Brazen Botnets Steal From E-Shopping Carts


Two large botnets are hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, according to a security vendor.



Two large botnets that control 150,000 compromised computers are hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, a security company said Friday.

The botnets, said Foster City, Calif.-based FaceTime, were discovered, probed, and disclosed to authorities with the help of an insider who tipped off the company's security researchers and showed them the inner workings of the bot underground.

According to Chris Boyd, the security research manager for FaceTime, the bots, or hacked PCs, were accumulated by seeding Trojan horses via instant messaging networks. Recipients naive enough to click on the IMs' embedded link ended up with remote access applications secretly installed on their PCs; the attacker then used that software to install as many as 40 additional pieces of malware.

"They're using the kitchen sink approach times one hundred," said Boyd. Among the installs by the botnet's herder, or controller, Boyd found adware, keyloggers, and much more sophisticated applications.

One, dubbed "Carder," is a customizable Perl script designed to sniff out exploits in several e-commerce shopping cart applications. If Carder identifies a vulnerability, personal data can be snatched from the individual PC, and database information -- including large numbers of credit card account numbers, usernames, passwords, home addresses, and the like -- can be hijacked from the e-tailer's back-end systems.

"If you can't trust the payment systems [on e-commerce retailers], you'll think twice about using the Internet," said Boyd.

Part of the problem is that it's impossible to know exactly which shopping cart vulnerabilities are under attack at any given moment, since Carder is so customizable. "They're working on the fly, and messing around with the [Perl] code to change the types of data it goes after," said Boyd. "They're always looking for the latest vulnerability, which makes it difficult to tackle."

Boyd was turned on to the botnets by a former hacker, now gone straight, who uses the screen name "RinCe." With RinCe's help, Boyd was able to monitor the botnet operators, get a feel for how they were organized, and understand the pecking order.

"There's a small percentage pulling the strings," Boyd said as he outlined the botnet hierarchy. "They're trading bot code right and left," he said, "but the people who run these [trading sites] are usually putting their own backdoors in the code they share, so they end up with the data."
