Crimeware server exposes breadth of data theft
- By William Jackson
- May 06, 2008
Last month Researchers at online security company Finjan
uncovered a 1.4 gigabyte cache of stolen data from North America,
Europe, the Middle East and India on a Malaysian server that
provided command and control functions for malware attacks in
addition to being a drop site for data harvested from compromised
'This is a unique example of what we have been talking
about for the last year,' said Yuval Ben-Itzhak, chief
technical officer at Finjan. Online thieves are using sophisticated
tools to plant malicious code on legitimate Web pages, compromising
visiting PCs and stealing data.
The data included 5,388 unique log files collected in just a
three-week period. The files included personal and business
e-mails, medical records, and financial log-in and transaction
information with not only credit card and account numbers but also
passwords and security codes. Although the trend of using Web
exploits to steal and market personal data has been identified for
some time, the discovery of the cache still was an eye-opener,
'When you see a server with the data there, it's the
difference between theory and reality,' he said. 'When
you see people's medical records and e-mail in this volume,
we were kind of shocked.'
Since the discovery in early April, the company's
Malicious Code Research Center has discovered two similar servers
in different parts world with similar data. They appeared to have
been in operation for shorter periods of time.
Finjan reported the discovery today in the latest
issue of the 'Malicious Page of the Month'
The crimeserver was discovered by analysts monitoring outgoing
traffic from a Finjan customer's network. Following the
traffic to its destination led them to the unprotected server
holding the data. The server contained several Trojans and the
payload injected into compromised Web sites in addition to command
and control software for the attacks and the stolen data.
'It was just waiting for someone to collect it,'
Ben-Itzhak said. Most of the data was in raw log files, although
'in some parts of the server, we found data that had already
Finjan analysts needed a week to process the 1.4 gigabytes and
determine what was there. The log files were traced to 5,878
distinct IP addresses. The number of compromised PCs the data was
lifted from has not been determined, but Ben-Itzhak said it could
be as high as double the number of IP addresses. Files on the
server included 571 log files from the United States, 621 from
Germany, 322 from France, 308 from India, 232 from Great Britain,
150 from Spain, 86 from Canada, 58 from Italy, 46 from the
Netherlands and 1,037 from Turkey.
The server was registered to a man from Moscow and was hosted in
Singapore at the time it was discovered. It has since been shut
'About every week he was moving the server,' from
Russia to China, Hong Kong and finally Singapore, Ben-Itzhak
In the online black market for stolen information, raw data can
be sold in bulk for $1,000 for about 100 megabytes, but individual
credit card numbers with accompanying information can sell for $20
to $50 each. Other files can bring hundreds of dollars, depending
on their contents.
Ben-Itzhak said the discovery illustrates the breadth of the
data theft threat. It is not just personal financial data at risk
but corporate data also. The files included information from what
Finjan described as 40 top-tier global businesses and included
sensitive corporate e-mails.
'We entered a new era in which criminals just need to log
into their 'data supplier' and download any information
suitable for them to conduct their crime, be it financial fraud,
industrial espionage or identity theft,' Ben-Itzhak said.
The company notified more than 40 major international financial
institutions in the United States, Europe and India whose customers
were compromised in addition to international law enforcement
agencies including the FBI.
Ben-Itzhak said the largest financial institutions were not
surprised, but smaller banks were. Cooperation was good from law
enforcement agencies, with which the company maintains close
relationships, he said.
William Jackson is freelance writer and the author of the CyberEye blog.