More than 8,700 FTP log-in names and passwords are being peddled at an online auction site for stolen data, according to security firm Finjan. The site includes software that lets criminals hack Web servers and automatically inject crimeware that infects visitors to the Web site.
Some of the information opens a back door into Fortune 500 companies in manufacturing, telecom, media, online retail and IT, as well as government agencies. The stolen FTP accounts include some of the world's top 100 domains as ranked by Alexa.com.
Putting a Price on Stolen Data
Finjan's Malicious Code Research Center detailed the workings of the software, dubbed the NeoSploit 2 toolkit, that is designed to exploit and trade FTP account credentials stolen from legitimate companies.
Here's how it works: The software uses an eBay-like trading interface to qualify the stolen accounts in terms of the country where the server is located and the Google page ranking of the compromised server. Cybercriminals use the information to set a price for the compromised FTP credentials so they can be resold to other cybercriminals or adjust an attack on more prominent sites. The software also allows cybercriminals to use the FTP credentials to automatically inject HTML IFrame tags into Web pages on the compromised server.
"Software as a service (SaaS) has been evolving for sometime, but until now it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant 'solution' to their 'problem' of gaining access to FTP credentials and thus infecting both the legitimate Web sites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button," said Yuval Ben-Itzhak, CTO of Finjan.
According to Finjan, the NeoSploit 2 toolkit marks a serious escalation of crimeware potential, since it uses the SaaS business model.
The fact that cybercriminals are becoming more organized and sophisticated shouldn't be news to any IT department fighting the ever-growing threat. However, many businesses will be wondering if they might be the next victim, according to Graham Cluley, a senior technology consultant at Sophos.
Criminals Target the Unsuspecting
Sophos experts are discovering 6,000 newly infected Web pages every day -- that's one every 14 seconds. Eighty-three percent of those Web pages belong to companies and individuals who are not aware that their sites have been hacked.
"Criminal gangs are not only infecting Web pages, they are also trading user names and passwords to waltz straight onto corporate Web sites and plant dangerous code," Cluley said. "That means that even if your Web site does not have a vulnerability on it which can be exploited, the hackers can walk in through a side entrance."
Criminals can then target any computer user by sending e-mails containing links to the poisoned Web pages, directing victims to the malicious code. In some cases, Cluley said, the Web sites can even determine if the visitor is using a Mac or a PC, and deliver malware custom-written for the surfer's operating system.
"IT departments should regularly audit the user names and passwords which have FTP access to their Web site, and ensure that passwords are changed regularly so that if they do fall into the wrong hands, they cannot be abused for too long," Cluley said. "Some firms may wish to implement additional authentication methods to ensure that the person uploading code to the Web site really is who he or she claims to be."
The bottom line is that the money to be made through cybercrime is astronomical. Like other security analysts, Cluley said we can expect more criminals to adopt techniques used by legitimate businesses and software developers to streamline their activities.