Logins for 8,700 FTP servers found on sale

February 29th, 2008

By John E. Dunn
27 February 2008

Criminals have assembled a huge database of hacked FTP server logins belonging to some of the worlds leading companies, a security company has revealed.

Finjan said it had stumbled upon a database containing account usernames, passwords and server addresses for a staggering 8,700 FTP servers, many of which were being used by US Fortune 100-level enterprises.

The hacked servers could be used to distribute crimeware by injecting iframe tags into any webpage stored on the compromised FTP servers. Indeed the server accounts were themselves being traded by a web application able to rank and price them according to their Google page rank for re-sale to other criminals.

The company found the database while examining what appears to be a sophisticated Russian crimeware hub built using a newer version of the Neosploit crimeware toolkit, sophisticated enough to offers its criminal users a SaaS (software as a service) interface for carrying out attacks.

The company didnt name the domains involved for obvious reasons, but the range of sectors and countries reads like a whos who of big business. FTP details for telecoms, media, online retail, and government agencies were all present, across every leading economy and beyond.

Using the Alexa.com domain ranking, Finjan found 10 of the top 100 domains in the database, 100 of the top 500 domains, and 50 of those between 500 and 1,000.

Breaking these down by location, 2,621 were in the US, 1,247 in Russia, 392 in Australia, 354 in Asia/Pacific. The rest were covered Eastern Europe, with only a handful in western European countries such as Germany and the UK, which accounted for 80 and 78, respectively.

“With this new trading application, cyber-criminals have an instant ‘solution’ to their problem of gaining access to FTP credentials and thus infecting both the legitimate websites and unsuspecting visitors, said Finjans Yuval-Ben Itzhak.



I could have used substitution here to make this an article about ID cards and how ‘criminals’ are going to create tools to trade in the ‘identities’ of people, but this article was just too juicy as it stood.

Back in the day there were the forerunners of these tools, like ‘cc master’ (at least thats what I think it was called; it was something around on the old [1994/5] BBSes that you could play with if you wanted to get your machine virus’d). Now of course, they are running everything on the internets as services, like bugmenot, only much more serious.

The same thing is going to happen with ID details. Underground supermarkets are going to be created where you can buy the ‘identity’ of just the sort of person you need to commit a crime, and this will include fingerprints that will be used in software that uses playback exploits to fool the back ends that are being attacked. Even without that, simple Social Engineering will be made possible by collecting and studying the detailed identity records of some sheep, that can be inserted into a script for reading out, and all of this will be done in a slick service that you pay to access.

Imagine, you pay a subscription to a service that generates scripts for you to read over the telephone. You log in. You select your gender and accent type. The system then generates some scripts for you to read, and sets up VOIP calls for you to activate with a click of your mouse. The scripts are filled with the personal details of someone (bought on a DVD) and the call is made to their bank or building society, and the script provides you with a spiel that lets you transfer money to your own account.

You are paying for the right to use these identities and the related generated scripts; if you have success or not thats down to your mad skillz as a social engineer. Recommended Reading, ‘The Art of Deception’ by Kevin D. Mitnik.

The more scripts you read and the better you get at it, the more money you collect. Snarfed profiles are charged by how many people have used them; fresh, unused profiles are the most expensive (like fresh leads; they are for closers). Identities that have been passed around alot are nearly worthless, so you can read scripts generated for these in their thousands for only a few euros.

“I’m here from downtown, and I’m here on a mission of mercy….”


Leave a Reply

You must be logged in to post a comment.