Criminals log in to download what suits them
Finjan Inc., a leader in secure web gateway products, has discovered a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data included 5,388 unique log files collected in just a three-week period. The files included personal and business e-mails, medical records, and financial log-in and transaction information with, not only credit card and account numbers but also passwords and security codes. Although the trend of using Web exploits to steal and market personal data has been identified for some time, the discovery of the cache still was an eye-opener, said CTO of Finjan, Yuval Ben-Itzhak.
“When you see a server with the data there, it’s the difference between theory and reality,” he said. “When you see people’s medical records and e-mail in this volume, we were kind of shocked.”
Compromised data came from around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. The server contained among others 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR).
The server was registered to a man from Moscow and was hosted in Singapore at the time it was discovered. It has since been shut down. “About every week he was moving the server,” from Russia to China, Hong Kong and finally Singapore, Ben-Itzhak said.
Due to the sheer impact, Finjan followed its company guidelines and promptly notified over 40 major international financial institutions located in the US, Europe and India whose customers were compromised as well as various law enforcements around the world.
The report contains examples of compromised data that Finjan found on the Crimeserver in the form of Compromised patient data: Compromised bank customer data; Business- related email communications and Captured Outlook accounts containing email communication.
Finjan’s Malicious Code Research Center (MCRC) detected a Crimeserver which was used as a command and control for the Crimeware that was executed on infected PCs. This Crimeserver was also used as the “drop site” for private information being harvested by that Crimeware.
The Command & Control applications on this Crimeserver enabled the hacker to manage the actions and performance of his Crimeware, giving him control over the uses of the Crimeware as well as its victims. Since the stolen data was left unprotected on the Crimeserver, without any access restrictions or encryption, the data were freely available for anyone on the web, including criminal elements.
“This report provides a unique example of the type and amount of data today’s cybercriminals are collecting. Crimeware infected PCs are a serious business problem that requires proactive action since it is no longer just a technical IT problem.The existence of large amount of data on a server that hackers can easily manage and control shows the rapid evolution of cybercrime,” said Ben-Itzhak,
“We entered a new era in which criminals just need to log into their “data supplier” and download any information suitable for them to conduct their crime – being it financial fraud, industrial espionage or identity theft.”
Since the discovery in early April, the company’s Malicious Code Research Center has discovered two similar servers in different parts world with similar data. They appeared to have been in operation for shorter periods of time.
The crimeserver was discovered by analysts monitoring outgoing traffic from a Finjan customer’s network. Following the traffic to its destination led them to the unprotected server holding the data. The server contained several Trojans and the payload injected into compromised Web sites in addition to command and control software for the attacks and the stolen data.
“It was just waiting for someone to collect it,” Ben-Itzhak said. Most of the data was in raw log files, although “in some parts of the server, we found data that had already been processed.”
Finjan analysts needed a week to process the 1.4 gigabytes and determine what was there. The log files were traced to 5,878 distinct IP addresses. The number of compromised PCs the data was lifted from has not been determined, but Ben-Itzhak said it could be as high as double the number of IP addresses.
According to Finjan, the fact that sensitive business and personal data in more than 5,000 cases were compromised in a timeframe of less than one calendar month indicates that the current numbers quoted in the industry reflect only the tip of the Cybercrime iceberg.
According to GCN daily, In the online black market for stolen information, raw data can be sold in bulk for $1,000 for about 100 megabytes, but individual credit card numbers with accompanying information can sell for $20 to $50 each. Other files can bring hundreds of dollars, depending on their contents.
The compromised data and the Command and Control applications were detected using Finjan’s patented active real-time code inspection technology while diagnosing users’ web traffic. The research is described in detail in Finjan’s latest “Malicious Page of the Month” report.
Report downloadable at http://www.finjan.com/mpom
Sources: http:www.finjan.com
http:www.gcn.com