[LINK] Hundreds of Stolen Data Dumps Found
Bernard Robertson-Dunn
brd at iimetro.com.au
Tue Dec 23 09:59:41 AEDT 2008
<brd>
See the original website for diagrams.
Stolen financial data is a greater threat than potential access by minors
to inappropriate content. Discuss.
</brd>
Hundreds of Stolen Data Dumps Found
Washington Post
http://voices.washingtonpost.com/securityfix/2008/12/hundreds_of_stolen_data_dumps.html?wprss=rss_blog
A comprehensive new study that peers into huge troves of financial data
stolen by cyber thieves confirms what experts have surmised from looking
at much smaller, isolated caches of digital loot: that criminals can
make hundreds, even thousands, of dollars a day selling data stolen with
the help of widely available software toolkits.
Recent reports by security firms Finjan, RSA, SecureWorks and Symantec
have shown that stolen identities, bank accounts and credit card numbers
are sold in bulk every day in shadowy online forums, often for pennies
on the dollar. In its analysis, Symantec found in 2007 that the going
rate for the keys to assuming someone else's identity was between $14
and $18 per victim.
Those reports either presented conclusions based on examining a single
cache of stolen data, or on observations based on watching transactions
between cyber thieves. But a report released today by researchers at the
University of Mannheim, Germany, offers a disturbing glimpse at the
sheer abundance of this stolen data.
The researchers used "honeynets," or distributed networks of dummy
computers that were set up to be hacked, so that they could gather
intelligence about the attack patterns and methods used by cyber
criminals. The decoy systems were purposefully infected with
data-stealing Trojans from two different families of keystroke logging
programs known as Zeus (also known as "Zbot" and "Wsnpoem") and
"Nethell" (a.k.a. "Limbo").
[Image: nethelldrop.jpg (screen shot of a drop site created by Nethell)]
These two malware families are the product of so-called "exploit kits"
that are sold in underground markets for a few hundred to a few thousand
dollars a pop. The kits include soup-to-nuts scripts for setting up Web
sites used to foist password-stealing malware on visitors, as well as
programs that help the buyer set up back-end systems for receiving the
stolen data, variously known as "blind drops," "drop sites," "dead
drops" and "drop zones" (a screen shot of a drop site created by
Nethell is pictured to the left).
The German research team found at least 300 such drop sites created by
Zeus and Nethell keylog kits, and were able to access 70 of them using
either security vulnerabilities in the software kits themselves or
because the criminals operating the drop sites had failed to properly
secure them.
Their findings, which drew from stolen data harvested from these drop
zones between April and October 2008, were staggering: 33 gigabytes
worth of purloined data from more than 170,000 victims. Included in
those troves were more than 10,700 online bank account credentials,
149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712
sets of eBay credentials.
Using figures from Symantec's 2007 study (see thumbnail at right) on the
prices that these credentials can fetch at e-crime bazaars, the
researchers estimate that a single cyber crook using one of these kits
could make a tidy daily income.
"We found that criminals can easily make a few hundred to a few thousand
bucks a day from selling this stuff," said Thorsten Holz, a Ph.D.
student at the Laboratory for Dependable Distributed Systems at the
University of Mannheim, Germany, and a founder of the German Honeynet
Project. "We weren't able to access 230 of the drop sites we found, so
the real number of victims and stolen credentials is probably many times
what we were able to see."
And there are dozens of other exploit kits in circulation today, with
names like Silent Banker, Bancos, and Neosploit.
[Image: limbodrop.jpg]
Holz said the researchers have been feeding the stolen data to security
experts at AusCERT, the Australian Computer Emergency Response Team,
which he said has an automated system called "Lumberjack," designed to
notify financial institutions of compromised accounts. AusCERT could not
be immediately reached for comment.
Interestingly, the researchers saw their access to the drop sites
diminish over the seven-month period of monitoring them. In
some cases, the criminals apparently got wise that someone was accessing
their databases, but in other cases, the curators of these exploit kits
actually shipped updates that fixed the vulnerabilities the researchers were
using to peek inside the databases.
"The new versions for the Web exploit kits fix vulnerabilities in the
exploit code," Holz said. "The [exploit kit makers] must have noticed
there were some weaknesses in their code, and issued updates to fix them."
A copy of the report is available here:
<http://honeyblog.org/archives/9-Banking-Trojans.html>
--
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au