[ISN] Crimeware server exposes breadth of data theft

From: InfoSec News (alerts@private)
Date: Thu May 08 2008 - 00:01:06 PDT


By William Jackson

Last month, researchers at online security company Finjan uncovered a 1.4 
gigabyte cache of stolen data from North America, Europe, the Middle 
East and India on a Malaysian server that provided command and control 
functions for malware attacks in addition to being a drop site for data 
harvested from compromised computers.

“This is a unique example of what we have been talking about for the 
last year,” said Yuval Ben-Itzhak, chief technical officer at Finjan. 
Online thieves are using sophisticated tools to plant malicious code on 
legitimate Web pages, compromising visiting PCs and stealing data.

The data included 5,388 unique log files collected in just a three-week 
period. The files included personal and business e-mails, medical 
records, and financial log-in and transaction information with not only 
credit card and account numbers but also passwords and security codes. 
Although the trend of using Web exploits to steal and market personal 
data has been identified for some time, the discovery of the cache still 
was an eye-opener, Ben-Itzhak said.

“When you see a server with the data there, it’s the difference between 
theory and reality,” he said. “When you see people’s medical records and 
e-mail in this volume, we were kind of shocked.”

Since the discovery in early April, the company’s Malicious Code 
Research Center has discovered two similar servers in different parts 
of the world holding similar data. They appeared to have been in 
operation for shorter periods of time.

Finjan reported the discovery today in the latest issue of the 
“Malicious Page of the Month” bulletin [1].

The crimeserver was discovered by analysts monitoring outgoing traffic 
from a Finjan customer’s network. Following the traffic to its 
destination led them to the unprotected server holding the data. The 
server contained several Trojans and the payload injected into 
compromised Web sites in addition to command and control software for 
the attacks and the stolen data.

“It was just waiting for someone to collect it,” Ben-Itzhak said. Most 
of the data was in raw log files, although “in some parts of the server, 
we found data that had already been processed.”

Finjan analysts needed a week to process the 1.4 gigabytes and determine 
what was there. The log files were traced to 5,878 distinct IP 
addresses. The number of compromised PCs the data was lifted from has 
not been determined, but Ben-Itzhak said it could be as high as double 
the number of IP addresses. Files on the server included 571 log files 
from the United States, 621 from Germany, 322 from France, 308 from 
India, 232 from Great Britain, 150 from Spain, 86 from Canada, 58 from 
Italy, 46 from the Netherlands and 1,037 from Turkey.

The server was registered to a man from Moscow and was hosted in 
Singapore at the time it was discovered. It has since been shut down.

“About every week he was moving the server,” from Russia to China, Hong 
Kong and finally Singapore, Ben-Itzhak said.

In the online black market for stolen information, raw data can be sold 
in bulk for $1,000 for about 100 megabytes, but individual credit card 
numbers with accompanying information can sell for $20 to $50 each. 
Other files can bring hundreds of dollars, depending on their contents.

Ben-Itzhak said the discovery illustrates the breadth of the data theft 
threat. It is not just personal financial data at risk but corporate 
data also. The files included information from what Finjan described as 
40 top-tier global businesses and included sensitive corporate e-mails.

“We entered a new era in which criminals just need to log into their 
‘data supplier’ and download any information suitable for them to 
conduct their crime, be it financial fraud, industrial espionage or 
identity theft,” Ben-Itzhak said.

The company notified more than 40 major international financial 
institutions in the United States, Europe and India whose customers were 
compromised in addition to international law enforcement agencies 
including the FBI.

Ben-Itzhak said the largest financial institutions were not surprised, 
but smaller banks were. Cooperation was good from law enforcement 
agencies, with which the company maintains close relationships, he said.

[1] http://www.finjan.com/mpom


This archive was generated by hypermail 2.1.3 : Thu May 08 2008 - 00:05:16 PDT