Massive spyware-based identity theft ring involving CoolWebSearch

On edit: Other sources seem to be picking up this story. Additional citatations at bottom of post.


Massive spyware-based identity theft ring uncovered

8/5/2005 11:13:24 PM, by Clint Ecker

Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application—rumored to be called CoolWebSearch—they've discovered that the personal information of those "infected" was being captured and uploaded to a server.

One can only speculate about why someone would do such a thing; the amount of data that could be gathered would almost certainly be daunting for even a few people to sift through and exploit. On the other hand, the researchers at Sunbelt have personally uncovered the personal information of two individuals who, combined, could be taken for well over US$350,000.

The list of stolen information includes not only bank accounts but website passwords, eBay accounts, what sort of adult images you fancy, and, supposedly, even more. The researchers initially had tried in vain to get a hold of someone who could take action on this issue but didn't get a response right away:

We have notified the FBI, but of course no response (too busy doing other more important things). We have notified a few of the parties involved...If anyone has any other ideas, send 'em to us. Right now, we're sitting upon literally thousands of pages of stolen identities that are being used right now.

Good news came today, though, that the FBI had responded and are currently working the case. We've emailed Alex and tried to see if we could get any more details about the whole thing out of him, but at the time of publication, we had not received a response. Hopefully the people who've perpetrated this massive-scale theft of personal data can be quickly caught and brought to justice due to the quick actions of Alex Eckelberry and the researcher who discovered the crime, Patrick Jordan.

More:
http://arstechnica.com/news.ars/post/20050805-5175.html



See also:

Sorted by relevance Sort by date

Because CoolWebSearch Wasn't Sleazy Enough...
BroadbandReports.com, NY - Aug 5, 2005
Anti-Spyware firm Sunbelt Software "stumbled upon" a massive ID theft ring that had been using a CoolWebSearch variant to dump personal info gleaned from
http://www.broadbandreports.com/shownews/66178

Anti-spyware firm warns of massive ID theft ring
NetworkWorld.com, MA - Aug 5, 2005
... research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS), according to ...
http://www.networkworld.com/news/2005/080505-id-theft.html

Spyware 'calling home' volumes soar
Register, UK - Jul 25, 2005
... The firm said malware such as CoolWebSearch, which hides on an infected client using newly developed root-kit architecture, often evades detection
http://www.theregister.co.uk/2005/07/25/spyware_screening/



<snip>

Around October 2004, many mainstream web servers, including major advertising networks, were hacked by a CoolWebSearch affiliate (apparently using security holes in old versions of PHP and/or OpenSSL via Apache). Visitors to these sites were served with exploits that installed CoolWebSearch variants along with other parasites such as BargainBuddy/BullsEye and /Cashback, BookedSpace, HuntBar/WinTools, FavoriteMan/ATPartners, Look2Me/V3, InternetOptimizer, ISTbar/XXXToolbar, /SideFind, /ActiveX and /YSB, nCase, NeoToolbar, PowerScan, SaveNow/VVSN, SearchMiracle, TIBS (dialler), TopConverting, TopMoxie/WebRebates, WildMedia/WMService and WindUpdates/WinAdTools. Previous CoolWebSearch exploits had also installed some of these, as well as Tubby and OnlineDialer/Ole, zombie botnet clients and even internet banking password-stealing trojans.

Other parasites related to CoolWebSearch and often considered part of the same family include Winshow, SuperSpider, SCAgent, SRE and FreshBar.

http://www.doxdesk.com/parasite/CoolWebSearch.html

More:
http://www.doxdesk.com/parasite/CoolWebSearch.html

so how do you detect and rid yourself of these demons?

it's a free download and takes only seconds to run.

like AdAware to get rid of them... Doesn't suprise me in the least to hear this.

and I swear it was loaded on my Logitech mouse software.

mine came with that crap as well... but it was a few years ago, it's long ago been cleaned out. I do recall some persistant garbage that came with the logitech mouse, it may very well have been coolweb.

an option to click "Do you want an E-Bay Tool Bar?" as part of the setup. It came with a dot already in the radio button. I unclicked it and never have had any trouble. Watch out for stuff like this when you install any software.

is a killer anti-spy app. Highly recommended by PC World recently. I tried it and Counterspy found a couple things that neither Spybot, Adaware, or Spy Sweeper found. It's cheaper than Spy Sweeper too:

http://www.sunbelt-software.com/

I had my browser hijacked once upon an insecure time, and have been a bit fanatical about running anti-spy apps ever since...thus the multiple sweepers.