RSA FraudAction Research Lab has discovered login information for around 300,000 online bank accounts and 250,000 credit- and debit-card accounts, gathered by a cybercrime gang over the past three years using the Sinowal Trojan.
"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog posted on Friday by RSA, EMC's security unit.
The Sinowal Trojan infects a computer without the owner's knowledge, surreptitiously planting itself onto a computer while the owner is surfing the web, in an attack dubbed a 'drive-by download'.
The malicious code is typically hidden on less familiar websites, often related to porn or gambling, but can also be found lurking on legitimate websites, said Sean Brady, manager of identity protection at RSA.
The Trojan is programmed to execute when the victim visits a particular banking or financial website; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the victim's browser, prompting the victim to type in information such as their PIN and Social Security number, which the website itself does not ask for.
The account information has been stolen since at least February 2006, uninterrupted, and includes email and FTP accounts, according to RSA.
The company has alerted law-enforcement bodies and has provided the compromised account information to the financial institutions involved, Brady said in an interview on Thursday.
"This could be a wake-up call for institutions and end users who have ignored the fact that Trojans are out there," he said.
The Sinowal Trojan has had ties to the identity-theft organisation known as the Russian Business Network, but the hosting facilities of the malware appear to no longer be connected to that group, according to RSA.
"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment-card data, and compromising bank accounts, as far back as 2006," the blog post states. "And, in addition to its longevity, Sinowal has also been evolving at a dramatic pace — its rate of attacks spiked upwards from March through September of this year."
