Smash hit

Stolen data offered on foreign websites is usually obtained from hacking into the database of an online company to obtain customers’ details or from infiltrating a personal computer.

While nearly all computer users are alert to the threat from viruses, many are unaware of trojans, which can covertly install themselves via a website or e-mail attachment.

Carole Theriault, senior security consultant at Sophos, an internet security company, said: “Viruses basically had bells and whistles to say ‘we’ve got you’ and spread rapidly around the internet. Trojans are very different. They don’t spread on their own and may not even affect the performance of your computer, but when you go on sites like eBay or check your account online, they can record the keys you press.

“About 70% of the reports of new threats of malicious software are trojans. The people who send them out don’t hit so many computers because they don’t want to make the headlines.”

Theriault said that a firewall and regularly updated anti-virus software would help reduce the threat from trojans, but there was no 100% solution. “It’s like driving a car,” she said. “There’s always a risk. You just have to do everything you can to reduce it.”

One of the problems is that some trojans are not always identified by anti-virus software. One trojan, called A311 Death or Haxdoor, has infected an estimated 35,000 computers worldwide, including 10,000 in Australia.

A warning from the Australian Computer Emergency Response Team stated: “If your computer is already compromised with an input/output monitoring trojan, SSL (encryption) cannot prevent the trojan from capturing web form data, keystrokes, and passwords.”

()

In the UK many people are unaware of the threat. An official Home Office leaflet providing advice on identity theft does not even mention the importance of computer security. The government does, however, support a website, Get Safe Online, which provides information on protecting a home computer.

Despite the warnings and security software available, obtaining personal data stolen from British computers is easy. It is also cheap, with passwords being traded online for as little as £1.

Using an internet Cyrillic keyboard to enter the word “carding” on the Google search engine, a Russian-speaking Sunday Times reporter was presented with an array of sites offering stolen data and bogus identity documents.

One website — called carders0.tripod.com — had a virtual shopping basket of identity fraud, with “buy now” icons next to every item. The products on sale included credit cards — both fake and real — driving licences, travellers’ cheques, fake passports and machines to make credit cards. The site included starter packs for fledgling fraudsters as well.

The same site also offered a service called Rebirth in which visitors were offered the chance to “buy a whole new identity from Britain or Ireland”. Costing £13,000, the package offered a new passport and a birth certificate. The Sunday Times was unable to confirm whether genuine documents would be exchanged for an online payment.

At the lower end of the scale, a range of websites offered stolen data that could be used to access subscription services, pay for goods online or transfer funds. Some of the data are even posted for free as samples to interested buyers. After using the data, one user of www.carder.info commented on the website: “Thanks, found some valid stuff. Put up more.”

The batch of stolen data provided to the reporter included passwords for e-mail accounts, credit card numbers and home telephone numbers of people in Bishop’s Stortford in Hertfordshire, Spalding in Lincolnshire, Blackpool, Hartlepool and Glasgow.

A week after the reporter was given the sample, she was able to retrieve the passwords for the PayPal accounts of 19 Britons from the site. The information would enable fraudsters to gain access to accounts and transfer funds.

The www.carder.info site is registered to 340 Pushkinskaya in Moscow. The house number does not exist. The Russian-based company that hosts the site, Net of National Telecommunications, would not comment last week, but is understood to be in contact with police about any suspected illegal transactions.

Lennart Ehlinger, group security controller for the London-based Unibet, said it was difficult to detect fraudulent use of credit cards if the fraudster was able to provide a security code, number and home address.

A spokesman for Apacs, the UK payments association, said hackers who stole personal information often evaded detection by using a network of foreign websites.

A spokesman for PayPal said its servers were secure, but information on passwords was sometimes compromised by trojan software and “phishing”, which uses spoof websites to obtain user information.

Additional reporting: Mark Franchetti in Moscow

HOW TO STAY SAFE ONLINE

The risks can never be wholly eliminated, but experts recommend:

Explore UK News

• Crime News

• Education News

• Health News

• Scotland News

Times Recommends

• Times Christmas appeal: Letter from the Editor
• Conferences — what a waste of money
• Schools supremo learns a painful lesson