Researchers at security vendor Finjan uncovered a server holding the stolen email and Web-based data of thousands of people, including healthcare records, credit card numbers, business personnel documents and other sensitive material.
The server contained over 1.4GB of email and web-based data. In all, the data consisted of 5,388 unique log files traced back to 5,878 distinct IP addresses.
Finjan said the server was a drop site for the AdPack exploit toolkit. The hacker controlling the server did not encrypt the stolen data and left the server itself open to anyone who found it, which is how the researchers were able to read its contents.
"It shows that you don't have to be highly knowledgeable to use these toolkits," said Yuval Ben-Itzhak, Finjan's chief technology officer. "The whole idea of selling these toolkits is to provide them to people who are not security experts and do not have a computer science background."
Like other crimeware toolkits such as NeoSploit or MPack, the AdPack toolkit has a very intuitive interface, Ben-Itzhak said. Its management features let the criminal single out specific groups of victims, targeting them by country, by IP address or even by the type of log collected, he said.
Cybercriminals found it easy to access whole Outlook accounts including mail and personal folders, calendar, public folders and contacts, Ben-Itzhak said. The crimeware used by the hacker was able to capture screenshots of the victim's desktop and upload them to the server.
Since the initial discovery, three more servers holding unprotected sensitive data have been found, Ben-Itzhak said.
"This indicates that the person running it is interested in the data and the money, but probably has no clue about how to secure the server and how to protect the data from being accessed by others," he said.
Finjan notified more than 40 major international financial institutions in the United States, Europe and India whose customers' data was found on the server, as well as law enforcement agencies around the world.
Ben-Itzhak said the server logs contained a mountain of healthcare information, including personal data, health data, treatment details, medications, insurance details, Social Security numbers and healthcare provider data such as physicians' names. Because the data fell under HIPAA, Finjan informed the FBI of the discovery.
"I think that the fact that medical data was stolen from doctors' PCs using Trojans means there's still work to do," Ben-Itzhak said. "There are still security measures that need to be implemented."
Other data included personnel files and business files marked confidential. One message revealed details about an upcoming court case, while a few others contained business financial data such as invoice information. Banking data, including credit card numbers and account login details, was also found on the server, Ben-Itzhak said.
In one example, the cybercriminals gained access to a large chunk of business data, including network folders and business contacts. They also had access to the company's shipment information, retirement plans and invoices, Ben-Itzhak said.
"These criminals are not just targeting credit cards and the individual's identity, they're targeting real business data," Ben-Itzhak said. "It's not just a technical problem anymore of a broken application that the IT department has to fix, it's a real business issue here that someone is monitoring your activity."