May 8th, 2008
Source: ConnectItNews.com

Finjan Inc., makers of secure web gateway products, has discovered a server controlled by hackers that contained more than 1.4 gigabytes of business and personal data stolen from infected PCs.

Finjan's Malicious Code Research Center (MCRC) detected a Crimeserver that was used as the command-and-control server for the Crimeware executed on infected PCs. This Crimeserver was also used as the "drop site" for private information harvested by that Crimeware.

The server was located in Malaysia but contained data from all around the world, including the U.S., Germany, France, India, Great Britain, Spain, Canada, Italy, Netherlands and Turkey. The server was up for only 3 weeks, but in that time it was able to collect 1.4 gigabytes of data that included business-related e-mails and data on the medical history of patients.

The domain itself was registered to a generic entity, while a Russian individual was listed as the registrant. The registration didn't provide any details on who really operated it or for what purpose.

The server had also gone through some changes in its hosting location, quite likely to prevent it from being closed down by the ISP/hosting provider in case of complaints.

"[The server might be down] but the criminal is still out there and probably will do this again," said Yuval Ben-Itzhak, CTO of Finjan.

He added that the information found on the server was unprotected and that the server wasn't the work of a professional hacker but of someone who used an off-the-shelf software package to commit this crime.

The data consisted of 5,388 unique log files. Both e-mail communications and web-related data were among them.

For example, the server managed to capture Outlook accounts containing e-mail communication that included data in personal and network folders and business contacts. These communications also exposed this company's shipment information, 401(k) plans and invoices.

The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers.

Ben-Itzhak believed that these people were infected by visiting compromised websites.

"Their web browser is being compromised by using vulnerabilities found in the browser and this is how the crimeware finds its way to install and start to run," he added.

The best way to keep one's information from being leaked onto these Crimeservers, said Ben-Itzhak, is to practice proactive security by utilizing active real-time content inspection technology.
