For Sale: Passwords To Fortune 500's Servers

Cybercriminals are paying premiums based on compromised sites' Google PageRank to buy thousands of login names and FTP credentials, a security software company reports.
More than 8,700 FTP login names and passwords, some of which grant access to Fortune 500 servers, are being sold online through a sort of eBay for stolen data, a security company revealed this week.

Prices vary in relation to the Google PageRank of the compromised sites. The customers are cybercriminals who seek access to trusted sites in order to launch malware or hide files.

Finjan, a computer security company based in Israel, made the discovery and elaborates on its findings in its February Malicious Page of the Month report.

Finjan CTO Yuval Ben-Itzhak describes the online crime database application the company found as "the holy grail of hackers." It contains the "hacked FTP credentials of very large companies, some of them in the Fortune 500." More than 100 stolen login names are associated with one of the 500 most visited Web sites on the Internet, as measured by

"There is a whole industry of buying and selling all these stolen credentials," said Ben-Itzhak. "It opens for us a new window to see how they really manage to infect all these companies and legitimate Web sites very quickly."

Ben-Itzhak declined to be more specific to avoid embarrassing the affected organizations but said that one set of FTP credentials found granted access to a state court Web site. A state court site appears on p. 14 of the Finjan report, but the URLs in the printed screen shot have been obscured to prevent identification.

However, a Google search for a conspicuous portion of one of the obscured URLs suggests that the featured site belongs to California's Mono County Superior Court. (The Great Seal of the State of California can be easily identified on the Web site screen shot in the report despite an effort to blur it.)

A spokesperson for Finjan said the company could not name the compromised organizations it had identified for legal reasons.

Robert Dennis, the executive officer of the Mono County Superior Court, said he is not aware of the Finjan report or of any current problem with the court's Web site. However, he said that in January he had moved the court's Web site to a new ISP, and from a .gov domain to a .org domain, and that there had been occasional security issues in the past with the court's old ISP and site. The semi-obscured court URL in the Finjan report shows a .gov address.

"When we were with the prior host, we would occasionally have a problem where someone would hack the site," Dennis said, noting that it might have happened two or three times over the course of a year. "Somebody was adding code to our home page."

Dennis declined to name the court's old ISP, a large hosting provider that had served the court for eight years, but said a technical contact there had told him about difficulties keeping a specific server clean. "The guy said they'd clean it out and [the malware] would come back," he said.

The countries of origin for the stolen FTP credentials include the United States (2,621), Russia (1,247), Australia (392), and various Asia-Pacific Region countries (354), to name a few.

The Finjan report also says that the creators of crimeware toolkits have adopted the software-as-a-service model. It describes Neosploit 2.0, a Web-based hacking application that provides detailed infection statistics and other attack management tools. The result, as Ben-Itzhak describes it, is push-button cybercrime.