Over the past three years a powerful Trojan maintained by a cybercrime organization has been responsible for stealing the usernames and passwords of nearly half a million bank accounts and nearly as many credit card numbers. Researchers captured some of the Trojan’s (known as Sinowal, Mebroot or Torpig) code and used it to track down its drop server full of the stolen information. Further research showed it’s been active since early 2006.

The Trojan works by waiting for the user to enter the URL for a banking or credit card site. Once it senses one, it replaces it with a fake one that captures the user’s details. So far it’s known to have the ability to sense nearly 3,000 different URLs, and is not detected by most anti-virus programs. It does this by using a rootkit to infect a PC’s master boot record, making it practically invisible.

Not surprisingly, security experts believe the criminals running the malware are in Russia, since that is the only company no infections have been detected in. They’ve made banks, credit card companies and law enforcement aware of the situation, but don’t rely on them to protect you. Use your common sense. Never click on a link in an email from any financial institution you do business with, and remember they will never, ever ask you for your password, account number, or any other personal info via email. Also be wary of emails offering links to videos of news stories, celebs, or anything else. Most of the time clicking on them will take you to a malicious site.

If you think you’ve been the victim of this Trojan, contact your bank or credit card company right away, and disconnect your system from the internet and any internal networks until you’ve cleaned out any infections.