Officials at Sunbelt Software, a vendor of anti-spyware tools, say the company has stumbled upon a massive ID theft ring that is using a well-known spyware program to break into and systematically steal confidential information from an unknown number of computers worldwide.
The operation was discovered last week during research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS).
CWS programs are extremely hard to detect and remove, and are used to redirect users to websites that use spyware tools to collect a variety of information from infected computers.
The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the US. That server holds a "treasure trove of information" for ID thieves, according to Sunbelt.
Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information. The bank information included details on a company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash.
Many of the records being uploaded also contained EBay account information. Among the highly personal bits of information Sunbelt was able to retrieve from the server were one family's vacation plans, instructions to a limo driver to pick up passengers from an airport and details about a computer user with a penchant for paedophilia.
Sunbelt officials did not say how they accessed the material. But the existence of a large file that the company said it retrieved from the remote server was confirmed by Computerworld. Sunbelt says the file contained user names, addresses, account information, phone numbers, chat session logs, monthly car payment information and salary data.
"It's one of the most egregious things we have ever seen," said Sunbelt spokesperson. "We know this kind of data is out there, but this is the first time we actually have the data that the criminals are using."
Information gathered from infected computers is uploaded to the remote server and stored in highly organised files that appear to be accessed by multiple ID thieves. The files grow to anywhere from 10MB to 20MB in size before they are refreshed with new information.
Sunbelt's discovery brings home the seriousness and scope of the growing ID theft problem, says Pete Lindstrom, an analyst at Spire Security in Malvern, Pennsylvania.
"I think this stuff is much more significant than the notification of [compromises] by credit card companies," Lindstrom says. That's because the credit card industry as a whole has better controls in place to detect and prevent abuses resulting from such compromises than individuals, he says.
"This stuff hits home because it's personal. It's like taking something out of your home," Lindstrom says. "Each and every one of these accounts can be compromised, and it hurts someone."