NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0285 Infected Job-Search Sites Harvest Personal Data:
A security researcher at SecureWorks uncovered a "huge" cache of financial and personal data stolen from about 46,000 individuals by a variant of the Prg Trojan. The stolen data included bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and re-infected as they visited several leading online job-search sites, including the popular Monster.com. Don Jackson of SecureWorks said he found the data on a server - one of 20 similar servers worldwide - that are collecting and storing data stolen by Prg. Twelve of those servers - including the one Jackson found - are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford, and Mercedes, Jackson said.
Prg, which was first seen in the wild in June, appears to be a variant of a Trojan known as wnspoem, discovered last October. Like the earlier model, Prg is designed to sniff sensitive data from Windows internal memory buffers before the data is encrypted, which means that the malware can circumvent SSL security measures. A user clicking on a malicious ad that has been implanted on a legitimate job-search site is taken to an exploit page that "fingerprints" the user's browser and then serves up from one to four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.
A new variant of the Trojan appears every five days to a week, making it difficult for anti-virus tools to keep up, said Jackson, so infections are going undetected for several weeks in many cases.
(www.computerworld.com 17AUG07)
Last Modified: Saturday, 08-Sep-2007 07:33:26 EDT