More than 5,000 customer records from 40 international financial institutions were discovered last month on a computer server in Malaysia.
Dubbed a "crime server" by Finjan, the information security vendor that discovered it, this machine held more than 1.4 gigabytes of business and personal data stolen from Trojan-infected computers. The compromised data, all less than one month old, consists of 5,388 unique log files, comes from around the world and contains information from individuals and businesses alike.
The types of compromised data found on the crime server include user names, passwords, account numbers, social security numbers and credit card numbers. Finjan's chief technical officer Yuval Ben-Itzhak estimates that more than 60 percent of the information on the server was bank customer data. Other information includes compromised patient data, business-related email communications, and captured Outlook accounts containing emails.
The crime server was detected using "command and control" tools to operate crimeware that was executed on end users' infected computers. The same server was used as a "drop site" for the personal information harvested from the infected computers. The stolen data was then left unprotected on the server without any access restrictions or encryption, meaning that the data was available to criminals. Ben-Itzhak notes that the compromise of sensitive business and personal data in more than 5,000 cases in less than one month indicates that "The current numbers quoted in the industry reflect only the tip of the cybercrime iceberg."
The server has been taken down, says Ben-Itzhak.
Finjan says it has since discovered two more "crime servers" holding similar information, and both have been turned over to law enforcement for investigation.
So far, the San Jose, CA-based security vendor has contacted 40 major international financial institutions located in the US, Europe and India that had customers' data compromised. Finjan would not reveal the names of any of the institutions impacted. The Federal Bureau of Investigation and other law enforcement agencies in Germany, France, India, UK, Spain, Canada, Italy, Netherlands and Turkey were notified of the information found on the server. The U.S. investigation is in the hands of the FBI. Paul Bresson, spokesperson at the FBI's national press office in Washington, DC, would not comment on the crime server or what it contained. "As a policy we don't discuss information or acknowledge that information was received when investigations are initiated or while an investigation is ongoing," Bresson says.
"The scope and ramifications of this particular incident are staggering," says Viveca Ware, director of Payments and Technology Policy at the Independent Community Bankers of America (ICBA). "It is very unusual to have such a diversity of information available on one server in one location."
"It looks like a one-stop shopping location for criminals to get information," Ware says.
Scope and Scale
Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association, notes that, compared to last year's arrest of criminals in South Florida caught with 250,000 credit card numbers (six were arrested after committing $75 million in credit and debit card fraud), orders of magnitude come into play. "The bottom line is data breaches are a fact of life these days and we take every threat seriously," Johnson says.
Johnson says breaches of information such as that found on this crime server are investigated appropriately by law enforcement. The financial services industry has strong mechanisms to get the word out very quickly, such as the Financial Services Information Sharing and Analysis Center, and will vet this threat to determine the need for wider dissemination of the information, he adds. "The process works when it comes to informing affected companies."
As a hands-on security assessor of US financial institutions, Ken Stasiak, CISSP, CISA, CISM, GSEC, and President of Secure State, an information security assessment company in Cleveland, OH, sees this crime server as something that is evolving from the attack vector used for the past four years, a "bot network" or "zombies" that are used to collect information.