Citrix logins found on crimeware servers
A crimeware server located in Argentina has been found, containing stolen data including Citrix login credentials for a major US airline. Security systems vendor Finjan, which discovered the server, believes that the credentials would allow full access to the airline's systems, including "passenger and cargo lists, flight schedules, time tables, security measures, as well as its financial data." The 500MB of encrypted files also contained healthcare and business data, including Citrix credentials for a US public healthcare organisation, Outlook login credentials and social security numbers.
Describing the find in its Malicious Page of the Month report, Finjan suggests that the credit card fraud market is getting saturated, reducing the value of phished account credentials. Therefore phishers are seeking new product ranges. Clearly, direct access to corporate systems could prove much more valuable than credit cards to criminals – or even terrorists.
Analysis of the Argentinean crimeware server showed that it started to attract traffic in February 2008, and hits have escalated throughout April. Finjan proposes a connection with the spread of the ZeuS trojan, aka TR/Spy.Agent.42496 or wsnpoem. The report notes that the data were encrypted – which has not been the case in the past – although the decryption tools were found on the same server.