Study Finds Hundreds of Stolen Data Dumps
Steve writes "SecurityFix reports that a group of researchers from Germany published a study in which they analyzed several hundred so-called 'drop zones,' i.e. anonymous collection points of illicitly collected data stolen with the help of keyloggers. 'Their findings, which drew from stolen data harvested from these drop zones between April and October 2008, were staggering: 33 gigabytes worth of purloined data from more than 170,000 victims. Included in those troves were more than 10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials. [...] Using figures from Symantec's 2007 study on the prices that these credentials can fetch at e-crime bazaars, the researchers estimate that a single cyber crook using one of these kits could make a tidy daily income. The full report [PDF] contains some more interesting details.'"
Yep. We're vulnerable. (Score:5, Insightful)
I've often thought that, over the ~15 year span that I've been surfing the web, I opened up way too many accounts. I've forgotten most of them, and yet my name and address still sit there in the databases just waiting to be hacked (or sold).
Re: (Score:3, Funny)
Indeed.
However I don't really mind that they sell all info regarding Mr. X Smith, who currently lives in n123 Candy st. / Magicland.
Re:Yep. We're vulnerable. (Score:5, Funny)
I feel sorry for bob@aol.com, the real resident of 123 Fake street, and the unlucky person who got the telephone number 01234567890
Re:Yep. We're vulnerable. (Score:5, Funny)
Hey! Those are BOTH ME, you insensitive clod!
-- Bob <bob@aol.com>
(012) 345-6789
Re: (Score:2)
Dave Null,
127, Loopback Lane
Alaska
Re: (Score:3, Funny)
Personally, I quite like the irony of the Winsock Error one.
Re: (Score:2)
Michael T. Maus
1675 N Buena Vista Dr. [google.com]
Lake Buena Vista, FL 32830
Re:Yep. We're vulnerable. (Score:4, Informative)
the unlucky person who got the telephone number 01234567890
That's a real telephone number in the UK. It would be allocated to someone in/near Bedford (01234). Possibly this private hospital [ramsayhealth.co.uk] (which is in Essex, but the company office given at the bottom of the screen is in Bedford).
Re: (Score:1)
In case you don't know the significance of that number: http://en.wikipedia.org/wiki/867-5309/Jenny [wikipedia.org]
Re: (Score:2)
"Damn you Tommy Tutone!"
Re: (Score:1, Funny)
That's why all of my passwords are "wasd123"
Not your slashdot password...
Re: (Score:2)
Holy shit! We're in trouble! It's probably in the phone book and all manner of public records too!
Re: (Score:2)
Yeah but phone books don't include my credit card numbers as some of the Web accounts do.
Re: (Score:2)
If these are old, the numbers won't be valid any more...
At least with a UK card number, every issue of the card ends in a different set of digits (last 6?)
Re:Yep. We're vulnerable. (Score:4, Informative)
It's been my experience that in the US, the number will stay the same, but the 3 digit validation number will change, as will the expiration date - both of which are needed for doing online transactions.
Re: (Score:2)
While you're right, that's not the point here. This is about you logging into your email, ebay, online banking etc while a trojan is logging your keystrokes.
And it's not even like this could not be cured. There are ways to prove that you're the rightful owner of the account without transmitting credentials in a way that someone intercepting them can fake being you. The simplest to implement would be giving the user a huge list of credentials and asking him only for parts of it, randomly. There are more eleg
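An added illustration of the scheme sketched above (the user holds a long list of one-time codes and is asked for a random subset at each login). This is not code from the paper or from the commenter; every name in it (issue_code_list, PartialCredentialServer, demo_replay) is hypothetical. The point it shows is that positions which have been typed once are never asked for again, so the codes a keylogger captured do not open the account at the next login.

```python
"""Added example of a partial-credential login: the server knows a long
list of one-time codes, asks for k random positions per login, and burns
positions once they have been typed.  Hypothetical names throughout."""

import hmac
import random
import secrets


def issue_code_list(n, rng=None):
    """Build the list handed to the user out of band (e.g. a printed card).
    Codes are forced unique so no position is interchangeable with another.
    rng is only for reproducible tests; the default is the OS CSPRNG."""
    gen = rng or secrets.SystemRandom()
    codes, seen = [], set()
    while len(codes) < n:
        code = "%06x" % gen.getrandbits(24)
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes


class PartialCredentialServer:
    """Server side: holds the whole list, asks for k positions per login."""

    def __init__(self, codes, k=3, rng=None):
        self.codes = list(codes)
        self.k = k
        self.used = set()
        self.rng = rng or secrets.SystemRandom()

    def remaining_logins(self):
        """How many more challenges can be issued before the list runs out."""
        return (len(self.codes) - len(self.used)) // self.k

    def challenge(self):
        """Pick k positions that have never been asked for before."""
        fresh = [i for i in range(len(self.codes)) if i not in self.used]
        if len(fresh) < self.k:
            raise RuntimeError("code list exhausted; issue a new one")
        return sorted(self.rng.sample(fresh, self.k))

    def verify(self, challenge, response):
        """Compare every typed code in constant time (no early exit); on
        success the positions are burned, since anything typed may have
        been logged."""
        if len(response) != len(challenge):
            return False
        results = [hmac.compare_digest(self.codes[i].encode(), str(r).encode())
                   for i, r in zip(challenge, response)]
        ok = all(results)
        if ok:
            self.used.update(challenge)
        return ok


def user_answers(codes, challenge):
    """The legitimate user reads the requested positions off their list."""
    return [codes[i] for i in challenge]


def demo_replay(seed=1):
    """One honest login, then an attacker replays the keylogged codes
    against the next challenge.  Returns (honest_ok, replay_ok)."""
    rng = random.Random(seed)
    codes = issue_code_list(50, rng)
    server = PartialCredentialServer(codes, k=3, rng=rng)

    chal1 = server.challenge()
    typed = user_answers(codes, chal1)       # exactly what a keylogger sees
    honest_ok = server.verify(chal1, typed)

    chal2 = server.challenge()               # attacker logs in later
    replay_ok = server.verify(chal2, typed)  # different positions are asked for
    return honest_ok, replay_ok


if __name__ == "__main__":
    print(demo_replay())                     # (True, False)
```

The caveat a practitioner would add: a keylogger that stays resident still learns k fresh codes per login, so the list is finite and must be reissued, and the scheme only defeats replay, not a trojan that rides the live session after the user has authenticated.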
And a.... (Score:2, Funny)
"10,700 online bank account credentials, 149,000 stolen e-mail credentials, 5,682 credit card numbers, and 5,712 sets of eBay credentials."
*sings* And a partridge in a pear tree...
And the rest of us pay (Score:1)
Of course anyone might become a victim of these types of things, but the probability of someone becoming a target is greatly influenced by the really basic security things to do.
In many other types of things it is the stupid (i.e. the one not taking care of their own part) who pays, but unfortunately in most of these types of things it is the bank or other institution that has to bear the costs, which then get spread out over everyone.
Thus there really should be some sort of competence required
New consumer kits out soon! (Score:1)
Re: (Score:3, Informative)
Profile pages could have just been saved wholesale rather than text files?
Or perhaps it's all in a huge database with a searchable index.
what would that matter? Eats up space ... (Score:2)
It wouldn't matter to these people because:
They are working as optimized as any respectable server administrator or programmer would think like; maximize the required information
Re:How are they storing this data? (Score:5, Funny)
Raw data from keyloggers? :)
I think gamers can quickly fill up 138kB with lots of w,s,a and d keypresses
Re:How are they storing this data? (Score:4, Funny)
Hahaa! That's why I use asdfasfd as my online banking password.
New Passwords (Score:3, Funny)
>Modern keyloggers use algorithms and/or regex to find certain data like credit card numbers or email addresses and some even specifically filter out "wasd" patterns.
Then make all your passwords "wasd" derivatives!
Re: (Score:2)
Well at least they'd compress really effectively...
victims of stupidity (Score:1)
Many of the victims of these sorts of things are victims of their own stupidity or greed.
If a normal person gets an email letting them know they have a problem with their bank account, with a bank they don't bank with, in a country they don't live in, where the bank is asking for their card details to make sure they are fine... said person would delete the email and do nothing more about it. People who get scammed will send off their card details thinking "ohh, the bank of america opened an account for me" or
Re: (Score:2)
Well, personally I've found out about actual bank accounts I didn't know about. However, that's always by mail (snail) and they never ask for any details.
They usually go either like "You haven't touched this account in our bank for years, we'd recommend you going past our local bank office and going through it"
or "We've closed this empty inactive account, thank you for your time"
I think I played this on the C64 (Score:2)
left behind (Score:1)
They took a lot of dumps! (Score:2)
Don't take one of mine!
Interesting... (Score:2)
Assuming that each record is unique, a potential total of 171,094 records, and about 192.876KB per record.
That's a lot of data for each record... And if these are just credentials, such as account numbers, user IDs, passwords, security questions, this is a passably HUGE amount of data being claimed.
I suspect there is a lot of duplication out there. We know of 33GB, but how much is the same lame accounts re-listed and re-sold over and over?
While 171k+ of accounts isn't nothing, I'm disappointed they didn't
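An added example, not code from the paper or from any of the comments, that ties together two points made in this thread: the "New Passwords" post quotes keyloggers filtering their output by pattern (card numbers, e-mail addresses, dropping "wasd" noise), and the post above asks how much of the 33 GB is the same accounts listed over and over. The sample dump, its [TAB]/[ENTER] marker format and the function names (triage, luhn_ok) are all constructed here; real drop-zone formats vary.

```python
"""Added example: pull e-mail addresses and Luhn-valid card numbers out of
raw keylogger text, drop noise lines, and report how much of the dump is
duplicate records.  SAMPLE_DUMP and its marker format are constructed."""

import re

# Constructed sample: gamer noise, one banking session logged on two days,
# and one mistyped card number.  [TAB]/[ENTER] stand in for special keys.
SAMPLE_DUMP = """\
[2008-09-12 21:03] wasdwasdwwwwaaassddd wasd wasd
[2008-09-12 21:07] alice@example.net[TAB]hunter2[ENTER]
[2008-09-12 21:08] 4111 1111 1111 1111[TAB]12/09[TAB]123[ENTER]
[2008-09-13 09:15] alice@example.net[TAB]hunter2[ENTER]
[2008-09-13 09:16] 4111 1111 1111 1111[TAB]12/09[TAB]123[ENTER]
[2008-09-14 18:40] bob@example.org[TAB]s3cret[ENTER]
[2008-09-14 18:41] 4111 1111 1111 1112[TAB]01/10[TAB]456[ENTER]
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TIMESTAMP_RE = re.compile(r"^\[[^\]]*\]\s*")


def luhn_ok(digits):
    """Mod-10 check that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def triage(dump):
    """Return counts and the extracted identifiers from a raw keylog dump."""
    records, unique = 0, set()
    emails, cards, rejected = set(), set(), set()
    for line in dump.splitlines():
        body = TIMESTAMP_RE.sub("", line).strip()
        if "[TAB]" not in body:
            continue                      # no form field separator: game/chat noise
        records += 1
        unique.add(body)                  # same keystrokes on a different day
        emails.update(EMAIL_RE.findall(body))
        for run in CARD_RE.findall(body):
            pan = re.sub(r"[ -]", "", run)
            (cards if luhn_ok(pan) else rejected).add(pan)
    return {
        "records": records,
        "unique_records": len(unique),
        "emails": sorted(emails),
        "cards": sorted(cards),
        "rejected": sorted(rejected),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(key, value)
```

On the constructed sample, six credential records collapse to four unique ones and one of the two card numbers fails the Luhn check, which is the kind of normalisation any count of "victims" in a dump has to go through before the headline numbers mean anything; the noise line is exactly the per-victim bulk the thread is puzzling over.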
Sorry to say.. (Score:2, Insightful)
Is it just me, or does this seem pretty sad, that so many of today's so called security companies, don't bother to contact the victims of this to at least tell them "Hey you might want to change your password to your online banking, someone stole it, or etc..."
I am disappointed by our leading security community, for leaving these "dumps" in the open to review them, yes after a few days or weeks of activity, ...ok, but then afterwards, contact the victims and let them know they have been compromised.
When do
A fine evaluation by the researchers (Score:2, Insightful)
Honest Question (Score:2)
How many of us have been at least intrigued by the idea of working on something like this? Granted, yes, it is illegal and immoral, but I'm sure it is a really interesting challenge.
Spit out keyloggers at a few hundred thousand/million computers (which sounds like a fun task to begin with), then set up a dump where all the logged keys go. Write some perl to look through the dumps searching for CC#s, SSNs, bank account numbers, passwords, etc. etc. and sort them accordingly. Then dump all of this into a se
How can this data be so large??? (Score:1)
Numbers not surprising. (Score:2)
If you think about it, the numbers are not that surprising.
Just think of how many people have had World of Warcraft accounts jacked with keyloggers. This could simply be a repository for jacked WoW passwords for use by some gold resellers, who also managed to capture all the other data. The email captures are of particular interest as this could be used to keep up to date on password changes made by the OWNER of the accounts even if the keylogger is lost.
When you compare the numbers in TFA to the accountbas