Tough Clampdown

Businesses that spot the Clampi application on one of their computers should be aware that it has probably managed to spread to other parts of their networks.

Security experts have been tracking the Clampi banking Trojan all year; it can steal victims' online banking passwords. They are now realizing that, unlike other Trojans, Clampi is unusually adept at spreading itself from system to system, according to an article published Friday in Brian Krebs' Security Fix column in The Washington Post.

Besides stealing crucial information, Clampi can also download a Microsoft Corp. utility called PsExec that it uses to find new computers on the network to which it can spread.

In August, the Sand Springs, Okla., School District reportedly was hit by Clampi, which sent the agency's online banking credentials to thieves who used the information to create bogus payroll disbursements totaling more than $150,000. The district initially suspected that a single machine was the source of the problem; an investigation found that the computer was infected with Clampi, as were many other machines on the district's network.

Joe Stewart, a researcher at the security company SecureWorks, recently wrote in a paper that Clampi is "one of the largest and most professional thieving operations on the Internet."

Bad Assumption

Some visitors to The New York Times' Web site last weekend got more than just the daily headlines; some readers' computers were also infected with a malicious application that had been hidden in a bogus advertisement.

After complaints from visitors began to emerge, the Times moved quickly to block some of the ads on its site. However, the newspaper's initial attention focused on third parties rather than its own quality-control efforts, and this assumption delayed resolution.

About half the advertisements on the Times' site are provided by third-party ad networks, which the company thought had supplied a "rogue ad," the paper wrote in an article Tuesday. But complaints continued to arrive even after the company blocked these ads.

Instead, it appears that someone managed to impersonate a legitimate advertiser, Vonage, and convinced the Times to publish a new ad, possibly late Friday.

Visitors reported seeing pop-up ads all through the weekend warning that their systems may have been infected with a virus and urging them to buy an anti-virus program, a technique known as scareware.

"Our first instinct was that it was a third-party ad network," Marc Frons, the chief technology officer for The New York Times Co., said in the article. "That is where we looked first and why it took a longer amount of time to shut down."

Because it thought the ads were coming from a known advertiser, the Times did not vet the new campaign, but it said it will no longer permit any advertiser to use unfamiliar third-party vendors.

The Times began warning readers about the problem Sunday; it was unclear how many people had seen the advertisements.


A phishing scam burned a Brunswick, Maine, heating oil company and may have exposed the bank account details of hundreds of customers.

Downeast Energy and Building Supply discovered last week that an employee had been fooled by a phishing e-mail that purported to come from the company's bank, KeyCorp, the Portland Press Herald reported Tuesday. The employee visited a fake Key site and typed in the company's online banking credentials.

Scammers, probably based in Eastern Europe, later used the information to steal as much as $150,000 from the account. Downeast Energy uses the same account to let people pay their bills electronically, giving the criminals access to its customers' names and bank account numbers.

The company mailed letters last week to about 800 customers who might have been affected. Downeast Energy said there is "no chance" it will be able to recover any of the lost money.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.