• PC World
• »Security

Your Stolen Data Free on the Web

Danger level: High | Likelihood: Medium | Target: Windows users

It's bad enough when one crook uses a keylogger to steal your bank log-in and passwords. It's much, much worse to have all of your sensitive information sitting in an unprotected FTP site, open to anyone who happens across it.

Unfortunately, that is exactly what security researchers have started seeing over the past year.

Alex Eckelberry of antispyware firm Sunbelt Software showed me one such FTP server that his company had found while investigating a keylogger that wasn't even particularly widespread. The server, based in Washington, D.C., was packed with nearly a gigabyte of credentials stolen during the month of April.

Not only do keyloggers capture anything you type, they can take screen shots of your PC's display, and they can glean data from the Windows Protected Storage area, which is the place where Internet Explorer stores its saved passwords.

One of the log files on the FTP server held pilfered passwords for a number of U.S. banks and for Buy.com, along with Yahoo, Hotmail, and other e-mail account user names and passwords, plus account details for online casinos and a host of other sites. The danger is international: The log records were in myriad languages--German, Spanish, Hungarian, Turkish, and Japanese, among others--and it held IP addresses that pointed to infected computers scattered around the world.

When his company discovered the first cache of keylogger data more than a year ago, Eckelberry says he alerted the banks and companies whose credentials had been scavenged by the logger.

Tim Brown, owner of Kingdom Sewing & Vacuum in Northridge, California, was one recipient of such a call from Sunbelt. He figures that his bank log-in was lifted by a keylogger when he was on a trip to Costa Rica and used a hotel computer To check his account. But his home computers weren't safe, either: "I didn't have any antivirus or spam blockers on my computers," he says. "I do now."

Brown was relatively lucky: He was notified before anyone had used his stolen data, and he immediately changed his account information to protect himself.

Thousands of other potential victims may not be that fortunate. And these days, Sunbelt is uncovering so many data vaults that it can't handle the sheer volume of stolen credentials, so it has stopped contacting individuals and simply reports what it finds to the FBI.

With this much data available, there has been no rush to create new keyloggers, says Sunbelt's Eric Sites. According to the Anti-Phishing Working Group, a business and law enforcement association, there were 180 unique keylogger programs in April, far more than the 77 found in April of last year but a slight drop from the three months prior.

Sites concludes that the maturing malware business is focusing its attention on efficiently processing its cornucopia of stolen information. "The collection and sorting and manipulation of keylogger data [are] getting dropped into SQL databases," he says. "Then [the criminals] can churn through the data to find what they're looking for. Those back-end systems are incredibly complex."