Server with stolen logins detected
23rd August 2004 (The Star)
By RASLAN SHARIF

PETALING JAYA: A computer server has been found storing confidential account login details of Internet users in several countries, including Malaysia.

The usernames and passwords for online banking, Internet access, and online entertainment service accounts - one each - belonging to Internet users in Malaysia were found on the server, according to the Malaysian Computer Emergency Response Team (MyCERT).

MyCERT (www.mycert.org.my) was alerted to the finding last week by its Australian counterpart AusCERT, which also reported that the server held similar information belonging to users in Australia and other countries besides Malaysia.

The information is believed to have been gathered from machines infected by the PWSteal.Banker.B computer virus.

MyCERT acted quickly to prevent further damage after receiving the report from AusCERT, an official said.

"We immediately alerted the respective parties, and they closed down the affected accounts within minutes of being informed," MyCERT manager Solahuddin Shamsuddin told In.Tech last week.

However, no police report was lodged "as we did not have the relevant information on the server, such as its IP (Internet Protocol) address, location or its administrator," he said, adding that it was not known if the server has been closed down, or if authorities in the other countries involved have taken any action.

It is also unclear whether one or more users in Malaysia were affected, or if the service providers concerned have informed them. MyCERT does not give out detailed information on parties affected by Internet abuse.

While only three accounts were compromised, Solahuddin said the breach was still a concern.

"We believe it is serious," he said. "Users should be very concerned (as well) as the impact could be severe."

The PWSteal.Banker.B trojan, which harvests usernames and passwords, spreads in the guise of legitimate software such as free games, movies, or attachments.

Users normally download it unwittingly from online archives, or peer-to-peer file exchanges via services such as IRC, instant messaging and Kazaa, according to MyCERT.

The trojan, which is capable of updating itself, affects computers that run Microsoft Corp's Windows operating system, from Windows 95 and up.

"Users need to take the proper measures to secure their accounts," said Solahuddin.

This includes creating strong passwords that comprise a combination of letters, numbers and other characters, and regularly changing them, he added.

He also encouraged users to monitor their accounts for suspicious activities, and to scan their machines for viruses and spyware before changing their usernames and passwords.