Researchers at security vendor Finjan, who recently uncovered several unprotected hacker servers containing the sensitive email and Web-based data of thousands of people, demonstrated how easy it is to find the data using Google.
By using a simple string of search terms the researchers were able to find stolen passwords and usernames, Social Security numbers, and even the usernames and passwords of internal databases of companies all stored in Google's public caching server.
Google returns the results based on log files available on the unprotected servers. The servers stored stolen data collected by Trojan horses running on infected end-user PCs, Ayelet Heyman, a researcher at Finjan's Malicious Code Research Center, said in Finjan's Malicious Code Research Center blog.
"Google just indexed these log files as they do with any other public file on the Web," Heyman said. "It's not a hoax as some people wrote; it's 100% harsh reality."
It's not the first time the search engine giant was used to uncover sensitive data or common security flaws in websites. Penetration tester Johnny Long was the first to make headlines explaining ways to turn Google into a malicious tool. Long's website has a Google hacking database. Tom Bowers, managing director of Allentown, Pa.-based Security Constructs LLC has also warned that IT professionals must learn how hackers use search engine queries to ensure sensitive data doesn't end up on the public caching servers.
Heyman urged people not to blame Google for caching the stolen information. Google indexed the log files on the server as they do with any other public file their crawlers find on the Web, Heyman said.
In April, Finjan announced that it had discovered an unprotected server and others used as a drop site for the AdPack exploit toolkit. The server wasn't encrypted and no authentication was used to access it.
Yuval Ben-Itzhak, Finjan's chief technology officer, said more and more stolen data is turning up on popular search engine caching servers. The increase in sensitive data on search engine servers is likely due to the easy availability of crimeware toolkits such as NeoSploit, MPack, and AdPack. The toolkits make it easy for a novice to quickly find an unused server and begin stealing data.
"The whole idea for selling these toolkits is to provide to people who are not security experts and do not have a computer science background," Ben-Itzhak said. The management features enable the criminal to use social engineering tactics and target a country or IP, or even by log types, he said.
The researchers discovered sensitive information from Microsoft Outlook accounts including mail and personal folders, calendar, public folders and contacts. A mountain of healthcare information was also discovered, including personal data, health data, treatment, medications, insurance details, Social Security Numbers, and healthcare providers' data, including the physician's name. Banking data, including credit card numbers and account login numbers were also discovered on the server.
Businesses are also not immune. A large chunk of business data was discovered, including network folders and business contacts. Personnel files and business files marked confidential were also stolen using a Trojan. One message revealed details about an upcoming court case, while a few others contained business financial data such as invoice information.
The Finjan researchers said they notified more than 40 major international financial institutions located in the United States, Europe and India whose customers were compromised as well as various law enforcement agencies.