Attackers Harvest FTP Credentials With New Crimeware Toolkit
San Jose-based Finjan, a security company specializing in Web gateway solutions, announced today that it uncovered a database containing more than 8,700 harvested FTP account credentials, including usernames, passwords and server addresses, spread through a malicious toolkit, which cyber criminals use to harvest the information.
The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies. The malware is subsequently distributed to other criminals who use the malicious code on high traffic Web sites for their own financial gain.
The findings were discovered by researchers at Finjan's Malicious Code Research Center with the company's Web analysis tool and published in its monthly report. The analysis showed that a standalone application was found at the backend of the malicious server, which enabled behind-the-scene information trading.
The whole package, which includes the FTP server credentials as well as the Neosploit malicious toolkit, acts as Software as a Service for criminals because it supports multiple users, Finjan researchers say. Attackers use a sophisticated trading interface to classify the stolen accounts by the FTP server's country of origin and the compromised site's Google page ranking. This information enables attackers to determine cost of the compromised FTP credentials for resale to cybercriminals or to leverage themselves in an attack against the more prominent Web sites. Finjan researchers believe that the amount of money that criminals pay for the malware is minimal, likely in the neighborhood of $100.
Attackers use the credentials to infiltrate corporate Web servers in order inject crimeware onto the legitimate servers of public companies, government agencies and financial institutions to steal critical information such as pass codes, bank account and social security numbers.
Researchers say that malware bought and sold over the black market has been detected on some of the world's top 100 domains, ranked by Alexa.com. Among the stolen accounts are those belonging to Fortune-level global companies in a wide range of industries, including manufacturing, telecom, media, online retail and IT, as well as numerous government agencies. So far, more than 2,300 of the FTP server credentials are from the U.S., a Finjan spokesperson said.
Finjan execs say that the SaaS model, mimicked by the NeoSploit toolkit, significantly opens up new and increased crimeware possibilities for attackers.
"Software-as-a-Service has been evolving for sometime, but until now, it has been applied only to legitimate applications," said Yuval Ben-Itzhak, Finjan chief technology officer, in a written statement. "With this new trading application, cybercriminals have an instant 'solution' to their 'problem' of gaining access to FTP credentials and thus infecting both the legitimate Web sites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button."