The U.K. Metropolitan Police has revealed that cybercriminals used a particularly malicious piece of malware called the Haxdoor Trojan to steal data from thousands of U.K. users.
Over 2,300 people have been infected with a variant of Haxdoor, which installs a backdoor, keylogger and rootkit on infected machines, to harvest private information undetected.
As first reported by ZDNet UK on Tuesday, this personal information has been found on a server in the United States. The Met said on Wednesday that it is involved in a joint operation with the FBI.
"It's a diverse range of data that's been stolen," said detective chief inspector Charlie McMurdie, the officer in charge of the investigation. "Primarily passwords and details of financial transactions, but not purely banking data."
McMurdie told ZDNet UK that it was too early to say whether it was an individual or a group that was responsible for stealing the data, but said that most offences of this kind were perpetrated by organized criminal gangs.
"We're working in a global arena with other law enforcement agencies, but that doesn't necessarily mean the suspects are outside the U.K.," said McMurdie. "We're currently working with the FBI, as the data was being stored on the server in the U.S."
The Met is having difficulty contacting users they believe may be infected. They sent out an unsolicited e-mail to alert potential victims, but most of them are ignoring the e-mail.
"We've had a limited response [from the e-mail messages]," said McMurdie. "It's a recurring problem--when we take on an investigation, the main method of contacting thousands of victims is via e-mail. Everybody's suspicious--they believe it's a scam."
The Met is seeking to reassure people that the e-mail they sent out is genuine. The e-mail contains contact details for officers involved in the operation. The Met will not ask for data or banking details, and security validation is already contained in the e-mail. If people are in doubt, they should telephone the New Scotland Yard switchboard, or contact their local police force.
Machines infected with Haxdoor will still be transmitting information, but no longer to the criminals responsible. The data that was transmitted to the U.S. server has been recovered, and the server taken offline. The Met would not comment on what was now happening to the data being transmitted currently, and whether its continued transmission was being used in the operation.
"We've notified the U.S. authorities [about the transmission] and taken appropriate investigative steps, coupled with risk assessment," said an officer involved in the investigation.
The Met declined to say which variant of the Trojan has infected the U.K. users, but according to antivirus company F-Secure it is Haxdoor.AL, which is normally propagated through infected e-mail attachments.
"It's a nasty case," said Mikko Hypponen, director of antivirus research at F-Secure.
Once the Trojan is installed, it hides itself using a rootkit, making it difficult to detect. A keylogger makes a record of all keystrokes, and that data is then sent to a central server.
"Anything you type gets archived," Hypponen told ZDNet UK. "Bank pin codes, passwords, search terms. Then the guys who collect the data sift the huge logs." The data is then sold on the black market, according to Hypponen.
Passwords and log-in information are specifically collected by prioritizing data strings containing certain keywords, such as the names of banks.
The Met declined to comment on which banks' and ISPs' customers had been affected by the Haxdoor variant under investigation. However, one variant intercepted by F-Secure contained references to HSBC, Halifax Building Society, and Barclays.
The Haxdoor Trojan is sold as a commercial product by a Russian hacker who calls himself "Corpse", according to F-Secure. Haxdoor toolkits retail for approximately US$2,000 on the black market, and can be used by people to build their own Haxdoor variants.
As this product is available so easily, the Haxdoor may have more victims than those in the United Kingdom, according to F-Secure.
"The total count could be much higher," said Hypponen. "Other people have bought licences for Haxdoor toolkits--this is just one case among hundreds. There was a large amount of [Haxdoor] spam sent to German people last month, disguised as bills. The hackers' imagination is the only limit using the tool transmission method."