A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. It was unearthed by researchers at RSA's FraudAction Research Lab. They say the program, which is also known as Torpig and Mebroot, has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," RSA researchers wrote.

What's more, Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.

In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials.

Sinowal is impressive for other reasons as well. Unlike many trojans, it doesn't rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple's QuickTime media player.

"This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed," Sean Brady, manager of identity protection at RSA, said in an interview.

It then hides itself on a computer's master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.

Brady said RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.

Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website's login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.

Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia. ®

Related stories

• Malware burrows deep into computer BIOS to escape AV (14 September 2011)

  https://www.theregister.com/2011/09/14/bios_rootkit_discovered/

• Finnish police raids target virtual thieves (2 June 2010)

  https://www.theregister.com/2010/06/02/habbo_hotel/

• Feds investigate theft of $3m from NY school (5 January 2010)

  https://www.theregister.com/2010/01/05/school_district_bank_theft/

• Next-gen Trojan rewrites bank statements (1 October 2009)

  https://www.theregister.com/2009/10/01/next_gen_bank_trojan/

• Trojan zaps banking credentials via IM (27 August 2009)

  https://www.theregister.com/2009/08/27/zeus_adopts_instant_messaging/

• Cybercrime server exposed through Google cache (23 March 2009)

  https://www.theregister.com/2009/03/23/cache_exposes_cybercrime_data/

• Crackers latch onto year-old Windows token vuln (18 March 2009)

  https://www.theregister.com/2009/03/18/windows_token_vuln/

• Adobe Flash vulnerable to remote-execution exploit (24 February 2009)

  https://www.theregister.com/2009/02/24/adobe_flash_vulnerability/

• Trio indicted over Trojan brokerage scam (8 December 2008)

  https://www.theregister.com/2008/12/08/trojan_brokerage_scam/

• Green Hills spins out military Integrity for masses (5 December 2008)

  https://www.theregister.com/2008/12/05/green_hills_integrity_spinout/

• MPs (finally) debate cybercrime (7 November 2008)

  https://www.theregister.com/2008/11/07/mps_debate_cybercrime/

• Man cops to $1m phony bar code shoplifting scheme (4 November 2008)

  https://www.theregister.com/2008/11/04/phony_upc_theft_scheme/

• Security researchers lift the lid on Torpig banking Trojan (31 October 2008)

  https://www.theregister.com/2008/10/31/torpig_banking_trojan/

• Excuse me sir: there's a rootkit in your master boot record (9 January 2008)

  https://www.theregister.com/2008/01/09/mbr_rootkit/

• Kaspersky: Maxtor markets password-pilfering Dutch disk drives (19 September 2007)

  https://www.theregister.com/2007/09/19/maxtor_harddrives_include_virus/

• The return of the ransom-ware Trojan (19 July 2007)

  https://www.theregister.com/2007/07/19/ransomware_trojan/

• 0wning Vista from the boot (26 April 2007)

  https://www.theregister.com/2007/04/26/vbootkit_authors_interview/

• Hackers debut malware loaded USB ruse (25 April 2007)

  https://www.theregister.com/2007/04/25/usb_malware/