http://www.darkreading.com/document.asp?doc_id=147123&WT.svl=news2_1
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9065038
They are providing an application where you can trade and validate [these credentials], and even get their Google page ranking,” says Yuval Ben-Itzhak, CTO at Finjan. “You don’t need to hack or develop your own Trojan, and there’s no need to compromise a server by yourself” to gain access to the FTP servers and ultimately, the victim organization’s Website, he says.
Finjan won’t divulge which organizations’ FTP credentials it found among the stolen, but they include companies in the financial, manufacturing, government, IT, and security industries, many of which Finjan has already alerted in addition to law enforcement. “There were some big names on the list,” Ben-Itzhak says, including some of the world's top 100 domains as ranked by Alexa.com.
The so-called meoryprof.info (Me-or-you-Profit) site is selling username, password, and server addresses of these FTP servers as well as the NeoSploit Version 2 crimeware package, which basically lets the bad guys who buy it instantly infect these sites with malicious code – with the goal of stealing valuable and confidential data from them as well as any visitors to the sites. It also “qualifies” the stolen accounts so that buyers either can then set a price to resell the compromised FTP credentials to other cybercriminals, or determine which are the more potentially lucrative sites to hack.
“With a click of a button they say ‘I want to infect his FTP server’ with the crimeware,” says Ben-Itzhak. Finjan did not test all of the sites to see if they had been infected yet or not.
The San Jose-based vendor announced today that it has uncovered an illegal database containing more than 8,700 stolen File Transfer Protocol server credentials including usernames, passwords and server addresses. Anyone can purchase those credentials and use them to launch malicious attacks against the compromised systems.
The stolen credentials belong to companies from around the world and include more than 2,500 North American companies, some of whose Web sites are among the world's top 100 domains, according to Yuval Ben-Itzhak, Finjan's chief technology officer.
The FTP credentials would allow malicious hackers to break into and upload malware of their choice to compromised servers literally with a click or two, he said. "You could pick any server you wanted in the list, pay for it" and launch an attack with very little effort, Ben-Itzhak said.
A trading interface on the server hosting the illegal database allows purchasers to buy FTP server credentials based on the countries in which the servers are located or even by the Google ranking of the Web sites, Ben-Itzhak said. It also appears to be designed to give criminals looking to resell FTP credentials a better basis for pricing the stolen data, he said.
A newly updated version of a tool kit called NeoSploit, which allows a cybercrook to automatically inject iFrame tags to Web pages on a compromised server, is also available. These tags are used in turn to surreptitiously pull in malicious code from other Web sites, Ben-Itzhak said.
All of the FTP credentials on the database uncovered by Finjan seem to have been harvested previously using Trojan horses and other forms of malware, he said.
|
