copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


Compromised Account Details and Logging FAQ

Date: 16 August 2010

Click here for printable version

Repatriation of data stolen by malware to affected parties

This page explains why AusCERT has contacted your organisation and how AusCERT obtains information captured by malware.

Why has AusCERT contacted your organisation?

AusCERT notifies web site owners when their customers have had information captured by malware. This allows the web site owner to contact their customers so they may take mitigation action. While the data stolen may already have been captured by the criminal behind the malware attack, the harm can be reduced by notifying the affected party that the attack occurred and letting them know about the type of information that has been captured.

For example, once an affected party has been notified of an attack, they can take steps to reduce the risk of identity theft or unauthorised access to their online accounts, and/or remove the malware from the affected computer, as appropriate.

Your organisation has been contacted because it is in a position to directly contact the affected party.

I'm impatient, send me straight to the FAQ

The visual overview:

The diagram explains how the data is generally captured (stolen) by the malware (malicious software). Malicious software is more commonly known as a virus, trojan or worm. The victim's computer has been infected with malware.

  1. A user, with a computer infected with malware, visits a web site such as ours,
  2. The user submits information to the web page/site, such as:
    • Usernames and passwords
    • Credit card and expiry date
    • Name and address
    • Phone numbers
  3. The criminal uses the information captured by the malware for fraudulent purposes.
  4. AusCERT finds the location of the malware logging server through one of two methods:
    • analysis of malicious software; or
    • reports from trusted third parties of a "logging" site
  5. We obtain a copy of the compromised (stolen) data;
  6. We send a request to the party who owns or is responsible for the computer where the logging server is hosted, for the data to be deleted and the server to be fixed.
  7. We use an automated tool to parse the data and split it into one file per domain; and
  8. We send the file to the domain owners.

Note that while the malware may capture a range of information from each compromised computer, only information that relates to a particular domain will be passed to the domain owner. For example, let's say a computer is compromised with malware that captures information and sends it to a logging server. The computer may be used by one or more people with multiple online accounts per person. Let's say one of those users has three online accounts relating to different sites (or domains). One account could be for an email domain; one account could relate to their online banking domain - another could be related to a social networking site. So the captured information will be broken up and sent to the appropriate domain.

Frequently Asked Questions

Here are the most frequently asked questions:

1. Who are you?
AusCERT is the Australian Computer Emergency Response Team, a not-for-profit information security group based at the University of Queensland. We provide assistance to Australian organisations to help mitigate Internet based attacks directed towards their computer networks and/or Australian based Internet users. However, we invariably repatriate data of this nature to any domain owner (regardless of whether they are Australian or not), where we have a suitable contact.

3. What does this mean?
The information captured by the malware which we pass to you relates to a visitor to your web site and possibly a customer, client, or registered/authenticated user of your site. The information captured by the malware varies. It may include search data from web forms; personal identifying information accessed or submitted via web forms; credit card information; bank accounts details; the username and password. Information captured by the trojan bypasses any form of encryption. All the information captured by the malware is generally regarded as sensitive to varying degrees and can be used to steal your customerís money or their identity.

4. Am I infected?
No, we are not saying that your web site (or the domain you manage) has a virus or is distributing malware. Rather, a person with an infected client computer has visited your web site, often with authenticated access to your domain, and the malware captured the information from the infected client computer.

Very occasionally, the information captured by the malware has been captured from a client computer within your network, or from an external computer with trusted access to your internal network.

While the person viewed, submitted or accessed information from your web domain, the malware captured this information and sent it to a logging server set up for that purpose by the criminal behind the attack. The data we have provided to you was obtained from the malware logging server.

5. How do you obtain the information?
We obtain the information through one of two means, which are:
  • analysis of malicious software (trojans and viruses)
  • reports from trusted third parties of a "logging" site

6. What is a malware logging site?
A malware logging site is a remote computer that is set up by the criminal to receive information captured by a malicious program (trojan or virus) from a client computer.

7. What should I do?
We only send relevant data to each owner of a domain. For example, information relating to will only be sent to

Your organisation has been contacted because it is in a position to directly contact the affected party.

We would like you to examine the data and see if you can identify visitors to your web site/domain, in order to let them know that they have used a computer (possibly their own) which has a serious malware infection; and of the need to take appropriate mitigation including removing the malware from their computer (if it is one they own), change passwords for all online accounts and be vigilant for potential fraudulent transactions.

When advising them to change passwords, it is important they do so only from a computer that is not believed to be already compromised with malware. The Stay Smart Online factsheet on Understanding password security provides advice when passwords have been captured by malware.