Skip to main content

More Than 8,700 FTP Server Credentials in the Hands of Hackers

In its latest Malicious Page of the Month report, Finjan reveals the commercialization of stolen FTP server credentials, owned by legitimate companies, by hackers who are using the NeoSploit Crimeware toolkit.

Finjan Inc announced it has uncovered a database containing more than 8,700 harvested FTP account credentials, including username, password and server address - in the hands of hackers.

These stolen credentials enable criminals to compromise servers and automatically inject crimeware to infect users visiting them.

Among those stolen accounts are those of Fortune-level global companies in a wide range of industries including manufacturing, telecom, media, online retail, IT, as well as government agencies.

The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

Finjan’s Malicious Code Research Center (MCRC) has detailed the workings of an insidious new application, especially designed to abuse and trade stolen FTP account credentials of legitimate companies around the world.

A trading interface is used to qualify the stolen accounts in terms of country of residence of the FTP server and Google page ranking of the compromised server.

This information enables the cybercriminals to devise cost for the compromised FTP credentials for resale to other cybercriminals or to adjust the attack on more prominent sites. The trading application also allows the cybercriminal to manage FTP credential information to automatically inject IFRAME tags to web pages on the compromised server.

“Software-as-a-Service has been evolving for sometime, but until now, it has been applied only to legitimate applications.

With this new trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate websites and its unsuspecting visitors.

All of this can be easily achieved with just one push of a button,” said Yuval Ben-Itzhak, CTO of Finjan.

Finjan invites IT security personnel from legitimate organizations to inquire if their FTP servers’ credentials are among those identified as stolen. Finjan can be contacted at http://www.finjan.com/contactFTP (opens in new tab)

According to Finjan, the NeoSploit 2 toolkit marks a serious escalation of Crimeware potential, since it uses the Software-as-a-Service business model.

Both the NeoSploit Version 2 toolkit and the application were detected using Finjan’s patented real-time code inspection technology while diagnosing users’ web traffic.

The attack is described in detail in Finjan’s latest “Malicious Page of the Month” report released today.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.