12:39 PM
Original message
Massive spyware-based identity theft ring involving CoolWebSearch
Edited on Sun Aug-07-05 12:43 PM by IanDB1
On edit: Other sources seem to be picking up this story. Additional citations at bottom of post.


Massive spyware-based identity theft ring uncovered

8/5/2005 11:13:24 PM, by Clint Ecker

Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application—rumored to be called CoolWebSearch—they've discovered that the personal information of those "infected" was being captured and uploaded to a server.

One can only speculate about why someone would do such a thing; the amount of data that could be gathered would almost certainly be daunting for even a few people to sift through and exploit. On the other hand, the researchers at Sunbelt have personally uncovered the personal information of two individuals who, combined, could be taken for well over US$350,000.

The list of stolen information includes not only bank accounts but website passwords, eBay accounts, what sort of adult images you fancy, and, supposedly, even more. The researchers initially had tried in vain to get a hold of someone who could take action on this issue but didn't get a response right away:

We have notified the FBI, but of course no response (too busy doing other more important things). We have notified a few of the parties involved...If anyone has any other ideas, send 'em to us. Right now, we're sitting upon literally thousands of pages of stolen identities that are being used right now.

Good news came today, though, that the FBI had responded and are currently working the case. We've emailed Alex and tried to see if we could get any more details about the whole thing out of him, but at the time of publication, we had not received a response. Hopefully the people who've perpetrated this massive-scale theft of personal data can be quickly caught and brought to justice due to the quick actions of Alex Eckelberry and the researcher who discovered the crime, Patrick Jordan.

More:
http://arstechnica.com/news.ars/post/20050805-5175.html



See also:


Because CoolWebSearch Wasn't Sleazy Enough...
BroadbandReports.com, NY - Aug 5, 2005
Anti-Spyware firm Sunbelt Software "stumbled upon" a massive ID theft ring that had been using a CoolWebSearch variant to dump personal info gleaned from
http://www.broadbandreports.com/shownews/66178

Anti-spyware firm warns of massive ID theft ring
NetworkWorld.com, MA - Aug 5, 2005
... research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS), according to ...
http://www.networkworld.com/news/2005/080505-id-theft.html

Spyware 'calling home' volumes soar
Register, UK - Jul 25, 2005
... The firm said malware such as CoolWebSearch, which hides on an infected client using newly developed root-kit architecture, often evades detection
http://www.theregister.co.uk/2005/07/25/spyware_screening/
Also:

<snip>

Around October 2004, many mainstream web servers, including major advertising networks, were hacked by a CoolWebSearch affiliate (apparently using security holes in old versions of PHP and/or OpenSSL via Apache). Visitors to these sites were served with exploits that installed CoolWebSearch variants along with other parasites such as BargainBuddy/BullsEye and /Cashback, BookedSpace, HuntBar/WinTools, FavoriteMan/ATPartners, Look2Me/V3, InternetOptimizer, ISTbar/XXXToolbar, /SideFind, /ActiveX and /YSB, nCase, NeoToolbar, PowerScan, SaveNow/VVSN, SearchMiracle, TIBS (dialler), TopConverting, TopMoxie/WebRebates, WildMedia/WMService and WindUpdates/WinAdTools. Previous CoolWebSearch exploits had also installed some of these, as well as Tubby and OnlineDialer/Ole, zombie botnet clients and even internet banking password-stealing trojans.

Other parasites related to CoolWebSearch and often considered part of the same family include Winshow, SuperSpider, SCAgent, SRE and FreshBar.

More:
http://www.doxdesk.com/parasite/CoolWebSearch.html
msongs (1000+ posts), Sun Aug-07-05 12:43 PM
Response to Original message
1. why should dfa endorse that jass guy? whoever he is..n/t

Ian David (1000+ posts), Sun Aug-07-05 12:46 PM
Response to Reply #1
3. Well, since you asked.... I'll post a Jass Stewart Appreciation Thread...
You could also visit his website at:
http://www.JassStewart.com

I'll let you know when it's posted.

Ian David (1000+ posts), Sun Aug-07-05 12:58 PM
Response to Reply #1
7. OK, here is the "Why you should endorse Jass Stewart" thread
DU Activist Headquarters
Why you should ask DFA to endorse Jass Stewart for Mayor of Brockton http://www.democraticunderground.com/discuss/duboard.php?az=show_mesg&forum=106&topic_id=20868&mesg_id=20868

mike_c (1000+ posts), Sun Aug-07-05 12:44 PM
Response to Original message
2. hmmm-- could the FBI be INVOLVED...?
eom

Trillo (1000+ posts), Sun Aug-07-05 12:54 PM
Response to Reply #2
6. Wiretap-Friendly Design?
FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=104x4278833


Cessna Invesco Palin (1000+ posts), Sun Aug-07-05 12:47 PM
Response to Original message
4. "Researchers from a little-known security software company "
Little-known no longer, I suspect. For those not familiar with the shenanigans of the IT security industry, you should take things like this with a grain of salt. Security companies have a vested interest in hyping security threats.

This one does sound somewhat legit, but I'll wait and see.

Alpharetta (1000+ posts), Sun Aug-07-05 12:52 PM
Response to Original message
5. FYI CoolWebSearch was one of the toughest hijackers I ever had
It took a few iterations of hijackthis (a hijack exterminator) and other spyware killers to get rid of it.

teknomanzer (1000+ posts), Sun Aug-07-05 02:05 PM
Response to Reply #5
8. I had some serious problems with CWS...
I used many different versions of spy-ware detection and removal programs to no avail. I had to do some investigating into the problem... some of the time Google was not available for use because of my browser being hijacked, but fortunately I know just a little more than the average user (but much less than an IT professional) and I was able to figure out a way to restore my browser long enough to research the problem and delete the offending files manually. The following programs were useful in allowing me to regain control of my computer: HiJackThis, StartDrek, Spybot, Ad-aware. No single program was able to cure the problem, but using them in concert allowed me to get the job done. It was a daunting task that required much patience, a little knowledge, and some google research.

Though I could go into detail about the problem, it would not help much, as CWS and other spyware have so many versions, each requiring individual solutions. Some are simple, others more complex. New spyware is being created almost on a daily basis. But I will recommend the following:

1. First and foremost - Stay out of the back alleys of the internet. Beware of anything FREE. There is no such thing as a free lunch. Free programs, pictures, music, etc.: these are the lures to bring marks to a site. Avoid these areas like the plague. It is still possible to stumble on these places accidentally, but you still shouldn't go looking for trouble.

2. Take an interest in your computer's start up programs. These are the things running in the background supporting functions on your computer. If you see something new or suspicious - research it. You can find out whether that program is necessary, harmless, or a spy-ware component with a simple google search.

3. Do not be afraid of the program registry. If you develop a problem YOU WILL have to go into the registry to make changes. Learn about it, and don't be afraid to make necessary changes that are based on research of your particular problem.

4. This tip is as old as the computer itself. Backup, backup, backup! Always make backups of your most important files! If your computer is hopelessly beyond fixing (which is rare in my experience), or you become too frustrated and decide to start from scratch - reformat and reinstall (which I have considered doing at some points), you will be glad you had backups outside the hard drive.

Like I said, I'm no expert and others on this board may know more about this than I do. But using the above tips I solved my problem without spending a dime on professional help.

Good luck and stay safe!
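As an added example (not part of the thread, nor code from HijackThis or any other tool named in it), the following PowerShell script does the read-only part of teknomanzer's tips 2 and 3: it lists the Run/RunOnce autostart values, the Internet Explorer Browser Helper Objects and the IE Start/Search Page values that browser hijackers such as CWS targeted, and flags entries whose file is missing or unsigned so they can be researched before anything is removed. It assumes a Windows host with PowerShell 3 or later and uses only standard registry locations and built-in cmdlets.

```powershell
# Added example, not from the thread: read-only audit of the autostart and
# IE hijack points that browser hijackers such as CWS abused. Nothing is changed.

function Resolve-ImagePath {
    param([string]$Command)
    # Take the quoted path or the first token of a command line, expand %VARS%.
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    if ($Command -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-AutostartReport {
    $rows = @()
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PS* metadata properties; everything else is a Run value.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $rows += [pscustomobject]@{ Source = $key; Name = $name; Path = Resolve-ImagePath $props.$name }
        }
    }
    # Browser Helper Objects: each subkey is a CLSID whose DLL is named under InprocServer32.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '' }
            $rows += [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Path = Resolve-ImagePath $dll }
        }
    }
    # Flag entries whose file is missing or lacks a valid Authenticode signature;
    # those are the ones worth researching before deciding what to remove.
    foreach ($r in $rows) {
        $exists = ($r.Path -ne '') -and (Test-Path -LiteralPath $r.Path -PathType Leaf)
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $r.Path).Status } else { 'FileMissing' }
        $r | Add-Member -NotePropertyName Signature -NotePropertyValue $status
        $r | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($status -ne 'Valid')
    }
    return $rows
}

# IE home and search page values were the classic CWS hijack targets; show them too.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' |
    Select-Object 'Start Page', 'Search Page' | Format-List
Get-AutostartReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

An unsigned or missing file is a lead, not a verdict: many legitimate older programs shipped unsigned, which is why the script reports rather than deletes.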