RealTime IT News

Hacked Government and Corporate PCs for Sale

Figure: Sample screen from Golden Cash (Source: Finjan)

It's easier than ever to get access to an unsuspecting PC user's system -- all it takes is money.

According to a new report from security firm Finjan, that's due to the rise of sophisticated trading platforms designed to facilitate the sale of access to hacked PCs for stealing user data, sending spam, and other malicious tasks.

"Criminals have built an eBay that provides everything to the hacker," Finjan CTO Yuval Ben-Itzhak told InternetNews.com. "People are not even aware their computer is controlled and is an asset that one person is buying and another is selling."

Finjan examined in detail a platform called the Golden Cash network and botnet, where criminals sell infected PCs that include government and corporate computers, not just home users' PCs, according to Ben-Itzhak.

He said that one criminal might install scareware on a PC, steal a user's credit card information, and sell the PC to someone else who would install malware that would lurk and steal e-mail accounts, or who would wait until the user logged in to their bank account and steal that, as well.

Then that criminal could sell the PC to a third person, who would use it to send spam.

As a result, users should not assume they're safe even while behind the corporate firewall.

"It's a big mistake," Ben-Itzhak said. "Earlier this year ... we reported a botnet of 2 million PCs [and] there were many government-owned PCs and many PCs of public companies on the list. The assumption that all businesses and governments are using the best antivirus technology and are therefore secure is far from the reality. They have more resources and more people but they also have many more PCs to protect."

A sophisticated market

Finjan reported that a wide variety of nasty things are for sale on the market it studied. The report said that infected PCs are bought and sold in batches of 1,000 computers. Toolkits for hacking are also for sale, as are Web sites that can be used to infect victims.

Some toolkits are used to collect FTP credentials for legitimate sites, according to the report. The report found 100,000 such compromised Web sites.

The price of infected PCs varied from $5 per 1,000 PCs in the Far East (including Hong Kong, Taiwan, Japan, and China) to $100 per 1,000 PCs in Australia.

Making matters worse, the system is easy to use -- like a legitimate e-commerce marketplace, it's designed to facilitate transactions.

Whodunit?

Ben-Itzhak said that it's impossible to be certain who's behind the Golden Cash network. But he said that he believes that it's a Russian group that is either part of or is working with the notorious Russian Business Network (RBN), a group of criminals that may also have government connections and who may have participated in the Russia-Georgia cyberwar.

He said that Finjan identified one server as being used by the RBN but that it did not identify other servers.

Getting more information -- or stopping the threat altogether -- may be tough.

For instance, the network architecture is designed to survive takedown notices, according to Ben-Itzhak. He said that everyone logging into the network went through a proxy server. In theory, if the activity on the proxy server were found and it were taken down, the market would survive intact.

In another strategy to protect the network, Ben-Itzhak said in a blog post last week that criminals had built a list of over 1,000 IP addresses commonly used by major security companies.

"The hacker blacklisted IP addresses of research centers and crawlers used by security vendors," he wrote. "With this approach, the hacker minimizes the risk that a security researcher [located] behind these IPs will access the crimeware toolkit and research it ... This technique allows the malicious code to stay effective for a longer time and continue to infect more PCs as security products will not hold a signature for preventing it."