A Report from the Field

Published: 2006-09-29
Last Updated: 2006-09-29 21:46:52 UTC
by Kevin Liston (Version: 2)
0 comment(s)
Kevin Shea wrote in to report:

Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.

When my signifigant-other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained, by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.

After receiving the report, I had a few questions and I received a prompt follow-up.  What the thieves did with the money was interesting.  Most of the funds were transferred out using one of those services where you can wire cash to people.  I'm not sure if these were wired to other accounts using the intermediary, of it people actually walked up to a counter to retrieve the funds.  They also used funds in this account to purchase background checks at certain people-search/information-broker companies.  Most likely this is an attempt to gather further identities in a way that won't tip-off the broker.

Thanks for the report Kevin, study hard and get good grades next week at SANS Network Security in Las Vegas!  Don't poke your eye out with the antenna in SEC617

UPDATE: For those who do not read daily, the "VML vulnerabilty" refers to:

Keywords: identity theft
0 comment(s)


Diary Archives