The computer spy that steals your passwords and credit details

The Russian website that posted Lambert’s details, www.carder.info, is one of a network of sites which trade in stolen identities. Thousands of passwords for e-mail accounts, security numbers for credit cards and access codes for shopping websites are offered for sale online after being “harvested” from trojan software.

In a four-week investigation a Sunday Times reporter approached users on Russian websites who were offering stolen identities for sale. The site includes a step-by-step guide to stealing identities and using the information without detection.

The reporter was offered stolen data on British citizens ranging in price from $2 to $5 per person. She requested a free sample and at 11.50pm on August 23 the details of more than 30 individuals were posted online, 13 of whom were British.

Max Haffenden, 27, an IT worker from Bexhill-on-Sea in East Sussex, was among those on the list and he confirmed last week that The Sunday Times had obtained his secret password from the Russian website. He uses the password — which has now been cancelled — for his personal Yahoo! e-mail account, payment transfers using PayPal and online shopping accounts.

“I am amazed someone could have got access to these details,” he said. “I have a good idea of how computers work and how to be as secure as possible. I only trust a site with my details if it has a ‘padlock’ to show it is a secure server.”

Haffenden, who used a computer firewall and anti-virus software, said his computer’s systems alerted him to malicious software, which he said might have been a trojan, about a year ago. He was unable to fix the problem but said it did not affect the performance of his computer.

Others on the list said there had been no apparent problems with their machines. Nick Riches, 40, from Basingstoke in Hampshire, who also works in the computer industry, was among those targeted. He confirmed his “standard secure password” had been obtained by the Russian website, along with his Hotmail access, his home address and details of a NatWest card. He said he regularly scanned his computer for viruses but had not been aware of any malicious software.

There was evidence last week that the fraudsters had already used some of the personal data to steal money. Cards belonging to Haffenden and Riches had been used without their permission on an internet gambling site, Unibet, in the past month with payments of £400 and £512.50.

Stolen data offered on foreign websites is usually obtained from hacking into the database of an online company to obtain customers’ details or from infiltrating a personal computer.

While nearly all computer users are alert to the threat from viruses, many are unaware of trojans, which can covertly install themselves via a website or e-mail attachment.

Carole Theriault, senior security consultant at Sophos, an internet security company, said: “Viruses basically had bells and whistles to say ‘we’ve got you’ and spread rapidly around the internet. Trojans are very different. They don’t spread on their own and may not even affect the performance of your computer, but when you go on sites like eBay or check your account online, they can record the keys you press.

“About 70% of the reports of new threats of malicious software are trojans. The people who send them out don’t hit so many computers because they don’t want to make the headlines.”

Theriault said that a firewall and regularly updated anti-virus software would help reduce the threat from trojans, but there was no 100% solution. “It’s like driving a car,” she said. “There’s always a risk. You just have to do everything you can to reduce it.”

One of the problems is that some trojans are not always identified by anti-virus software. One trojan, called A311 Death or Haxdoor, has infected an estimated 35,000 computers worldwide, including 10,000 in Australia.

A warning from the Australian Computer Emergency Response Team stated: “If your computer is already compromised with an input/output monitoring trojan, SSL (encryption) cannot prevent the trojan from capturing web form data, keystrokes, and passwords.”

()

In the UK many people are unaware of the threat. An official Home Office leaflet providing advice on identity theft does not even mention the importance of computer security. The government does, however, support a website, Get Safe Online, which provides information on protecting a home computer.

Despite the warnings and security software available, obtaining personal data stolen from British computers is easy. It is also cheap, with passwords being traded online for as little as £1.

Using an internet Cyrillic keyboard to enter the word “carding” on the Google search engine, a Russian-speaking Sunday Times reporter was presented with an array of sites offering stolen data and bogus identity documents.

One website — called carders0.tripod.com — had a virtual shopping basket of identity fraud, with “buy now” icons next to every item. The products on sale included credit cards — both fake and real — driving licences, travellers’ cheques, fake passports and machines to make credit cards. The site included starter packs for fledgling fraudsters as well.

The same site also offered a service called Rebirth in which visitors were offered the chance to “buy a whole new identity from Britain or Ireland”. Costing £13,000, the package offered a new passport and a birth certificate. The Sunday Times was unable to confirm whether genuine documents would be exchanged for an online payment.

At the lower end of the scale, a range of websites offered stolen data that could be used to access subscription services, pay for goods online or transfer funds. Some of the data are even posted for free as samples to interested buyers. After using the data, one user of www.carder.info commented on the website: “Thanks, found some valid stuff. Put up more.”

The batch of stolen data provided to the reporter included passwords for e-mail accounts, credit card numbers and home telephone numbers of people in Bishop’s Stortford in Hertfordshire, Spalding in Lincolnshire, Blackpool, Hartlepool and Glasgow.

A week after the reporter was given the sample, she was able to retrieve the passwords for the PayPal accounts of 19 Britons from the site. The information would enable fraudsters to gain access to accounts and transfer funds.

The www.carder.info site is registered to 340 Pushkinskaya in Moscow. The house number does not exist. The Russian-based company that hosts the site, Net of National Telecommunications, would not comment last week, but is understood to be in contact with police about any suspected illegal transactions.

Lennart Ehlinger, group security controller for the London-based Unibet, said it was difficult to detect fraudulent use of credit cards if the fraudster was able to provide a security code, number and home address.

A spokesman for Apacs, the UK payments association, said hackers who stole personal information often evaded detection by using a network of foreign websites.

A spokesman for PayPal said its servers were secure, but information on passwords was sometimes compromised by trojan software and “phishing”, which uses spoof websites to obtain user information.

Additional reporting: Mark Franchetti in Moscow

HOW TO STAY SAFE ONLINE

The risks can never be wholly eliminated, but experts recommend: