Commercialization of Stolen Data

While research shows that the majority of data loss is due to friendly hands mishandling data, there is a market for intentionally stolen data. In February, Finjan Inc. reported it had uncovered a database containing more than 8,700 harvested FTP account credentials—including username, password and server address—in the hands of hackers. “The main goal of the cyber criminal today is to access data they can sell online,” says Yuval Ben-Itzhak, CTO for Finjan. “Today, we do not see the types of viruses that used to break PCs and delete files. Instead, we find malicious content that tries to install Trojan horses, keyloggers, etc., with a focus to collect passwords, steal identities, take documents from computers and the like.” The FTP credentials were stolen by just such means. Finjan believes that data protection must also be done at the inbound layer. “We think that it is too late to be scanning for outbound information after a Trojan has started trying to send information out of the network.”

Those stolen credentials came from over 3,000 very large U.S. companies. Once the data is taken, there are auctions on the Web for stolen information, including social security numbers, credit card numbers, and documents. “You can find online auctions for all of these,” says Ben-Itzhak. “We have evidence of auctions that broadcast what is for sale.” Often the hacker may not even take the time to review what he has stolen; he just sells it. It might include details about a product launch or financial details. How much is this data selling for? “Perhaps as little as US$100,” replies Ben-Itzhak. “Just a short time ago documents that had sold for US$200 are now down to US$50. It really just follows economics; the demand and pricing game that we use in our normal life is the same for this market.” So, according to Ben-Itzhak, if there are many people offering stolen credit card numbers, the price goes down. If there are only a few, then it goes up.

Catch Me If You Can

If the auctions are known, then why can’t they be stopped? “When we track, we can see them coming from Europe, Eastern Europe, Asia, and even sometimes from the U.S. They really benefit that the law is local, but the crime is international. They can place a server in one country, have one in another country and do the crime in a third country. This makes it very difficult to shut down,” explains Ben-Itzhak. One of the key contributing factors to this growth, points out Ben-Itzhak, is that everything is digital. This connectedness is what enables the criminals to collect the information.

Businesses need to be wary not only of what is leaking out due to malicious code, but also of the possibility that they themselves are infecting others. “Trusted servers in trusted companies are serving malicious code,” says Ben-Itzhak. “We see Web 2.0 companies and other popular sites, like the Bank of India that was serving 20 million users.” This crimeware only appears where people are. “It is not happening as much in Russia or China, it is happening at sites where people go to be connected to their friends, or get videos, or do business. These are becoming the main target for hackers to compromise the server and include malicious code, and unlike in the past, it is not easily detected. Everything looks exactly the same.”

Are Organizations Aware of the Threat?

Ben-Itzhak sees the awareness of these tactics growing. “As of today, I would say 30 or 40 percent are prepared.” Back when viruses made themselves known, organizations quickly initiated countermeasures. “With this malicious code, it is actually the opposite,” says Ben-Itzhak. It is designed to install itself without being noticed. This means enterprises that have been slower to realize the threat may require an additional layer of protection. “The typical anti-virus solution requires a change in order to protect from this new kind of crimeware,” notes Ben-Itzhak. “Most of what we are seeing easily passes through today’s anti-virus technologies.”