More details emerge of Haxdoor hacking victims

More users may have fallen victim to the same cyber attack that exposed the credit card and other details of UK computer users.

The Metropolitan Police force said yesterday that it had been working with US authorities to recover details of UK victims from a compromised computer found to contain confidential and personal information resulting from an Internet-borne attack.

F-Secure's Chief Research Officer, Mikko Hyppönen, said that F-Secure had ‘assisted Metropolitan Police on the case’, and that the stolen information was the ill-gotten gains of a variant of the Haxdoor Trojan.

‘When Haxdoor.AL has infected a PC, it collects anything you type into any web form and sends it to a predefined server. Different variants use different servers,’ he said. ‘Haxdoor, aka A-311 Death, is used by several different attackers and is typically spammed out as an email attachment. It’s not a virus so it doesn’t spread further from the infected machines.’

Hyppönen said that the Met and the US authorities had gained access to one of these servers where the stolen information was sent. ‘[The Met] searched the logs for information that was obviously from UK users and then contacted the ones that they could identify. So the vast majority of the people hit by this one variant have not been informed (and probably never will be),’ he said.
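The kind of search the Met ran over the drop-server logs, as an added example that is not part of the article and is not F-Secure or police tooling: a small triage script over a constructed log. The page does not describe the real Haxdoor log layout, so the `host|path|data` line format with a URL-encoded form body is an assumption, as are the loose patterns used to spot ‘obviously UK’ data (a `.uk` site or address, a UK postcode, a +44 phone number). The script reports, for each flagged record, the reasons and a contact address where one was captured; records that look British but carry no address show why most victims could not be told.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample of a form-grabber drop-server log. The page does not
# describe the real Haxdoor log layout; this host|path|data format, with the
# posted form body URL-encoded, is an assumption made for the example.
SAMPLE_LOG = """\
host=www.examplebank.co.uk|path=/login|data=user=jane.doe%40example.co.uk&pass=hunter2
host=shop.example.com|path=/checkout|data=name=John+Smith&postcode=SW1A+1AA&card=4111111111111111
host=mail.example.com|path=/auth|data=login=bob%40example.com&pw=secret
host=www.example.net|path=/contact|data=email=alice%40example.org&phone=%2B44+20+7946+0000
"""

# Loose heuristics for "obviously UK" data: good enough to triage, not to prove.
UK_EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.uk\b", re.I)
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}\b", re.I)
UK_PHONE = re.compile(r"(?:\+44|0044)\s?\d")


@dataclass
class Record:
    host: str
    path: str
    fields: dict  # decoded form field name -> value


def parse_line(line):
    """Split one log line into host, path and the decoded form fields."""
    parts = dict(kv.split("=", 1) for kv in line.split("|"))
    fields = {name: vals[0] for name, vals in
              urllib.parse.parse_qs(parts["data"], keep_blank_values=True).items()}
    return Record(parts["host"], parts["path"], fields)


def uk_indicators(rec):
    """Return the reasons a record looks like it came from a UK user."""
    reasons = []
    if rec.host.lower().endswith(".uk"):
        reasons.append("site:" + rec.host)
    for value in rec.fields.values():
        if UK_EMAIL.search(value):
            reasons.append("email:" + value)
        elif UK_POSTCODE.search(value):
            reasons.append("postcode:" + value)
        elif UK_PHONE.search(value):
            reasons.append("phone:" + value)
    return reasons


def triage(log_text):
    """Return (host, reasons, contact) for each record with UK indicators.

    contact is the first captured e-mail address, or None when the record
    holds nothing the investigators could write to. Only matched indicators
    are reported, so the passwords and card number in the sample are never
    echoed into the output."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = uk_indicators(rec)
        if not reasons:
            continue
        contact = next((v for v in rec.fields.values() if "@" in v), None)
        hits.append((rec.host, reasons, contact))
    return hits


if __name__ == "__main__":
    for host, reasons, contact in triage(SAMPLE_LOG):
        print(host, reasons, "notify " + contact if contact else "no contact")
```

On the constructed sample three of the four records are flagged; the checkout record is clearly British (a postcode) but captured no e-mail address, so it ends up in the ‘never informed’ pile Hyppönen describes. A real run would also need the log handled as evidence, with secrets left unread wherever the triage does not need them.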

Part of the problem is that there are many Haxdoor variants, because the toolkit that produces them is sold commercially and is easy to edit and modify. ‘A-311 Death is developed by a Russian hacker called “Corpse” (aka Korpsov),’ said Hyppönen. ‘He’s selling a toolkit that people can use to generate rootkit-hidden keyloggers like this one.’

While it’s not clear how the stolen data identified by the Metropolitan Police was being used, Hyppönen said that log files of the data stored on these servers are being traded online. ‘We have seen Haxdoor logs being resold on hacker boards by the megabyte,’ he said, and sent us the accompanying screenshot.

The Met has said it is emailing the UK victims it has identified from the compromised machine held by the US authorities, and is warning UK computer users that the emails will come from the met.police.uk domain and will carry contact details for the detectives on the case.

Even so, that announcement gives an enterprising attacker everything needed for a follow-up campaign aimed at worried UK computer users: the sender address on an email is written by whoever sends it and is easy to spoof, so a message that merely appears to come from met.police.uk proves nothing on its own.

‘I know what you mean,’ said Hyppönen. ‘Then again, I don’t really know what else they could do than try to email the victims. Signing the mails would be nice, but the only signing system in any kind of widespread use would be PGP and most users wouldn’t have it anyway.’
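The spoofing worry raised above and Hyppönen’s point about signing, as an added example that is not from the article, the Met or F-Secure: it shows that any sender can write any `From:` address, and the check a mail filter can make without PGP, using the SPF and DKIM results a modern receiving mail server records in its `Authentication-Results` header (RFC 8601). The two messages are constructed, the receiving server’s authserv-id `mx.example.net` is an assumption, and the rule applied is strict DMARC-style alignment: the `From:` domain must be one the receiver itself authenticated. Genuine mail can only pass such a check if the sending domain publishes SPF or signs with DKIM, which the page does not say anything about.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Two constructed messages as they might sit in a UK user's mailbox. The
# Authentication-Results header is added by the receiving mail server
# (RFC 8601); mx.example.net stands in for that server and is an assumption.
GENUINE = """\
Return-Path: <casework@met.police.uk>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=met.police.uk; dkim=pass header.d=met.police.uk header.s=sel1
From: Met Police <casework@met.police.uk>
To: victim@example.co.uk
Subject: Haxdoor investigation

Your details were found on a seized server.
"""

# Same From: line, but the envelope sender and DKIM tell a different story:
# SPF passed for the spammer's own domain and nothing vouches for met.police.uk.
SPOOFED = """\
Return-Path: <bounce@mail-blast.example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-blast.example.com; dkim=none
From: Met Police <casework@met.police.uk>
To: victim@example.co.uk
Subject: Haxdoor investigation

Please open the attached form to confirm your identity.
"""


def forge_notice(from_addr, to_addr):
    """Any sender can put any address in From:; nothing in the message binds it."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Haxdoor investigation"
    msg.set_content("Please open the attached form to confirm your identity.")
    return msg.as_string()


def from_domain(msg):
    """Domain part of the From: address, lower-cased, or '' if there is none."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authenticated_domains(msg, authserv_id):
    """Domains the receiving server vouched for: dkim=pass header.d=X or
    spf=pass smtp.mailfrom=Y. Only headers stamped with our own authserv-id
    count; a sender can write an Authentication-Results header too, so the
    receiving MTA must strip inbound ones carrying its id (RFC 8601 s. 5)."""
    doms = set()
    for ar in msg.get_all("Authentication-Results", []):
        ar = str(ar).strip()
        if not ar.startswith(authserv_id + ";"):
            continue
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar):
            doms.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", ar):
            doms.add(m.group(1).lower())
    return doms


def from_header_is_trustworthy(raw, authserv_id):
    """True only if the From: domain is one the receiving server authenticated
    (strict alignment, as DMARC would check it)."""
    msg = email.message_from_string(raw, policy=policy.default)
    fd = from_domain(msg)
    return bool(fd) and fd in authenticated_domains(msg, authserv_id)


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED),
                      ("forged", forge_notice("casework@met.police.uk", "victim@example.co.uk"))):
        print(name, from_header_is_trustworthy(raw, "mx.example.net"))
```

The spoofed message is the instructive one: SPF passes, because the spammer's own domain authorised the sending host, but it passes for the envelope sender, not for the `From:` domain the victim sees. Checking the visible address against what the receiver actually authenticated is what turns ‘it says met.police.uk’ into something a filter can act on.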
