[LINK] Hundreds of Stolen Data Dumps Found

Bernard Robertson-Dunn brd at iimetro.com.au
Tue Dec 23 09:59:41 AEDT 2008 

<brd>
See the original website for diagrams.

Stolen financial data is a greater threat than potential access by minors
to inappropriate content. Discuss.

</brd>

Hundreds of Stolen Data Dumps Found
Washington Post
http://voices.washingtonpost.com/securityfix/2008/12/hundreds_of_stolen_data_dumps.html?wprss=rss_blog

A comprehensive new study that peers into huge troves of financial data 
stolen by cyber thieves confirms what experts have surmised from looking 
at much smaller, isolated caches of digital loot: That criminals can 
make hundreds, even thousands, of dollars a day selling data stolen with 
the help of widely available software toolkits.

Recent reports by security firms Finjan, RSA, SecureWorks and Symantec 
have shown that stolen identities, bank accounts and credit card numbers 
are sold in bulk every day in shadowy online forums, often for pennies 
on the dollar. In its analysis, Symantec found in 2007 that the going 
rate for the keys to assuming someone else's identity was between $14 
and $18 per victim.

Those reports either presented conclusions based on examining a single 
cache of stolen data, or by observations based on watching transactions 
between cyber thieves. But a report released today by researchers at the 
University of Mannheim, Germany, offers a disturbing glimpse at the 
sheer abundance of this stolen data.

The researchers used "honeynets," or distributed network of dummy 
computers that were set up to be hacked, so that they could gather 
intelligence about the attack patterns and methods used by cyber 
criminals. The decoy systems were purposefully infected with data 
stealing Trojans from two different families of keystroke logging 
programs known as Zeus (also known as "Zbot" and "Wsnpoem") and 
"Nethell" (a.k.a. "Limbo").

nethelldrop.jpg

These two malware families are the product of so-called "exploit kits" 
that are sold in underground markets for a few hundred to a few thousand 
dollars a pop. The kits include soup-to-nuts scripts for setting up Web 
sites used to foist password-stealing malware on visitors, as well as 
programs that help the buyer set up back-end systems for receiving the 
stolen data, variously known as "blind drops," "drop sites", "dead 
drops" and "drop zones," (a screen shot of a drop site created by 
Nethell is pictured to the left).

The German research team found at least 300 such drop sites created by 
Zeus and Nethell keylog kits, and were able to access 70 of them using 
either security vulnerabilities in the software kits themselves or 
because the criminals operating the drop sites had failed to properly 
secure them.

Their findings, which drew from stolen data harvested from these drop 
zones between April and October 2008, were staggering: 33 gigabytes 
worth of purloined data from more than 170,000 victims. Included in 
those troves were more than 10,700 online bank account credentials, 
149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 
sets of eBay credentials.

Using figures from Symantec's 2007 study (see thumbnail at right) on the 
prices that these credentials can fetch at e-crime bazaars, the 
researchers estimate that a single cyber crook using one of these kits 
could make a tidy daily income.

"We found that criminals can easily make a few hundred to a few thousand 
bucks a day from selling this stuff," said Thorsten Holz, a Ph.D. 
student at the Laboratory for Dependable Distributed Systems at the 
University of Mannheim, Germany, a founder of the Germany Honeynet 
Project. "We weren't able to access 230 of the drop sites we found, so 
the real number of victims and stolen credentials is probably many times 
what we were able to see."

And there are dozens of other exploit kits in circulation today, with 
names like Silent Banker, Bancos, and Neosploit.

limbodrop.jpg

Holz said the researchers have been feeding the stolen data to security 
experts at AusCERT, the Australian Computer Emergency Response Team, 
which he said has an automated system called "Lumberjack," designed to 
notify financial institutions of compromised accounts. AusCERT could not 
be immediately reached for comment.

Interestingly, the researchers saw their access to the drop sites 
diminish over the seven month period of monitoring these drop sites. In 
some cases, the criminals apparently got wise that someone was accessing 
their databases, but in other cases, the curators of these exploit kits 
actually shipped updates that fixed vulnerabilities the researchers were 
using to peek inside the databases.

"The new versions for the Web exploit kits fix vulnerabilities in the 
exploit code," Holz said. "The [exploit kit makers] must have noticed 
there were some weaknesses in their code, and issued updates to fix them."

A copy of the report is available at this link here. 
<http://honeyblog.org/archives/9-Banking-Trojans.html>

-- 
 
Regards
brd

Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au

More information about the Link mailing list