[nsp-sec] Crimeware as a Service (CAAS) - FTP credential swiping

Lawrence Baldwin baldwinl at mynetwatchman.com
Fri Feb 29 09:09:41 EST 2008
Has anyone seen this?
http://www.theregister.co.uk/2008/02/27/crimeware_as_a_service/


"The service is able to seamlessly infect the websites because it has a
database containing file transfer protocol usernames, passwords and server
addresses that are typically used by legitimate webmasters to add, change or
delete pages. The credentials were most likely stolen by infecting the PCs
of administrators with keyloggers, Ben-Itzhak said."


I believe I had found a command and control server about a week ago that was
using some kind of technique to acquire FTP credentials. I think they might
be doing some kind of iframe injection to scrape FTP credentials from
end-user browsers that accessed the sites. This may be bigger than I
originally thought given the breadth of high-profile sites Finjan claims
are owned.

If anyone has insights into this please contact me off list.

Regards,

Lawrence.