Massive fraud server exposed

A server discovered in June contained 50GB of stolen user account and financial details, including 9,000 bank and credit-card account credentials and 463,582 user account passwords, according to a report published at the Black Hat conference last week.

The server appeared to have been the central control point for Coreflood, a password-stealing Trojan and botnet that had been quietly infiltrating corporate networks since 2001, according to Joe Stewart, director of malware research for security firm SecureWorks, which co-operated with Spamhaus in shutting down the server.

In a presentation at Black Hat in Las Vegas last week, Stewart said an analysis of scripts left behind on the server indicated that the 50GB of material represented about one-quarter of the details that had been harvested, the rest having been deleted.

Coreflood has been known to security researchers for some time, but the broad scope of its operations has only come to light in recent weeks. In July, SecureWorks found that Coreflood, which began as a simple password-stealing Trojan, had added the ability to infect entire networks via a single administrator user account.

The Trojan poses more of a threat than more aggressive worms such as Storm, in part because its activities are practically invisible, Stewart said in the report. "Coreflood has managed to stay under the radar pretty effectively since 2004, with very few details available online about its activity in that time," he noted.

The botnet is still active, with its operators apparently having moved their base of operations from Wisconsin to Russia, Stewart said.

Of the usernames and passwords found on the server, 8,485 were for banks or credit unions, 3,233 were for credit cards and 151,000 were for email accounts. Other password types included online retailers, share-trading accounts, online payment processors, mortgage lenders and payroll processors.

Among the organisations compromised were a major US university hospital, with nearly 5,000 infected machines, a county school system, with 31,000 infections, a hotel chain, with more than 14,000 bots, and mortgage, pharmaceutical, oil and chemical companies. The Trojan also infected a US state policy agency.

Stewart emphasised the meticulousness with which the attackers compromised networks. The Trojan spreads via drive-by downloads from infected websites, rather than more obvious emails or instant messenging messages and, once a user with administrative access to a network domain was compromised, the attackers used this access to spread to an entire domain.

The attackers did not rely on zero-day attacks, Stewart said. Instead, they used older exploits and were able to invade systems that had not been kept up to date with patches.

They used the server to verify the validity of bank-account information and, in one subdirectory, SecureWorks found information on 740 stolen accounts from a single financial institution. Those that had been tested for validity held an average of US$4,553.74 in savings and US$2,096.31 in their current account, based on which all 740 accounts could have held a total of more than US$2.5m, Stewart said.