Victims don't see where their stolen data end up. But sometimes security researchers do, stumbling across stolen-data troves that offer a glimpse of what identity theft looks like from the criminals' perspective.
Researchers from U.K.-based security firm Prevx found one such trove, a Web site used as a stash house for data from 160,000 infected computers before it was shut down this month.
The find offers a case study on just how much data criminals are stealing every day, from the utterly inconsequential to the alarmingly private.
It also shows the difficulty in shuttering criminals' ID-theft beachheads: The Web site that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.
The victims in the Prevx find are mostly everyday people handing over their passwords for Facebook and banking sites, along with their love notes and other e-mails. But more dangerous personal information is there, too, including Social Security numbers and other account information from one bank's infected computer.
Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected Web sites or heavily fortified servers. Prevx's researchers were able to infiltrate this site because it was protected with poor encryption.
In that sense, the find illustrates how even sloppy crooks can vacuum up enormous amounts of information through massive “botnets” – armies of infected computers formed by spreading a computer virus that orders compromised machines to phone home for further instructions, such as sending out spam or relaying passwords.
The botnet Prevx found was only harvesting data, though Prevx said it could have been upgraded to do other things.
Ordinary Internet sessions are logged in great detail. One Southern California 22-year-old could be seen registering a domain name with GoDaddy.com, changing his Yahoo e-mail password and ordering a meal online from Pizza Hut. His credit card number, birth date, telephone number, address and passwords are now all in criminals' hands, though it's unclear what, if anything, criminals have done with the information yet.
Some victims are gold mines for sensitive data. An infected computer at a Georgia bank exposed customer details and credentials for the bank's wire-transfer system. Bank employees were checking e-mail, looking up BMWs and Infinitis and working with customers' accounts on the same infected machine.
Government computers were also hit, including one in Texas that coughed up Web site logins for one of the government's health care providers, and another in North Carolina that revealed access to an agency's human resources system.
“This is giving criminals the keys to the castle,” said Prevx's director of malware research, Jacques Erasmus. “Once they're into this system, it might not seem at this point like it's the biggest data heist ever, but this is how they get into a network. This is their game – they do this every day.”
Researchers who discover these stolen-data caches then have to figure out what to do with them. Notifying victims is time-consuming and difficult, and researchers tend to focus on trying to get service providers to deactivate the servers before criminals get to the data on them.
Prevx said it alerted the site's Internet provider, the FBI and U.K. authorities about the breach it discovered. The company also talked to the affected bank, Doraville, Ga.-based Metro City Bank, a community bank whose Web site lists four locations, and Prevx said the bank has removed the infected computer.
One customer – Yoon-Kee Hong, a 22-year-old college student from Suwanee, Ga. – had signed up for an account with Metro City Bank just a month before learning about the breach. He said he had not been alerted by the bank that his Social Security number and other personal details were stolen.
After being told about the breach by The Associated Press, which picked his name from the files provided by Prevx, the student said he planned to cancel his account.
“I cannot trust them any more,” he said. “They're not doing what they're supposed to do. They didn't even notify me. It's like they're trying to hide it from their customers.”