March 16, 2009

Researchers Discover Hacker Database

Researchers from Prevx, a U.K. based online security firm, recently discovered a data trove used to store stolen information from 160,000 infected computers.

The discovery offers a case study in how much information, and what types of data, criminals are stealing from hacked computers.

The trove of data was found operating on a server in Ukraine and was still online nearly a month after law-enforcement officials were made aware of the situation.

The Ukrainian site was stealing data from up to 5,000 new computers a day.

The stolen data included items like emails, Facebook and banking passwords, along with more dangerous information like Social Security numbers, and bank account information.

Often these caches of stolen information are stored on heavily protected servers. Prevx's researchers were able to discover the Ukrainian cache because it was poorly secured and weakly encrypted.

The discovery shows how sloppy cyber criminals can be when using armies of virus-infected computers called botnets to steal information.

Criminals were able to log users' internet sessions in great detail.

One 22-year-old from Southern California was tracked registering a domain name, changing his e-mail password, and ordering a meal from Pizza Hut, all in one online session. 

The criminals were able to steal his credit card number, telephone number, address, and passwords, although it doesn't appear the criminals have used his information.

Some criminals are able to infect computers considered to be gold mines for sensitive data, such as bank computers holding customer details, or government computers.

"This is giving criminals the keys to the castle," said Jacques Erasmus, Prevx's director of malware research. "Once they're into this system, it might not seem at this point like it's the biggest data heist ever, but this is how they get into a network. This is their game - they do this every day."

Criminals use botnets to attack small computers first, which then allows them to work their way onto computers containing more sensitive data.

Researchers who find these stolen data caches often work to get service providers to deactivate servers before criminals are able to retrieve the data. 

Notifying victims proves to be too time-consuming and difficult to do efficiently.

Prevx did notify the Ukrainian site's Internet provider, U.S. and U.K. authorities, and Metro City Bank, the bank that owned one of the infected computers.

Yoon-Kee Hong, a 22-year-old college student in Georgia who had recently signed up for an account with Metro City Bank, was informed of the breach by The Associated Press.

"I cannot trust them any more," he said. "They're not doing what they're supposed to do. They didn't even notify me. It's like they're trying to hide it from their customers."

He later returned to the bank after being offered a new account with better security promises.

Metro City Bank said they are notifying customers and investigating the breach.

These stolen-data troves are becoming more common as criminals find easier ways to get involved with cyber-theft.

Criminals can often purchase top-of-the-line viruses for under $1,000, allowing them to begin stealing troves of data.

Joe Stewart, a botnet expert with SecureWorks Inc., said he helped shut down a website similar to the Ukrainian command center last year that had infected more than 378,000 machines and had stolen over 460,000 usernames and passwords.

Many other botnets will steal information for short periods of time, pull up stakes once they are detected, and start up again at a later time.

"The level of amateurness speaks to how widespread it is," Stewart told the Associated Press.

"Literally anybody with a little bit of computer knowledge at all, if they have the criminal bent, can get access to one of these Trojans and get it out there and start stealing people's data."
