NEW YORK (11/7/08)--The log-ons to more than a half million bank, credit and debit card accounts have been stolen over the past two-and-a-half years by a single cyber crime group using a Trojan horse spyware that "morphs" to avoid detection. News Now could not determine whether these included credit union members' accounts. Researchers at RSA Security Inc.'s FraudAction Research Lab discovered the stolen data while they were tracking the Sinowal Trojan horse, also known as Mebroot and Torpig. They tracked the spyware to a drop server that contained the stolen data (Computerworld Oct. 31). RSA investigators found more than 270,000 online banking account credentials, plus about 240,000 credit and debit account numbers and other personal information lifted from Microsoft Windows PCs (WashingtonPost.com Oct. 31). According to Sean Brady, product marketing manager at RSA's ID and access assurance group, the length of time the spyware has been maintained by a single group and the scale of the theft is "very unusual." The Trojan horse malware has been active since at least February 2006. Once on a system, the malware waits for the user to enter the address to an online bank, credit card company site or another financial URL. It then substitutes a fake address. The malware is triggered by more than 2,700 specific Web addresses, a much larger number than other Trojan horses, said Brady. The fake sites collect the log-on usernames and passwords to banks and other financial institutions. They trick users into disclosing information legitimate financial institutions would never collect online, such as Social Security numbers. They transmit the pilfered data to the drop server. RSA Security said it suspected the group responsible is based in Russia. The malware was distributed globally, but Russia was the one region that had no infections.