Confidential records from more than 40 global businesses were freely available to anyone on the web after they were stolen and stored on an unprotected server by a Russian cyber thief, a security company reported today.
Finjan, which specialises in secure web gateway products, found more than 5,000 unique IP addresses and 1.4 gigabytes of business and personal data in 5,388 unique log files hosted unprotected on a server used for criminal activity. The "crimeserver" hosts an application that compromises corporate networks and web servers to steal data.
Yuval Ben-Itzhak, CTO of Finjan, said it was likely that the thief had bought the application from a malware vendor, loaded it onto a host server, and gone into crime.
The log files came from the US (571), Germany (621), France (322), India (308), Great Britain (232), Spain (150), Canada (86), Italy (58), the Netherlands (46), and Turkey (1,037), among others.
The server, most recently hosted in Malaysia and registered to a Russian, was first registered on 15 October last year. It changed IP addresses four times between 13 January and 6 April, probably to make it harder for law officers to detect and close it down, Ben-Itzhak said.
Ben-Itzhak said the crimeware targeted e-mail addresses, suggesting that the motive was to develop precisely targeted attacks and to capture confidential and proprietary information from e-mails that could be converted to cash in the underground market.
"Some of the data we found from a public company could have been used to speculate in the shares of that company," he said.
Other data found in the log files included patient health records stolen from a doctor's PC, bank account numbers and log-in details, confidential commercial correspondence, and complete Outlook accounts.
Ben-Itzhak said signature-based protection tools and URL filters were useless against malware of this type.