Threat Management, Incident Response, TDR

Researcher finds server with stolen FTP credentials

Updated on Friday, Oct. 3 at 6:04 p.m. EST

An Israeli researcher has uncovered a criminal server containing the FTP account credentials for nearly 100,000 legitimate websites across 86 countries, including the U.S. Postal Service and several universities here.

Ian Amit, director of security research at Aladdin Knowledge Systems, told on Friday that while researching the Neosploit crimeware tookit, he came across a massive deposit of website credentials.

"It opened up Pandora's Box in terms of realizing how criminals work and what data they were processing," he said.

The data – believed to belong to three criminal groups – is likely being used to allow criminals to compromise legitimate websites with malware developed by the Neosploit kit.

"The user would browse to the website," Amit explained. "He would get the content he was supposed to get. But in the background, the [malicious code] that resides on the content of the website would exploit a set of vulnerabilities on the user's browser, and once successful, it would [install] a trojan.

Alternatively, some of the credentials, such as those belonging to the postal service, led to non-web files, including Word documents, Amit said.

Of the 200,000 credentials the criminals were storing, the criminals deemed 107,000 to be valid and some 80,000 led to web content, he said. More than 60 percent were associated with web servers in Europe, but many U.S. organizations were victimized, including the University of Pennsylvania's Wharton School and the University of Southern California.

The fraudsters, who likely stole the credentials through phishing scams, covered their tracks by hiding behind a number of servers.

Amit said he has informed authorities in 86 nations, including US-CERT.

However, Amy Kudwa, a U.S. Department of Homeland Security spokeswoman, which oversees US-CERT, said the agency has no knowledge of the incident.

"We've not been contacted on this issue," she told on Friday.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.