[nsp-sec] Crimeware as a Service (CAAS) - FTP credential swiping
Stephen Gill
gillsr at cymru.com
Fri Feb 29 12:10:37 EST 2008
Storm has been stealing FTP credentials this way for many months now.
As far as iframe goes, there are also toolkits to do this mass injection.
-- steve
On 2/29/08 7:09 AM, "Lawrence Baldwin" <baldwinl at mynetwatchman.com> wrote:
> ----------- nsp-security Confidential --------
>
>
>
> Has anyone seen this?
> http://www.theregister.co.uk/2008/02/27/crimeware_as_a_service/
>
>
> "The service is able to seamlessly infect the websites because it has a
> database containing file transfer protocol usernames, passwords and server
> addresses that are typically used by legitimate webmasters to add, change or
> delete pages. The credentials were most likely stolen by infecting the PCs
> of administrators with keyloggers, Ben-Itzhak said."
>
>
> I believe I had found a command and control server about a week ago that was
> using some kind of technique to acquire FTP credentials. I think they might
> be doing some kind of iframe injection to scrape FTP credentials from
> end-user browsers that accessed the sites. This may be bigger than I
> originally thought given the breadth of high-profile sites Finjan claims
> are owned.
>
> If anyone has insights into this please contact me off list.
>
> Regards,
>
> Lawrence.
>
>
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com