Finjan Unearths Hackers’ Stash of Pilfered Server Access Codes

The precarious nature of data security — and accounts’ vulnerability to hackers — came to light Wednesday when Finjan said it had found a cache of more than 8,700 stolen File Transfer Protocol server credentials.

The stolen account information, containing usernames, passwords and server addresses, were connected to Fortune-level companies and government agencies around the world, said Finjan, a data security vendor based in San Jose, Calif. The find included data connected to 2,621 U.S.-based firms.

The companies cover a variety of industries, including manufacturing, media, online retail, telecom and IT, in addition to government bureaus.

Injecting Malware

Among the stolen accounts are some of the world’s top 100 domains as ranked by Alexa.com, Finjan said.

“The type of domains that are on the list, we’re talking here top domains in the world, like top 500, top 100,” said Yuval Ben-Itzhak, Finjan’s chief technology officer.

Finjan found the pirated information when it detected the database was hosting the NeoSploit Version 2 crimeware toolkit. The malware facilitates gaining access to credentials while infecting entire Web sites and their visitors, Ben-Itzhak noted.

The stolen credentials enable hackers to compromise servers and automatically inject malware to infect users who simply click into them.

Not a ‘Lone Wolf’ Attack

“It sounds better organized than in the past,” Charles King, principal at Pund-IT, told the E-Commerce Times. “The concept of hackers having access to essentially a treasure trove of server access data is pretty scary.”

It’s likely too organized to be an individual hacker. “The traditional view of hackers has tended to be lone wolves or small groups taking independent action,” King added. “But there is growing evidence over the past year or two that hackers with ties to organized crime have become increasingly sophisticated in the way they’re mounting attacks on systems and what they’re doing with the data.”

A new application designed to access stolen credentials employs a trading interface that is used to qualify the breached accounts in terms of country of residence of the FTP server and Google page ranking of the compromised server, according to Finjan. Hackers then devise a cost of the credentials and sell them or adjust the attack on more prominent sites.

Falling for Tricks

Through the application, hackers could automatically inject IFrame (inline frame) tags into Web pages on the breached server.

“These are usually very convoluted schemes where, for example, the crooks may pretend to be legitimate companies and use that company information and address and e-mails to customers and employees,” Avivah Litan, a data security analyst with Gartner, told the E-Commerce Times. “As soon as the customer or employee clicks on it because they trust it, the crooks could steal their account information.”

Hackers set up different accounts and often launder money for even bigger accounts, Litan noted. “They have to take over business accounts to get users to fall for them. They take over user accounts and then set up mule accounts and move money from legitimate users to their mule accounts.”

Problem Is Growing

These are not isolated problems, she added. In fact, they’re becoming more common. “When a crook is setting up one of these scenarios, they need all kinds of information, including the kind Finjan discovered.”

“It all comes down to stronger user authentication and stronger credentialing,” Litan commented, noting that companies took a more lackadaisical approach toward data-security before — but no longer. “Up until now the cost has been higher than the benefits, but as more schemes work, they’re starting to target business accounts and banks are starting to get hit. You start putting better technology in. I’m seeing more demand for effective solutions.”