Finjan uncovered an operation that is using specialized tools to steal and market FTP logon credentials. Some of those credentials belong to servers operated by prominent companies whose sites are among the top 100 to top 500 sites in terms of traffic.
According to the company's Malicious Page of the Month report (MPOM), the company examined a server that was running NeoSploit 2, a Web-based exploit distribution platform. During the investigation, the company discovered a specialized backend application that is being used to market stolen FTP credentials.
Finjan said the application can gauge the prominence of the FTP site by using search engine queries to determine page rankings. The more prominent the site, the higher the price charged when selling the credentials.
The company said that while there was no evidence that the credentials were actually used by the people behind the operation, many mainstream sites have been used to launch attacks upon Web users, and the two issues could be directly related.
In its MPOM report the company wrote, "Among the stolen accounts are highly respected organizations, such as government, financial services, leading suppliers in the technology industry and even prominent security vendors." The vast majority of the stolen accounts belong to entities in the United States. A large number of accounts also belong to Russian entities, and entities in at least a dozen other countries were also affected.
The MPOM report goes on to detail the inner workings of NeoSploit 2, which is believed to be widely used and is marketed as "software as a service."
"Software-as-a-Service has been evolving for sometime, but until now, it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant 'solution' to their 'problem' of gaining access to FTP credentials and thus infecting both the legitimate websites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button," said Yuval Ben-Itzhak, CTO of Finjan.