Wednesday, May 07, 2008

Stolen information from 40 financial and medical institutions discovered on rogue server

Once in awhile, I speculate that stolen information is a lot more valuable to the criminal element before it becomes apparent that it's been stolen. I've also speculated aloud that there is probably a lot more stolen information out there than we are aware of. The good folks at Finjan are well on their way to substantiating this speculation.

Yesterday, they announced the following on their malicious page of the month:

While we were examining malicious code, we came across a domain which was being used as a command and control for the Crimeware that was executed on attacked machines. The domain was also used as the “drop site” for private information being harvested by that Crimeware.

When we further examined this server, we found the stolen data left unprotected and available for anyone on the web (i.e. no access restrictions, no encryption whatsoever).

The server that we analyzed contained more than 1.4Gb of data (both business and personal related) collected from infected PCs, which consisted of 5,388 unique log files, that were traced back to 5,878 distinct IP addresses. Both email communications and web related data were found.
The information discovered was from 40 unnamed financial and medical institutions from several different continents. The server used to store this information was being moved frequently, but if found, anyone could access it.

They made the observation that last year, according to what statistics are available, 8.5 million records were compromised. One of these statistics, obtained from IC3 states that 20 percent of the 206,884 cases (roughly 40,000) were due to computer hacking. Finjan points out that on this one server, they discovered approximately 5,000 records.

I’ll let the reader do their own math, but if this is true there is probably a lot of unknown hacking activity happening in the wild.

Please note that all the kind people compiling statistics only know what is reported to them, and some of them have been very vocal in pointing this out. My personal guess is that there is so much stolen information out there that when any individual case is investigated, it’s almost impossible to do more than speculate, exactly where the point of compromise occurred.

Besides that, hackers are unlikely to want to reveal where they are stealing all their information from. Once revealed, it’s harder to use and not worth as much money.

The information on the server included compromised medical information, online banking information (including passwords) and complete logs of payment card (debit/credit) card transactions, including CVV2 information and the miscellaneous “extras.” This all occurred on “supposedly” secure sites.

I found this interesting because the merchants have been under fire for becoming compliant with PCI data security standards in light of a few highly publicized data breaches. Of course in the recent Hannaford case, they were compromised and had been certified as being PCI compliant. PCI data security procedures are the payment card industries own standards for protecting information.


Based on these findings, hackers don’t have to compromise a merchant to steal everything they need to commit financial crimes and it’s pretty obvious that financial institutions are being compromised, also.

Also found on the server was a lot of business proprietary information harvested from a lot of internal e-mail accounts. In the past year or so there seems to have been a lot of campaigns to obtain other than financial information from businesses. The clear intent in this activity is corporate espionage (my speculation).

Finjan reports that this particular theft campaign was made possible with a do-it-yourself (DIY) crimeware kit called the AdPack Toolkit. They also reported that this kit gives the user command and control functions, enabling them to execute admin functions with the illicit software.

Finjan is not revealing (they never do) exactly which institutions were compromised. Even though they are not revealing names, they did report the activity to law enforcement and the institutions involved.