Stolen-data trove offers insights on botnets


Massive "botnet" networks — armies of infected computers formed by spreading a computer virus that orders compromised machines to phone home for further instructions, such as sending out spam or relaying passwords — are sucking up personal data from millions of people at an alarming rate, and school and college networks are common targets of these attacks. A recent find by security researchers offers a glimpse at the damage done by one of these botnets and how hard it can be to shut them down.

Getting hacked is like having your computer turn traitor on you, spying on everything you do, and shipping your secrets to identity thieves.

Victims don’t see where their stolen data end up. But sometimes security researchers do, stumbling across stolen-data troves that offer a glimpse of what identity theft looks like from the criminals’ perspective.

Researchers from U.K.-based security firm Prevx found one such trove, a web site used as a stash house for data from 160,000 infected computers before it was shut down this month.

The find offers a case study on just how much data criminals are stealing every day, from the utterly inconsequential to the alarmingly private.

It also shows the difficulty in closing off criminals’ ID-theft beachheads: The web site that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.

The victims in the Prevx find are mostly everyday people handing over their passwords for Facebook and banking sites, along with their love notes and other eMails. But more dangerous personal information is there, too, including Social Security numbers and other account information from one bank’s infected computer.

Caches of stolen data like these are hidden throughout the internet, usually locked away inside password-protected web sites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.

In that sense, the find illustrates how even sloppy crooks can vacuum up enormous amounts of information through massive botnets. The botnet Prevx found was only harvesting data, though Prevx said it could have been upgraded to do other things, too.

It’s unclear from an Associated Press (AP) investigation of the data trove whether any of the infected machines were from a school or university network. But college students were among those whose data were harvested, and the way one student reacted when he learned of the breach offers lessons in how such a breach should be handled.

Ordinary internet sessions are logged in great detail. One Southern California 22-year-old could be seen registering a domain name, changing his Yahoo eMail password, and ordering a meal online from Pizza Hut. His credit card number, birth date, telephone number, address, and passwords are now all in criminals’ hands–though it’s unclear what, if anything, criminals have done with the information yet.

Some victims are gold mines for sensitive data. An infected computer at a Georgia bank exposed customer details and credentials for the bank’s wire-transfer system. Bank employees were checking eMail, looking up information on BMWs and Infinitis, and working with customers’ accounts on the same infected machine.

Government computers also were hit, including one in Texas that coughed up web site logins for one of the government’s health care providers, and another in North Carolina that revealed access to an agency’s human resources system.

"This is giving criminals the keys to the castle," said Prevx’s director of malware research, Jacques Erasmus. "Once they’re into this system, it might not seem at this point like it’s the biggest data heist ever, but this is how they get into a network. This is their game–they do this every day."

In other words, criminals start small, then use their first point of attack as a way to jump onto more sensitive computers.

Researchers who discover these stolen-data caches then have to figure out what to do with them. Notifying victims is time-consuming and difficult, and researchers tend to focus on trying to get service providers to deactivate the servers before criminals get to the data on them.

Prevx said it alerted the site’s internet provider, the FBI, and U.K. authorities about the breach it discovered. The company also talked to the affected bank, Doraville, Ga.-based Metro City Bank, a community bank whose web site lists four locations, and Prevx said the bank has removed the infected computer.

One customer–Yoon-Kee Hong, a 22-year-old college student from Suwanee, Ga.–had signed up for an account with Metro City Bank just a month before learning about the breach. He said he had not been alerted by the bank that his Social Security number and other personal details were stolen.

After being told about the breach by the AP, which picked his name from the files provided by Prevx, the student said he planned to cancel his account.

"I cannot trust them any more," he said. "They’re not doing what they’re supposed to do. They didn’t even notify me. It’s like they’re trying to hide it from their customers."

He later relented and decided to stay with the bank after he was offered a new account and promises of fraud alerts.

The bank said in a statement that it is notifying customers and is investigating the breach, refusing to comment further. State officials in North Carolina and Texas didn’t return calls on the breaches there. The FBI also didn’t return a call about the breaches.

Such finds are becoming more common as the barrier lowers for crooks to jump into the online identity-theft racket. Top-of-the-line viruses, also known as Trojans, can be had for under $1,000.

Joe Stewart, a SecureWorks Inc. botnet expert who was not involved in Prevx’s research, said that last year, he helped shut down a command-and-control server for a huge botnet that had infected more than 378,000 machines and had stolen more than 460,000 usernames and passwords.

There are countless other smaller botnets, set up by less sophisticated criminals who steal as much data as they can, then pull up stakes and do it all over again once their operation has been detected.

"The level of amateurness speaks to how widespread it is," Stewart said. "Literally anybody with a little bit of computer knowledge at all, if they have the criminal bent, can get access to one of these Trojans and get it out there and start stealing people’s data."

How to tell if a computer is infected … and what to do about it

Computer-virus infections don’t cause machines to crash anymore. Nowadays, the criminals behind the infections usually want your computers operating in top form so you don’t know something’s wrong. That way, they can log your keystrokes and steal any passwords or credit-card numbers you enter at web sites, or they can link your infected computer with others to send out spam.

Here are some signs your computer is infected, tapped to serve as part of botnet armies run by criminals:

• You experience new, prolonged slowdowns. This can be a sign that a malicious program is running in the background.

• You continually get pop-up ads that you can’t make go away. This is a sure sign you have "adware," and possibly more, on your machine.

• You’re being directed to sites you didn’t intend to visit, or your search results are coming back funky. This is another sign that hackers have gotten to your machine.

So what do you do?

• Having anti-virus software is hugely helpful. For one, it can identify known malicious programs and disable them. If the virus that has infected your machine isn’t detected, many anti-virus vendors offer a service in which they can remotely take over your computer and delete the malware for a fee.

• Some anti-virus vendors also offer free, online virus-scanning services.

• You might have to reinstall your operating system if your computer is still experiencing problems. It’s a good idea even if you believe you’ve cleaned up the mess, because malware can still be hidden on your machine. You’ll need to back up your files before you do this.

How can you know what information has been taken?

• It’s very hard to tell what’s been taken. Not every infection steals your data. Some just serve unwanted ads. Others poison your search results or steer you to web sites you don’t want to see. Still others log your every keystroke. The anti-virus vendors have extensive databases about what the known infections do and don’t do. Comparing the results from your virus scans to those entries will give you a good idea about what criminals might have snatched up.
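The article describes infected machines that "phone home" on a schedule to a command-and-control server. On a school or campus network, that regularity is one of the few infection signs visible from the outside, without access to the machine itself. The following is an added example, not code from the article or from Prevx or SecureWorks: it reads a constructed outbound-connection log (timestamp, source host, destination) and flags host/destination pairs whose connection gaps are nearly constant. All host names and domains below are made up.

```python
"""Flag host/destination pairs with beacon-like (highly regular) connection timing.

Added example, not from the article. Assumes a whitespace-separated log with
"timestamp source_host destination_host" on each line; the log is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. lab-pc-07 contacts c2.constructed-example.test
# every five minutes (beacon-like); lab-pc-12 browses at irregular times.
SAMPLE_LOG = """\
2009-03-10T08:00:00 lab-pc-07 c2.constructed-example.test
2009-03-10T08:00:05 lab-pc-07 www.example-news.test
2009-03-10T08:05:01 lab-pc-07 c2.constructed-example.test
2009-03-10T08:07:40 lab-pc-07 www.example-news.test
2009-03-10T08:10:00 lab-pc-07 c2.constructed-example.test
2009-03-10T08:14:59 lab-pc-07 c2.constructed-example.test
2009-03-10T08:20:00 lab-pc-07 c2.constructed-example.test
2009-03-10T08:25:01 lab-pc-07 c2.constructed-example.test
2009-03-10T08:01:12 lab-pc-12 www.example-news.test
2009-03-10T08:09:45 lab-pc-12 mail.example-school.test
2009-03-10T08:33:02 lab-pc-12 www.example-news.test
2009-03-10T08:40:10 lab-pc-12 mail.example-school.test
2009-03-10T08:55:30 lab-pc-12 www.example-news.test
2009-03-10T09:12:00 lab-pc-12 www.example-news.test
2009-03-10T09:13:05 lab-pc-12 www.example-news.test
"""


def parse_log(text):
    """Group connection timestamps by (source, destination), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    for times in conns.values():
        times.sort()
    return conns


def beacon_score(times):
    """Coefficient of variation of the gaps between connections.

    0 means perfectly periodic; human browsing gives a much larger value.
    Returns None when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs that look like beacons.

    min_connections avoids judging on a handful of events; max_cv is the
    regularity threshold (lower is stricter). Both are tuning assumptions.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is None or cv > max_cv:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits.append((src, dst, round(mean(gaps)), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

On the constructed log this reports only lab-pc-07 talking to c2.constructed-example.test roughly every 300 seconds, while lab-pc-12's browsing is far too irregular to match. A hit is a lead to investigate with the anti-virus tools the article describes, not proof of infection: legitimate software updaters and monitoring agents also poll on fixed intervals, so a real deployment would whitelist known destinations and look at the flagged host's traffic before acting.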




Up to $4.5 million to fund pre-school reading programs

The program, sponsored by the U.S. Department of Education, supports local efforts to enhance the oral language, cognitive, and early reading skills of preschool-aged children, especially those from low-income families, through strategies, materials, and professional development that are grounded in scientifically based reading research.


$200 for STEM teachers

K-12 teachers who develop or apply science, mathematics, and technology in their curriculum are invited to apply for a grant of up to $200 per request to supplement their learning programs. Each school is limited to up to $1,000 per calendar year. Teachers must be an AIAA Educator Associate member or an AIAA Professional member.


$2,500 to purchase products from the Education Resource catalog

Schools are being offered a $2,500 Education Resource voucher, awarded to the two schools that are best at implementing technology for the advancement of student learning. Applicants are asked to submit an essay detailing the technology used, how it is utilized, and how it impacted student achievement.


Up to $2,000 for high school students

Thacher Scholars Awards are given to secondary school students that demonstrate the best use of geospatial technologies or data to study Earth. Eligible geospatial tools and data include satellite remote sensing, aerial photography, geographic information systems (GIS), and Global Positioning System (GPS). The main focus of the project must be on the application of the geospatial tools or data to study a problem related to Earth’s environment.


More than $25,000-worth of Orchard software and a Lenovo ThinkCentre

Lenovo and Orchard Software are calling on students between ages 8 and 18 to enter their Listen to a Life essay contest. To enter, students must interview a person who is over age 50 — and is not their parent — about their hopes and goals through their life, how they achieved goals and overcame obstacles, or how dreams may have changed along the way. Then the companies are asking the students to write a 300-word essay based on the interview. The winner will receive a Lenovo ThinkCentre computer with $800 worth of Orchard software and an iPod Classic. Their school will also win $25,000 worth of Orchard software.


Hackers transfer $200,000 out of school’s bank account

Officials with the Carl Junction R-1 School District in Missouri say computer hackers apparently were able to transfer nearly $200,000 out of the district’s bank account, reports the Joplin Globe. Authorities as of earlier this week had managed to recover $80,000 of the amount stolen, and school officials say they are confident that the district’s insurance will cover any money that is not retrieved. Superintendent Phil Cook said a virus struck the district’s computer system on Feb. 26, and the district later learned that a portion of that virus allowed someone to access the district’s bank account. Cook said about $200,000 was transferred from the district’s account to a number of banks nationwide in increments of about $8,000. He said the virus that hit the district’s system contained a "key logger" that allowed the hackers to recognize computer keystrokes. "They were then able to recognize when people signed on to our system and their passwords, and they were specifically looking for people signing in to our bank account," Cook said. The virus was not detected by any of the numerous antivirus programs the school district employs, he added…



School shooting internet post was likely a fake

German police say they’ve made great strides toward developing a profile of the gunman in the March 11 school shooting spree that killed 15 people, but one key piece of evidence — a posting in an internet chat room — has turned out to be fake, the German newsmagazine Der Spiegel reports. Just hours after Baden-Württemberg Interior Minister Heribert Rech announced the existence of the web post, Stuttgart prosecutors said that "in the course of the afternoon, doubts arose about the authenticity of the internet chat." Later, a police spokesman said investigators had not, in fact, found any traces that the perpetrator of the shootings had been responsible for the posting. "Some crazy must have put this false message into the world," Rech told a local newspaper late on March 12. Despite the mistake, however, German officials are still taking internet postings seriously. An overnight chat-room posting was found threatening violence at a school in the town of Ilsfeld in southwestern Germany. The school was cordoned off March 13, and officials are searching the premises…
