Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones

"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people — and it is only the tip of the iceberg, they say.

Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say the actual number of these servers is much more.

"With our limited amount of machines, we found more than 300 dropzones, and we covered only two families of banking Trojans. In total, there are presumably many more," says Thorsten Holz, one of the researchers and a founder of the German Honeypot Project. The researchers were studying what they call "impersonation attacks," where victims' credentials are stolen so that the attacker can impersonate them.

The researchers basically traced the steps of specific keyloggers and banking Trojans between April and October 2008. One-third of the machines infected by this data-stealing malware are in Russia or the U.S., according to the researchers. Overall, the 170,000 victims whose data they discovered in the dropzones were from 175 different countries.

They discovered a total of 10,775 bank account credentials, including passwords and bank account details that the victims would enter during a regular transaction. They also found more than 5,600 credit card accounts and tens of thousands of passwords for various sites." – Darkreading

From the paper

"We study an active underground economy that trades stolen digital credentials. We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces."

Paper Link: http://honeyblog.org/junkyard/reports/impersonation-attacks-TR.pdf
Darkreading article: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212501236