Warning to all: Monsters are roaming all over the Internet and looking for unsuspecting victims whose identity they steal.
Security researchers recently unearthed the single largest cache of stolen identities, harvested in part by a Trojan hidden in fraudulent advertisements on online job sites such as Monster.com. (Well, at least the despicable creatures behind this website don’t hide their true nature.)
Don Jackson, a researcher with the security company SecureWorks, told InformationWeek that he found 12 data caches connected to one group using the latest variant of the Prg Trojan, which is also known as Ntos, Tcp Trojan, Zeus, Infostealer.Monstres and Banker.aam. Several of the 12 caches contain information on about 4,000 to 6,000 identity theft victims, but one contains about 10,000 and the largest one contains 46,000.
He estimates that between the 12 caches, there probably is information on about 100,000 stolen identities.
Jackson calls the identity theft organization behind the caches the “car group” because they’ve named each of the servers storing the information for a different auto manufacturer, like Ford, Mercedes, Chrysler, and French carmaker Bugatti.
The data, which includes bank and credit card account information, Social Security numbers, online payment account usernames and passwords, comes from victims who were all individually infected with the Trojan beginning in early May this year.
He said the latest variant of the Prg Trojan has been distributed through fraudulent ads on at least two online job sites. One, he said, is Monster.com.
“The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan,” said Jackson. “When a user views or clicks on one of the malicious ads, their PC is getting infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL-protected sites, is being captured and sent off to the hacker’s server in Asia Pacific.”
Jackson said one server is still collecting stolen data and they are seeing 9,000 to 10,000 victims sending information to the server at any one time. When someone clicks on the advertisement, they’re taken to a malicious Web page where their computer is infected with the Prg Trojan.
The Trojan is designed to exploit several different software flaws, including vulnerabilities — all of which have been patched by the vendors — in Microsoft’s Internet Explorer browser, WinZip and Apple’s QuickTime.
Now, here’s a way to find out if your computer has been raided by the Monsters:
If you’ve posted your data or resume to Monster.com, watch out for a well-crafted e-mail that purports to come from the site and offers a link to a downloadable “Monster Job Seeker Tool.” The download is actually one or more pieces of malware that attempt to steal your financial data or even encrypt your important documents and hold them for ransom.
According to Symantec’s analysis of the attack, the e-mails look entirely real, and may use the intended victim’s real name and other personal information.
The attackers get that personal info with a multi-pronged attack that starts with a Trojan called Infostealer.Monstres. Monstres steals personal information about Monster.com users from the section of the site used by recruiters to find job seekers. That can include a searcher’s name, e-mail address, home address and other data.
The crooks use that stolen info to then send the personalized attack e-mail. If you click the contained link, you could be infected by one of two pieces of malware (so far). One, which Symantec labels Infostealer.banker.c, attempts to steal online financial account logins. The other, Trojan.gpcoder.e, will encrypt a range of documents on a victim PC and then demand a ransom payment for the decryption password.
If you’ve received one of these e-mails and think you might be infected, here’s a test that could turn up malware your antivirus program may have missed. Gpcoder creates a backdoor that allows attackers to connect to infected machines, and you can detect the backdoor like this (on Windows XP):
1. Click Start | Run
2. Enter ‘cmd’ to bring up a command prompt.
3. Type “telnet localhost 6081” and hit Enter.
According to Don Jackson at SecureWorks, who says the possibly related Prg Trojan uses the same port, 6081, as a backdoor, a non-infected computer will respond with a message like “Could not open connection to the host, on port 6081: Connect failed.” That means nothing is listening on that port – no backdoor.
But if you don’t see that error message and the window just sits there blank after you type the telnet command, the connection was accepted: something is listening on port 6081 and waiting for input. Two caveats: the telnet client is not installed by default on Windows Vista and later, where “netstat -an” shows the same thing as a line ending in “:6081” in the LISTENING state (add “-o” to get the owning process ID); and a listener on that port only tells you something is there, not what, while an empty port does not prove the machine is clean.
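The same check, scripted, as an added example that is not code from the original article, SecureWorks or Symantec: it makes a TCP connect to the port and maps the outcome onto the two cases described above, a refused connection meaning nothing is listening and an accepted connection meaning something is. The port number 6081 comes from the text; the throwaway demo listener, the helper names and the “open/closed/filtered” result labels are this example’s own. Run it with Python 3 on the machine you want to check.

```python
import socket
from contextlib import contextmanager

BACKDOOR_PORT = 6081  # port named in the article for the Gpcoder/Prg backdoor


def probe(host="127.0.0.1", port=BACKDOOR_PORT, timeout=2.0):
    """Attempt a TCP connect and classify the result.

    "open"     -> the connect was accepted: something is listening (the case
                  where telnet "just sits there" waiting for input)
    "closed"   -> the OS answered with RST: nothing is listening (telnet's
                  "Could not open connection ... Connect failed")
    "filtered" -> no answer before the timeout; on localhost this should not
                  happen, on a remote host it usually means a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"


@contextmanager
def temporary_listener(host="127.0.0.1", port=0):
    """Bind a throwaway listener (port 0 = any free port) so the "open" case
    can be demonstrated without a real backdoor. Yields the bound port.
    This is the example's own test fixture, not anything the malware does."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def free_port(host="127.0.0.1"):
    """Return a port that was free a moment ago (listener bound, then closed)."""
    with temporary_listener(host) as port:
        return port


def self_check(host="127.0.0.1"):
    """Exercise both outcomes: the same port with a live listener, then closed."""
    with temporary_listener(host) as port:
        while_open = probe(host, port)
    after_close = probe(host, port)
    return while_open, after_close


if __name__ == "__main__":
    # The real check from the article, against the backdoor port.
    print(f"127.0.0.1:{BACKDOOR_PORT} is {probe()}")
    # Demonstrate what "open" and "closed" look like on a harmless port.
    print("self-check (expect ('open', 'closed')):", self_check())
```

As with the telnet version, “open” only says that some process accepted the connection; use netstat with the process ID option, or a scan, to find out which one.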
Either way, the next thing to do is update your anti-virus signatures, run a full scan and get rid of the monsters. Then, from a machine you trust, change the passwords for any accounts you typed into the infected PC’s browser, since the Trojan captures them before they ever reach an SSL-protected site.