Identity theft ring affects at least 50 banks

Customers from Bank of America, PayPal and other financial institutions have had their financial details stolen by a dangerous new Trojan

A major identity theft ring discovered last week has affected the customers of at least 50 banks, according to Sunbelt Software, the security firm that uncovered the operation.

The operation, which is thought to be under investigation by the FBI and Secret Service, is currently gathering personal data from compromised machines and sending them to a server where they are saved in a file.

Sunbelt Software said on Monday that in the two days it has been monitoring the file it has seen confidential financial details of the customers of the Bank of America, PayPal and up to 50 international banks, according to Eric Sites, the vice-president of research and development at Sunbelt.

"For almost every bank that is listed [in the file], it's possible to get into the person's account," Sites said.

As well as passwords for online banking sites, information on credit cards has also been gathered. Sites said that Sunbelt had found one customer's credit card number, expiry date and security code as well as their name and address, which would allow anyone to use their credit card.

The data theft was initially reported to be carried out by a modified variant of a spyware application, called CoolWebSearch (CWS), but Sunbelt has now found that the activities are carried out by a separate Trojan, which is downloaded at the same time as CWS and a mail zombie.

The malicious code is hosted on a Web site that mainly hosts pornography, which Sites was unwilling to name. Users of Windows XP that have not installed SP2 are particularly vulnerable as the code will be automatically downloaded without the user's knowledge. Sunbelt is currently investigating whether users of earlier Windows versions, such as Windows 2000 and Windows ME, are also vulnerable.

"If you have an unpatched Windows machine, when you go to the URL it will automatically download everything from Web site, including the Trojan. All you have to do is type in the URL and you're hosed," said Sites.

The Trojan is a new variant, so antivirus and anti-spyware vendors do not yet block it, according to Sites. Sunbelt plans to send information on the Trojan to security firms as soon as possible.

The Trojan carries out keylogging, and also gathers information stored by Internet Explorer's auto-complete function. This data includes any information that has been typed into forms, including usernames and passwords.

Two variants of the data-stealing Trojan have been found, one of which sends data to a publicly available server, which is being monitored by both Sunbelt and the Secret Service, according to Sites. He claimed this server will not be shut down straight away so that the FBI and Secret Service can track down the perpetrators.

Sunbelt believes the operation has only been going on for a couple of weeks and has affected a "couple of thousand machines", according to Sites.

An FBI spokesperson was unable to confirm whether or not an investigation was taking place.