  #1  
08-09-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
CWS getting even nastier..


Identity Theft Ring Discovered By Spyware Researcher


Get a good grip on your chair because this story might knock you right out of it. I've just finished picking myself up off the floor after reading about this.

While investigating a new mutation of the CoolWebSearch trojan, a Sunbelt researcher was astounded to discover that it was being used for identity theft. All manner of personal information is being uploaded to a publicly-viewable web server, including eBay passwords, Paypal passwords and passwords for bank accounts worth hundreds of thousands of dollars. Anyone who knows this web server's IP address can view all of this information!

After initially rebuffing Sunbelt when they first made contact, the FBI now is said to be investigating the matter. Sunbelt also has tried contacting some of the victims of this identity theft.

CoolWebSearch is a particularly nasty browser hijacker with countless variations. They have hundreds, possibly thousands, of affiliated web sites who all feed traffic into coolwebsearch.com. Many of those affiliates use exploits for various flaws in Windows and Internet Explorer to install browser hijackers.

The motivation behind all of this, of course, is money. Coolwebsearch.com is nothing more than a collection of paid listings. If someone clicks the links on their web site, they are paid a small commission from the owner of the site being linked. In turn, CoolWebSearch pays their affiliates to drive traffic to their site.

They almost always have used unethical and possibly illegal methods to install this hijacking software. This is the first time, to my recollection, that they or one of their affiliates have done something so blatantly illegal. I have been practically begging the FTC to investigate CWS for well over a year. Although I am saddened that so many people have been victimized by this crime, I am glad that CoolWebSearch finally will be investigated for their activities.

From:

http://www.spywareinfo.com/newslette.../2005/aug7.php


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #2  
08-09-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
Re: CWS getting even nastier..


Some more info:


Financial Passwords and Credit Card Numbers Stolen From Thousands of Machines

There is more information about the identity theft operation I reported late Saturday.
============================================================

Patrick Jordan, a researcher for Sunbelt, maker of Counterspy antispyware, made the discovery while investigating a new variant of the CoolWebSearch browser hijacker. After this variant was running on his test machine, Jordan discovered that it had downloaded and installed surveillance spyware.

This as-yet-unidentified spyware logs instant message and other chat activity, the web addresses visited by the victim, user names and passwords the victim uses to log into various web sites, as well as information filled out on web site forms. The spyware also accesses Microsoft's Internet Explorer "Protected Storage", which is where Internet Explorer stores information and passwords entered into web forms.

Once this information has been collected, it is transmitted to a remote web server over the internet. Once transmitted to the server, the information is dumped into an unencrypted file. Anyone who knows the address of this server can view this file. One bank account, whose complete access information has been stored on this remote server, is worth over $350,000.00 USD.

The personal information of thousands of victims is being written to this file on a continuing basis. Sunbelt has been monitoring the file and has discovered that the information it contains is being compressed and archived at regular intervals. The file then is reset to blank so that more information can be written to it.

It is not, as was first reported here and elsewhere, the CoolWebSearch software itself that is stealing this personal information. Rather, the spyware is downloaded and installed by this particular variant of CWS after it is running on the victim's machine. There are two known versions of this spyware. It is unknown at this time whether CoolWebSearch.com or the affiliate responsible for this variant have access to the spyware or the information that it is collecting.

The FBI as well as the US Secret Service are investigating. Neither organization will comment on the matter.

If you suspect that you have this spyware installed, you are urged to install a firewall immediately, then block all outbound access to the internet. Kerio and ZoneLabs both make excellent software firewalls. Then you should contact your bank and credit card companies. Following that, log in from an uninfected machine and change all passwords on web sites where you have an account.

If you determine for a fact that this or any other spyware is installed on your computer and that your financial accounts have been compromised, you should contact your local police department. They should put you in contact with any Federal agency investigating the crime.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #3  
08-09-2005
merlin
Trusted Security Analyst
Join Date: Jul 2005
Location: Wisconsin
Posts: 2,616
PC Experience: Computers Fear Me
Re: CWS getting even nastier..

This is why people need to read the fine print when they download stuff!! And if you're using spyware apps, make sure to let them know to block known adv. sites!




  #4  
08-09-2005
Spaceman3750
Elite Member
Join Date: Jan 2004
Location: Riverton, IL, USA
Posts: 1,476
PC Experience: Very Experienced
Re: CWS getting even nastier..

Wow! I'm using FireFox, so I am not at much of a risk for giving our computer CW, but my mom uses IE, although she does not download anything, can she still pick it up on accident?


__________________
- Ryan
http://www.spaceman3750.info
http://www.conglomerate-game.net

Cisco Academy - CCNA student
  #5  
08-09-2005
ladygreenwitch
HR Director
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,778
PC Experience: PC Illiterate
Re: CWS getting even nastier..

Joe,
I don't know what is scarier, the CWS or the fact that the FBI and Homeland Security won't comment on how bad it is...

Hey Space,
I am not sure about CWS; however, yes, just surfing, your mother could potentially be infected. That's why using the tools is sooooooo important; some of these rotten little monsters install themselves without asking (how rude).

But it sounds as if you are all using the same PC, and you know to have the firewall up, and the Spyware and AV updated, so she should be OK.

I use IE and now that Joe and Merlin have shown me the error of my (gulp) firewall-free days, I haven't had a problem.

So Guys, is CWS one of those scary monsters that can install without your help?? Inquiring minds want to know...

TTFN

T


  #6  
08-09-2005
Spaceman3750
Elite Member
Join Date: Jan 2004
Location: Riverton, IL, USA
Posts: 1,476
PC Experience: Very Experienced
Re: CWS getting even nastier..

Yah, I have Norton Firewall 2003 (don't tell me it is time to update, I know...) and Norton AntiVirus 2003, plus I use AdAware Personal, Spybot Search & Destroy, and Ewido (thanks for that one Merlin). I have the same security going on my Aunt's computer (I am responsible for her computer maintenance and security, plus I got her to get FireFox for if/when she drops AOL *gasp, AOL* off of her high-speed connection) except she has Norton Internet Security 2005 (she really should have gotten the two separate, but I didn't realize she had gotten that, or I probably would have let her know).


__________________
- Ryan
http://www.spaceman3750.info
http://www.conglomerate-game.net

Cisco Academy - CCNA student
  #7  
08-09-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
Re: CWS getting even nastier..

Originally Posted by tjnbarbour:

"So Guys, is CWS one of those scary monsters that can install without your help?? Inquiring minds want to know..."

"Wow! I'm using FireFox, so I am not at much of a risk for giving our computer CW, but my mom uses IE, although she does not download anything, can she still pick it up on accident?"

CoolWebSearch hijackers are invariably installed by exploitation of a wide variety of web browser security holes, the vast majority (but not all) of which target Internet Explorer and its MS Java virtual machine.
from:
http://www.doxdesk.com/parasite/CoolWebSearch.html


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

