ATLANTA — Sitting on computers in China and the United States are the fruits of the labors of fraudsters using particularly insidious new Trojans to swipe data that include account and Social Security numbers, user names and passwords and even the answers to challenge questions such as mothers' maiden names.
Researchers from SecureWorks say that in the past few weeks they have discovered caches of such stolen data harvested from more than 10,000 corporate and home PC users.
According to SecureWorks, one group of hackers claimed 6,000 victims in a single attack; the data stolen from them is apparently sitting on a server hosted in China, with data on another 2,000 victims on a server belonging to a major American Web hosting company, SecureWorks says.
"A vast majority of the victims appear to be based in the U.S.," says Allen Wilson, vice president of research at the Atlanta-based provider of online security services to credit unions, banks and other institutions.
Some of those accounts are apparently from credit unions, the company says, although none are from credit unions served by SecureWorks, which says it already had counter-measures in place against the Trojan, which has been dubbed Prg.
The Prg Trojan first showed up in October. Several new variants have emerged recently, infecting the computers of end users who click on malicious links in e-mails or open infected attachments.
The Prg variants apparently share the ability to copy sensitive data out of Windows internal memory buffers before the browser encrypts it and sends it to SSL-protected Web sites, so the protection the padlock promises is bypassed on the victim's own machine.
"The data being stolen includes any sensitive information that a user would normally feel safe entering into a Web site because the browser 'padlock' icon indicates that it's protected by SSL," says SecureWorks researcher Don Jackson.
"However, because of the way this Trojan copies the data before encryption, any data sent to any secure Web site is easily stolen and sent directly to the computer run by these cyber criminals," Jackson says.
SecureWorks says it immediately notified its research partners and law enforcement when it discovered the apparent caches of stolen data.
"We have an extensive network of contacts with security officers at various banks and credit unions across the country, so we definitely reach out to those contacts should they have infected members or employees, notifying them and working with them to identify the Trojan and help them clear it off their computers and make them safe," Wilson says.
"We also contact law enforcement and they contact the victims, unless we let them know we already have contacts within the organization," the SecureWorks vice president says.
The Trojan and its construction kit are being sold through underground forums and distributed in various ways, including by e-mails with such subject lines as "HAPPY FATHER'S DAY–someone special has sent you a greeting." (That particular come-on came from fraudsters using an IP address in Russian IP address space, SecureWorks says.)
Some groups are also naming their attacks after cars, such as "Ford" and "Mercedes," as they exploit vulnerabilities in Windows and Internet Explorer and test anti-virus vendors' ability to stop them.
What also makes the Prg Trojan so dangerous is the way it hides from anti-virus software, combined with the hackers' ability to rapidly launch new variants of the attack, Jackson says.
"Using the construction kit, the Prg Trojan code is recompiled to hide its 'genetics,' and the executable file is processed with a new compression and anti-forensic utility called a 'packer,'" the SecureWorks researcher says.
The newer variants are also more configurable, he says, and the fraudsters have figured out ways to encrypt the stolen data, both to keep other thieves from stealing it and to hide it from the analysis tools widely used by white hats.
The hackers also are apparently using staging servers that allow them to quickly release a new variant of the Prg Trojan each time anti-virus software begins to detect the latest executable, Jackson says.
"Having undetectable variants available to be launched at a moment's notice makes it very difficult for the anti-virus vendors to keep up," he says.
"The hackers are literally infecting thousands of users with a particular variant and once that version of the Trojan is blocked by anti-virus, they simply launch a new one in its place," he says.
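The repack-and-redeploy cycle described above works because each pass through a packer changes every byte of the executable, so file hashes and byte signatures written for the previous variant no longer match. One defender-side heuristic that survives that cycle is to look at what packing does to the file rather than at which bytes it contains: a compressed or encrypted section has near-uniform byte frequencies, and its Shannon entropy approaches 8 bits per byte, whereas ordinary compiled code sits well below that. The script below is an added example written for this page, not SecureWorks' code and not derived from any Prg sample. It parses a PE section table with only the standard library, computes per-section entropy, and flags sections above a threshold. The PE image it examines, the section names ".text" and "UPX1", their contents and the 7.0 threshold are all constructed or assumed here so that it runs offline.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section listed in a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                # section table follows it
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]          # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr_raw: ptr_raw + size_raw]


def packed_sections(pe: bytes, threshold: float = 7.0):
    """Return [(name, entropy)] for sections whose entropy is at or above the threshold.

    The 7.0 bits/byte cut-off is an assumed triage value, not a figure from the article;
    tune it against known-good binaries in your own environment."""
    hits = []
    for name, raw in parse_sections(pe):
        h = shannon_entropy(raw)
        if h >= threshold:
            hits.append((name, round(h, 2)))
    return hits


def build_sample_pe(sections):
    """Build a minimal, non-executable PE container around [(name, bytes)].

    Only the fields parse_sections reads are populated; there is no optional header."""
    e_lfanew = 0x40
    size_opt = 0
    hdr_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0)
    table, body, offset = b"", b"", hdr_len
    for idx, (name, raw) in enumerate(sections):
        table += name.ljust(8, "\0").encode("ascii")
        table += struct.pack("<IIII", len(raw), 0x1000 * (idx + 1), len(raw), offset)
        table += b"\0" * 16                                      # remaining header fields unused
        body += raw
        offset += len(raw)
    return dos + b"PE\0\0" + coff + table + body


# Constructed sample (not a real malware file): a code-like, repetitive ".text" section
# next to a section of fixed-seed pseudo-random bytes standing in for packed payload.
_rng = random.Random(1337)
SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 200),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for name, raw in parse_sections(SAMPLE_PE):
        print(f"{name:8s} {len(raw):6d} bytes  entropy={shannon_entropy(raw):.2f}")
    print("suspect sections:", packed_sections(SAMPLE_PE))
```

Entropy alone does not identify a specific family, and legitimate installers and self-extracting archives also score high, so treat a hit as a reason to sandbox or unpack the file rather than as a verdict. Its value against the tactic the article describes is that it does not depend on recognising any particular variant.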
Wilson says no SecureWorks clients were attacked by the Prg Trojan, "and we protect a lot of credit unions."
"But not every credit union is a client," the SecureWorks vice president says.
And more attacks can be expected.
"The truth is, nobody knows how many people purchased the Trojan code, how many attacks are under way and how many are planned," Jackson says.
"Meanwhile, corporate PCs and home PC users are bleeding sensitive information by the gigabyte," the SecureWorks researcher says.
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.