Trojan Stealing Amazon, Symantec FTP Info

By Kevin Parrish, published on June 26, 2009 at 4:50 PM
Source: Tom's Guide US | Themes: The Internet

A trojan is collecting FTP information from popular websites such as Amazon, the BBC, Symantec, and more.

Jacques Erasmus, CTO of security tools firm Prevx, says he recently came across the "biggest compromise of its type": a "cybercrime" server to which a trojan is uploading FTP login information captured from infected machines. What makes this particular trojan so spectacular is the source of the credentials it is stealing: Amazon, Monster, McAfee, Symantec, and thousands more high-profile sites, on a list of more than 68,000 entries.

Earlier today, Erasmus told The Register that this type of breach would be bad news for the compromised sites, as hackers could use the stolen logins to upload drive-by download scripts and other harmful applications. The company's initial investigation showed that the FTP information was collected over the past few weeks, and that some of it remains valid. Prevx has already contacted many of the affected organizations, including Bank of America.

Erasmus explained that a variant of the zbot trojan is swiping and uploading the FTP login data to a server hosted in China. The information is stored in plain text and left open for anyone to acquire and use. Although Prevx has filed an abuse complaint against the service hosting the illicit server, Erasmus did not say whether the company has investigated the parties responsible for the theft. He also said that Prevx is currently scanning potentially vulnerable websites for any signs of abnormal activity, but has not found anything dangerous as of this writing.

So where is the trojan getting its source FTP information? "The data is harvested from users' machines, when they get infected," Erasmus told The Register. "A typical scenario might be that a web designer for one of the organizations gets infected, his stored ftp login details get compromised, and so the attacker in this case is able to log in to the ftp site and compromise the website pages."

For now, this is the only information Erasmus and Prevx were willing to offer. Hopefully the company will get things under control before hackers begin to infiltrate major websites. While many organizations have already changed their FTP login information, the fact that some information "remains valid", without any indication of exactly which websites remain vulnerable, is enough to make any Web surfer feel somewhat paranoid.

Comments

Hanin33 06/26/2009 11:14 PM
-3+

security by obscurity only protects the company's interest... not the consumers they deal with. these companies should be outed so that, at least the somewhat intelligent, consumers can decide if they want to continue dealing with the company or not.

eddieroolz 06/26/2009 11:46 PM
-16+

An antimalware company gets its FTP info stolen by a malware. Oh, the irony.

jhansonxi 06/26/2009 11:51 PM
-1+

eddieroolz:
An antimalware company gets its FTP info stolen by a malware. Oh, the irony.

They didn't "steal" the info. They just made up their own license to "use" the info. :D

Anonymous 06/28/2009 5:59 PM
-2+

We've also seen numerous cases of PCs infected with a virus that sniffs the outbound FTP traffic. Since FTP transfers all data, including usernames and passwords, in plain text, this virus captures that data along with the IP address, sends it to a server in the UK and then carries out its website infection injection attack.

We've been recommending that people use either SFTP or FTPS since these 2 protocols encrypt all their data making sniffing much more difficult (some say impossible). If your website is on a *nix box, SFTP is easy as you can use WinSCP and do FTP over SSH. If you're on a Windows box, you'll have to ask your hosting provider about FTPS.
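The commenter's point is that plain FTP puts the USER and PASS commands on the wire unencrypted, whereas FTPS (explicit, via AUTH TLS) and SFTP do not. The following is an added example, not code from the article, Prevx or the commenter: a small detector that scans a constructed text capture of FTP control-channel lines and reports every login whose credentials were visible in cleartext. The line format ("<time> <src>-><dst> <C|S> <payload>") is an assumption made for the example, and the IP addresses and credentials in the sample are constructed. It handles two edge cases a real monitor needs: a session that successfully negotiates AUTH TLS before logging in produces no finding, and a session whose AUTH TLS request the server rejects, followed by a cleartext login, is flagged as a downgrade to cleartext. Passwords never appear in the report, only their length.

```python
"""Flag FTP logins whose credentials crossed the network in cleartext.

Added example for illustration (not from the article or the commenters).
Input is a constructed text capture of FTP control-channel traffic, one
line per command or reply:  "<time> <src>-><dst> <C|S> <payload>"
where C is client->server and S is server->client.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)->(?P<dst>\S+) (?P<dir>[CS]) (?P<payload>.*)$"
)

# Constructed sample (addresses and credentials are made up). Three sessions:
#  A: plain FTP login that succeeds  -> must be reported, marked as valid creds
#  B: AUTH TLS accepted (234), login happens inside TLS -> nothing to report
#  C: AUTH TLS rejected (502), client falls back to cleartext -> downgrade
SAMPLE_CAPTURE = """\
12:00:01 10.0.0.5:51000->203.0.113.10:21 S 220 FTP server ready
12:00:01 10.0.0.5:51000->203.0.113.10:21 C USER webdesign
12:00:02 10.0.0.5:51000->203.0.113.10:21 S 331 Password required
12:00:02 10.0.0.5:51000->203.0.113.10:21 C PASS hunter2
12:00:03 10.0.0.5:51000->203.0.113.10:21 S 230 Login successful
12:00:03 10.0.0.5:51000->203.0.113.10:21 C STOR index.html
12:01:00 10.0.0.7:51001->203.0.113.11:21 S 220 FTP server ready
12:01:00 10.0.0.7:51001->203.0.113.11:21 C AUTH TLS
12:01:01 10.0.0.7:51001->203.0.113.11:21 S 234 Proceed with negotiation
12:01:01 10.0.0.7:51001->203.0.113.11:21 C <encrypted>
12:02:00 10.0.0.9:51002->203.0.113.12:21 S 220 FTP server ready
12:02:00 10.0.0.9:51002->203.0.113.12:21 C AUTH TLS
12:02:01 10.0.0.9:51002->203.0.113.12:21 S 502 Command not implemented
12:02:01 10.0.0.9:51002->203.0.113.12:21 C USER admin
12:02:02 10.0.0.9:51002->203.0.113.12:21 S 331 Password required
12:02:02 10.0.0.9:51002->203.0.113.12:21 C PASS s3cret
12:02:03 10.0.0.9:51002->203.0.113.12:21 S 530 Login incorrect
"""


@dataclass
class Session:
    """Per-connection TLS state and the USER awaiting its PASS."""
    tls_requested: bool = False   # client sent AUTH TLS/SSL, reply pending
    tls_active: bool = False      # server accepted; later lines are ciphertext
    tls_rejected: bool = False    # server refused; any login now is a downgrade
    pending_user: Optional[str] = None


@dataclass
class Finding:
    session: str
    time: str
    user: str
    password_length: int          # length only; the secret is never stored
    login_succeeded: bool = False
    after_tls_rejection: bool = False


def find_cleartext_logins(capture: str) -> List[Finding]:
    """Return one Finding per USER/PASS pair sent outside a TLS session."""
    sessions: Dict[str, Session] = {}
    last_finding: Dict[str, Finding] = {}
    findings: List[Finding] = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a control-channel line in the expected format
        key = f"{m['src']}->{m['dst']}"
        s = sessions.setdefault(key, Session())
        payload = m["payload"].strip()
        if m["dir"] == "C":
            if s.tls_active:
                continue  # everything after a successful AUTH TLS is encrypted
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                s.tls_requested = True
            elif verb == "USER":
                s.pending_user = arg
            elif verb == "PASS" and s.pending_user is not None:
                f = Finding(key, m["ts"], s.pending_user, len(arg),
                            after_tls_rejection=s.tls_rejected)
                findings.append(f)
                last_finding[key] = f
                s.pending_user = None
        else:
            code = payload[:3]
            if s.tls_requested and code == "234":
                s.tls_active = True
            elif s.tls_requested and code.startswith("5"):
                s.tls_requested, s.tls_rejected = False, True
            elif code == "230" and key in last_finding:
                last_finding[key].login_succeeded = True  # creds confirmed valid
    return findings


def summarize(f: Finding) -> str:
    """One alert line per finding, with the password redacted."""
    status = "VALID" if f.login_succeeded else "rejected"
    downgrade = " after AUTH TLS was refused (downgrade)" if f.after_tls_rejection else ""
    return (f"{f.time} {f.session}: cleartext FTP login user={f.user!r} "
            f"password=<{f.password_length} chars> [{status}]{downgrade}")


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_CAPTURE):
        print(summarize(finding))
```

A session flagged VALID is the case the article describes: the credentials still work, so rotating them and reviewing the site for modified pages should come first. The downgrade case is worth its own alert because a client that silently falls back to plain FTP when the server refuses AUTH TLS gives a false sense of being on FTPS.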
