BankInfoSecurity.com - Information Security News, Regulations, & Education

'Crime Server' Found with Thousands of Bank Customer Records

FBI Investigating Breach Affecting 40 Global Institutions
May 7, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.
More than 5,000 customer records from 40 international financial institutions were discovered last month on a computer server in Malaysia.

Dubbed a "crime server" by Finjan, the information security vendor that discovered it, this machine held more than 1.4 gigabytes of business and personal data stolen from Trojan-infected computers. The compromised data, all less than one month old, consists of 5,388 unique log files, comes from around the world and contains information from individuals and businesses alike.

The types of compromised data found on the crime server include user names, passwords, account numbers, social security numbers and credit card numbers. Finjan's chief technical officer Yuval Ben-Itzhak estimates that more than 60 percent of the information on the server was bank customer data. Other information includes compromised patient data, business-related email communications, as well as captured Outlook accounts containing emails.

The crime server was found to be using "command and control" tools to operate crimeware that was executed on the end users' infected computers. The same server was used as a "drop site" for the personal information harvested from the infected computers. The stolen data was then left unprotected on the server, without any access restrictions or encryption, meaning that the data was available to criminals. Ben-Itzhak notes that the compromise of sensitive business and personal data in more than 5,000 cases within a timeframe of less than one month indicates that "The current numbers quoted in the industry reflect only the tip of the cybercrime iceberg."

The server has been taken down, says Ben-Itzhak.

Finjan says it has since discovered two more "crime servers" holding similar information, and both have been turned over to law enforcement for investigation.

So far, the San Jose, CA-based security vendor has contacted 40 major international financial institutions located in the US, Europe and India whose customers' data was compromised. Finjan would not reveal the names of any of the institutions impacted. The Federal Bureau of Investigation and other law enforcement agencies in Germany, France, India, the UK, Spain, Canada, Italy, the Netherlands and Turkey were notified of the information found on the server. The U.S. investigation is in the hands of the FBI. Paul Bresson, spokesperson at the FBI's national press office in Washington, DC, would not comment on the crime server or what it contained. "As a policy we don't discuss information or acknowledge that information was received when investigations are initiated or while an investigation is ongoing," Bresson says.

"The scope and ramifications of this particular incident are staggering," says Viveca Ware, director of Payments and Technology Policy at the Independent Community Bankers of America (ICBA). "It is very unusual to have such a diversity of information available on one server in one location."

"It looks like a one-stop shopping location for criminals to get information," Ware says.

Scope and Scale
Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association, notes that compared to last year's arrest of criminals in South Florida caught with 250,000 credit card numbers (six were arrested after committing $75 million in credit and debit card fraud), the difference is one of orders of magnitude. "The bottom line is data breaches are a fact of life these days and we take every threat seriously," Johnson says.

Johnson says breaches of information such as that found on this crime server are investigated appropriately by law enforcement. The financial services industry has strong mechanisms to get the word out very quickly, such as the Financial Services Information Sharing and Analysis Center, and will vet this threat to determine the need for wider dissemination of the information, he adds. "The process works when it comes to informing affected companies."

As a hands-on security assessor of US financial institutions, Ken Stasiak, CISSP, CISA, CISM, GSEC, and President of Secure State, an information security assessment company in Cleveland, OH, sees this crime server as an evolution of the attack vector used for the past four years: a "bot network" of "zombies" that are used to collect information.

Previously the "zombies" or compromised computers were used in wider denial of service attacks, Stasiak explains. But in this attack, the bots are turned to collecting and uploading information from different businesses and individuals in various countries into this one server. "This is something we haven't seen before. Once on that server, it allows different people (criminals) to come in and browse for different types of data for obviously criminal purposes." The other thing Stasiak notes as different is that "it wasn't a targeted attack. It spanned many industries across different countries. It isn't necessarily targeted at financial institutions, but at the end user."

The open question: Will the individuals or businesses whose data was found on these servers be notified? Chris Soghoian, an independent information security researcher at Indiana University, says breaches are a tough thing for any business to handle. "It's very easy to under-report breaches. The way that state notification laws are written, unless a person's social security number has been breached, in some states it doesn't count as a breach for notification reasons."

One example Soghoian points to is a data breach that happened last year, when 36,000 Indiana University email addresses were stolen and then used to launch phishing attacks against students. "No one was informed of the breach because the university didn't consider email addresses to be confidential, personally identifiable information, even though they were then used in very targeted and very effective phishing attacks," Soghoian notes.

Call to Arms
Ware says the ICBA has advocated to its members for a very long time that it is in their best interest to do as much as possible to ensure that customer and corporate data is secure. "Banks have very stringent regulatory and legal requirements that they have to adhere to when it involves customer data," she says. One of the benefits of having bank examiners is that they are looking at the security of banks' infrastructure.

Markus Jakobsson, Chief Research Scientist at the Palo Alto Research Center, Palo Alto, CA, says no one should be shocked by this discovery. "This kind of news is not a surprise if you think of the commercial value of the data that can be compromised like this."

If the crimeware is custom-made for this attack and tested against commonly used anti-malware services, "the attacker knows that the only thing between him and success is whether his email is believable to the recipient," Jakobsson says.

Studies on Facebook show that more than 70% of people would follow the advice in an email appearing to come from a friend, and a study on socially propagated malware described in Jakobsson's recent book "Crimeware" shows that more than 50% of people will download self-signed executables if a friend endorses them.

Top executives may not be that different, he adds, especially if the email appears to come from their administrative assistant, a business colleague or, as recent attacks support, from the Better Business Bureau. "We have entered an era when security against fraud is not only about technology (whether you use a firewall, etc), nor only about deceit (as it largely was before the conception of the Internet)," he says.

Looking ahead, Jakobsson sees a need for better integration of technology and education. "We will need new and inventive ways to automatically detect and block these socio-technical offenses," he says. "Not an easy task, given that the attack could come from anywhere on earth ... but what choice do we have?"

The research report detailing the findings is in Finjan's latest "Malicious Page of the Month" report, available at http://www.finjan.com/mpom.

Question: What's your reaction to news of the 'crime servers' with thousands of customer records?

This certainly is not surprising since technology has come up with a way to receive information as it goes through airwaves! What is next? Hiding the information from those whose records were compromised is not going to help anyone. If the criminals have discovered the technology to capture this information, why isn't it available to those of us whose systems might be compromised by it?

Why are the thieves so much farther ahead of our financial institutions at getting this information than the banks are at protecting it?

You are always playing catch up rather than being defensive about our information. I believe that it is going to take some class action lawsuits to wake you people up.

A word to the thieves: get in on the movement to sue these places that are losing this information to you. Help the lawyers and cash in on that part, too.

My first question is did the data come from a financial institution or individuals' personal computers? My sense is that it came from personal computers, but that won't stop the media from saying that the financial institutions' systems may have been compromised. How far from the front doors of a brick-and-mortar branch does a bank's responsibility go? I have always struggled with the fact that we have no control over how an individual secures their home computer, but seem to have the responsibility to keep that data safe. I can see a future where a version of NAP is used to ensure that any system getting data from a financial institution, even a customer's, meets a minimum level of patching and anti-virus/malware, and doesn't have any known malicious code running on it. Customers may not like it, but they need to take some responsibility for security, or this problem will never get solved effectively.

We will eventually revert back to the age of no internet usage. As long as there are people out there like this, it threatens those things that were designed to make life easier.

I'm not surprised at all. The main question is: how many others are out there?