In this post we will show how sensitive information about more than 300,000 websites is easily accessible on the Internet. This sensitive information is related to the file system, user names and other critical information which could be used to compromise the security of websites.

What Type of Data is Leaked?
This post focuses on the immense problem of data leakage and how it affects thousands of websites on the Internet today. Data leakage from websites can be categorized in two major groups.

• User information: Data related to transactions such as credit card information, user information like site subscriber email(s), etc.
• System information: Data related to ownership of a site, system level details such as Operating System vulnerabilities, and web application vulnerabilities, all of which can help a malicious hacker break in easily.

Unfortunately, it is extremely easy to identify system information, as we show next.

How is the Data Leaked?
A popular and widely deployed FTP client, WS_FTP makes it extremely easy to transfer files using FTP. One drawback of using this popular piece of software is that it usually creates a log file. Most administrators using this software may not pay attention to this default behavior. These log files contain sensitive information such as file source and destination, file name, date and time of upload and more.

More importantly administrators do not realize that when they upload files using this software to their websites, this log file is uploaded and made publicly available. This is the starting point for a malicious hacker gain sensitive information about a website. This issue has been well-known for years now, yet it continues to be pervasive. [1] [2]

To identify websites with this type of data leak on the Internet, one only needs to use the below search term in a popular search engine.

inurl:WS_FTP.LOG

This type of data leak is even present on a very large American news network’s website.

100.02.01 15:28 B L:\content\interactive\virtual\.HSancillary --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual .HSancillary
100.02.01 15:28 B L:\content\interactive\virtual\360.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual 360.txt
100.02.01 15:28 B L:\content\interactive\virtual\3d.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual 3d.txt
100.02.01 15:28 B L:\content\interactive\virtual\champagne.buying.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual champagne.buying.txt
100.02.01 15:28 B L:\content\interactive\virtual\champagne.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual champagne.txt
100.02.01 15:28 B L:\content\interactive\virtual\elex.features.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual elex.features.txt
100.02.01 15:28 B L:\content\interactive\virtual\hurricane.info.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual hurricane.info.txt
100.02.01 15:28 B L:\content\interactive\virtual\prim.polls.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual prim.polls.txt
100.02.01 15:28 B L:\content\interactive\virtual\prim.results.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual prim.results.txt
100.02.01 15:28 B L:\content\interactive\virtual\town.meeting.txt --> bolivia.[scrubbed].com /www/[scrubbed]/interactive/virtual town.meeting.txt

Data Leaked from the WS_FTP Log
What can we tell from the information in the logs?

• Usernames and Logins
• Website names
• IP of the websites from the Website names
• Host name
• IP of the server from the Host name
• Directory structure on the server side
• Directory structure on the client side

How to Mitigate the WS_FTP Data Leak?
Prevent the log file from being created:

1. Click [Options]
2. Click [General]
3. Uncheck [Enable log]

Conclusion
It is clear that data leakage is a big problem on the Internet. Popular software like WS_FTP allows sensitive information to be leaked unwillingly, helping a malicious hackers to break in. More than 6,600 benign websites are compromised everyday, don’t let your website be one of them. For more information about how we can help you, please feel free to visit our services page.

In this article we show that, unlike what you might think, the credit card black-market operates very much in the open. Below we point out websites, which can be used to tap into the cyber black-market and find stolen credit card numbers and the associated credentials to purchase for any purpose they desire. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.

We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL lead to a web page where cyber-criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.

The data for this article was collected between February 27th and March 2nd, 2010.

Basic Credit Card Information Offers:

Usually consists of credit card number, type, expiration date and CVV.

USA & CANADA CCV2

VISA/Mastercard ~ 2USD/each
AmEX/Discover   ~ 4 USD/each

UK & WU CVV2

VISA/Mastercard ~ 3USD/each
AmEx/Discover   ~ 5USD/each

Premium Credit Card Information Offers:

Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.

USA & CANADA CCV2

VISA/Mastercard ~ $35/each

UK & EU

VISA/Mastercard ~ $40/each

ACCOUNT INFORMATION:
First Name: xxxxx
Last Name: xxxxx
Address: xxxxx xxxxx xxxxx xxxxx
Apt:
City: Homestaed
State: FL
Zip: xxxxx
Home Phone: (xxxxx)xxxxx-xxxxx
Work Phone: (xxxxx)xxxxx-xxxxx
Email: xxxxx@yahoo.com
SSN: xxxxx-xxxxx-xxxxx
License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
License State: FL
DOB: 09/xxxxx/xxxxx

PAYMENT INFORMATION:
Credit Card Type: VISA
Number: xxxxxxxxxxxxxxx
CCV: 889
Expiration Date: 11/2008
Name: xxxxx xxxxx
Card Name First: xxxxx
Card Name Last: xxxxx

PayPal Information Offers:

Verified account                 ~ 20USD/each
Verified account with email pin  ~ 25USD/each
Verified acccount with full info ~ 35USD/each
unverified account               ~ 10USD/each

Some domains host multiple instances of stolen Credit Card Ads, (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.

Frequency of CC-Ads on each unique domain.

Interesting Highlights:

• None of the websites advertising stolen credit card data were blacklisted by Google’s Safe Browsing List. This could potentially indicate that cyber criminals are conscientious of not discouraging visitors to these sites.
• Cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services.
• Some cyber criminals have used images to provide quotations [img].
• Yahoo.com seems to be the email and instant messaging service preferred by cyber criminals.
• Nearly 75% of sites with CC-Ads are located in the US (see graph below).

IP Geo-location for websites with CC-Ads.

Conclusion:

It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, in some cases phone numbers and other credentials in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely in the Internet.

Editor’s Note: We are providing a limited list of sites as an example of the brash lawbreaking behavior of these cyber criminals. We believe it is important for the purpose of this article that the reader be able to verify our statements. Additionally, we believe that consumer awareness of the problem can only serve to reduce the ease with which these criminals operate.

Forums used to buy and sell stolen credit card information:

*hxxp://ghostmarket.net
*hxxp://gayatheists.2.forumer.com
*hxxp://www.pakbugs.com/sell
*hxxp://forums.lava-carding.com
*hxxp://www.offcarding.forums-free.com
*hxxp://hack0rz.forums-free.com
*hxxps://security-shell.ws
*hxxp://silverspam.net
*hxxp://sellcvv2.forums-actifs.com

Various instant messenger credentials [1] [2] [3] used by cyber criminals:

People who interacted with “ubuntu_kana” (Yahoo messenger):

• ahmadshrief11@yahoo.com, davidlindon1@gmail.com, frankykkk@yahoo.com, suzannasuro@gmail.com, alexgenieve@hotmail.com, dave3331@gmail.com, ccvhack21@yahoo.com, trungtuyen68@yahoo.com, XUAN_CCS@YAHOO.COM, niklasjulius@rocketmail.com, boy_magnanimous@yahoo.com, FRESH_HACK2002@YAHOO.COM, vic.sell@yahoo.com

People who interacted with “peeseller” (Yahoo messenger):

• aloopapa@yahoo.com, dumpsfresh@yahoo.com, ug.tsunami@yahoo.com, sellrep@yahoo.com,

People who interacted with “bagiabancc” (Yahoo messenger):

• WorkusaJob@yahoo.com, david_cuong_85@yahoo.com, salulynho@yahoo.com, vang_kiban@yahoo.com, pro.cv2er@gmail.com, pro.cv2er@hotmail.com