Network News


Hundreds of Stolen Data Dumps Found

A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts had surmised from looking at much smaller, isolated caches of digital loot: that criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits.

Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim.

Those reports either drew conclusions from examining a single cache of stolen data, or relied on observations made while watching transactions between cyber thieves. But a report released today by researchers at the University of Mannheim, Germany, offers a disturbing glimpse at the sheer abundance of this stolen data.

The researchers used "honeynets," distributed networks of dummy computers that were set up to be hacked, so that they could gather intelligence about the attack patterns and methods used by cyber criminals. The decoy systems were purposefully infected with data-stealing Trojans from two different families of keystroke-logging programs, known as Zeus (also known as "Zbot" and "Wsnpoem") and "Nethell" (a.k.a. "Limbo").

[Image: nethelldrop.jpg, screen shot of a drop site created by Nethell]

These two malware families are the product of so-called "exploit kits" that are sold in underground markets for a few hundred to a few thousand dollars apiece. The kits include soup-to-nuts scripts for setting up Web sites used to foist password-stealing malware on visitors, as well as programs that help the buyer set up back-end systems for receiving the stolen data, variously known as "blind drops," "drop sites," "dead drops" and "drop zones" (a screen shot of a drop site created by Nethell is pictured to the left).

The German research team found at least 300 such drop sites created by the Zeus and Nethell keylogger kits, and were able to access 70 of them, either through security vulnerabilities in the software kits themselves or because the criminals operating the drop sites had failed to properly secure them.

Their findings, which drew from stolen data harvested from these drop zones between April and October 2008, were staggering: 33 gigabytes worth of purloined data from more than 170,000 victims. Included in those troves were more than 10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials.

Using figures from Symantec's 2007 study (see thumbnail at right) on the prices that these credentials can fetch at e-crime bazaars, the researchers estimate that a single cyber crook using one of these kits could make a tidy daily income.

"We found that criminals can easily make a few hundred to a few thousand bucks a day from selling this stuff," said Thorsten Holz, a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany, and a founder of the German Honeynet Project. "We weren't able to access 230 of the drop sites we found, so the real number of victims and stolen credentials is probably many times what we were able to see."

And there are dozens of other exploit kits in circulation today, with names like Silent Banker, Bancos, and Neosploit.

[Image: limbodrop.jpg, screen shot of a Limbo drop site]

Holz said the researchers have been feeding the stolen data to security experts at AusCERT, the Australian Computer Emergency Response Team, which he said has an automated system called "Lumberjack," designed to notify financial institutions of compromised accounts. AusCERT could not be immediately reached for comment.

Interestingly, the researchers saw their access to the drop sites diminish over the seven-month monitoring period. In some cases, the criminals apparently got wise that someone was accessing their databases, but in other cases the curators of these exploit kits actually shipped updates that fixed the vulnerabilities the researchers had been using to peek inside the databases.

"The new versions for the Web exploit kits fix vulnerabilities in the exploit code," Holz said. "The [exploit kit makers] must have noticed there were some weaknesses in their code, and issued updates to fix them."

A copy of the report is available at this link here.

Update, Dec. 19, 10:43 a.m.: Changed the link to the report; because the site was using a self-signed certificate, some Firefox 3 users had trouble viewing it.

By Brian Krebs  |  December 18, 2008; 1:29 PM ET
Categories:  Fraud , Safety Tips , Web Fraud 2.0  | Tags: zeus  

Comments

Steve -- Unfortunately your link is blocked by my software as 'using an invalid security certificate.'

Posted by: brucerealtor@gmail.com | December 19, 2008 3:13 AM | Report abuse

Sorry -- Brian, not Steve. Guess it's late. LOL

Posted by: brucerealtor@gmail.com | December 19, 2008 3:14 AM | Report abuse

It's continually amazing, and sorta depressing, that we have a pretty darn good international network of organizations monitoring the activities of these scumbags, but no real effective international network that can do anything about it!

Posted by: peterpallesen | December 22, 2008 9:46 AM | Report abuse

@PeterPallesen -- Did you see this section of the above blog post?

Holz said the researchers have been feeding the stolen data to security experts at AusCERT, the Australian Computer Emergency Response Team, which he said has an automated system called "Lumberjack," designed to notify financial institutions of compromised accounts. AusCERT could not be immediately reached for comment.

Posted by: BTKrebs | December 22, 2008 10:33 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company