Repatriation of data stolen by malware to affected parties

This page explains why AusCERT has contacted your organisation and how AusCERT obtains information captured by malware.

Why has AusCERT contacted your organisation?

For example, once an affected party has been notified of an attack, they can take steps to reduce the risk of identity theft or unauthorised access to their online accounts, and/or remove the malware from the affected computer, as appropriate.

Your organisation has been contacted because it is in a position to directly contact the affected party.

I'm impatient, send me straight to the FAQ

The visual overview:

The diagram explains how the data is generally captured (stolen) by the malware (malicious software). Malicious software is more commonly known as a virus, trojan or worm. The victim's computer has been infected with malware.

1. A user, with a computer infected with malware, visits a web site such as ours, www.auscert.org.au
2. The user submits information to the web page/site, such as:
   • Usernames and passwords
   • Credit card and expiry date
   • Name and address
   • Phone numbers
3. The criminal uses the information captured by the malware for fraudulent purposes.
4. AusCERT finds the location of the malware logging server through one of two methods:
   • analysis of malicious software; or
   • reports from trusted third parties of a "logging" site
5. We obtain a copy of the compromised (stolen) data;
6. We send a request to the party who owns or is responsible for the computer where the logging server is hosted, for the data to be deleted and the server to be fixed.
7. We use an automated tool to parse the data and split it into one file per domain; and
8. We send the file to the domain owners.

Note that while the malware may capture a range of information from each compromised computer, only information that relates to a particular domain will be passed to the domain owner. For example, let's say a computer is compromised with malware that captures information and sends it to a logging server. The computer may be used by one or more people with multiple online accounts per person. Let's say one of those users has three online accounts relating to different sites (or domains). One account could be for an email domain; one account could relate to their online banking domain - another could be related to a social networking site. So the captured information will be broken up and sent to the appropriate domain.

Here are the most frequently asked questions:

1. Who are you?
AusCERT is the Australian Computer Emergency Response Team, a not-for-profit information security group based at the University of Queensland. We provide assistance to Australian organisations to help mitigate Internet based attacks directed towards their computer networks and/or Australian based Internet users. However, we invariably repatriate data of this nature to any domain owner (regardless of whether they are Australian or not), where we have a suitable contact.

3. What does this mean?
The information captured by the malware which we pass to you relates to a visitor to your web site and possibly a customer, client, or registered/authenticated user of your site. The information captured by the malware varies. It may include search data from web forms; personal identifying information accessed or submitted via web forms; credit card information; bank accounts details; the username and password. Information captured by the trojan bypasses any form of encryption. All the information captured by the malware is generally regarded as sensitive to varying degrees and can be used to steal your customer’s money or their identity.

Very occasionally, the information captured by the malware has been captured from a client computer within your network, or from an external computer with trusted access to your internal network.

While the person viewed, submitted or accessed information from your web domain, the malware captured this information and sent it to a logging server set up for that purpose by the criminal behind the attack. The data we have provided to you was obtained from the malware logging server.

• analysis of malicious software (trojans and viruses)
• reports from trusted third parties of a "logging" site

6. What is a malware logging site?
A malware logging site is a remote computer that is set up by the criminal to receive information captured by a malicious program (trojan or virus) from a client computer.

7. What should I do?
We only send relevant data to each owner of a domain. For example, information relating to auscert.org.au will only be sent to auscert.org.au.

Your organisation has been contacted because it is in a position to directly contact the affected party.

When advising them to change passwords, it is important they do so only from a computer that is not believed to be already compromised with malware. The Stay Smart Online factsheet on Understanding password security provides advice when passwords have been captured by malware.