Unlike other reports that focus on manually analysing the underground sites where stolen credentials are illegally traded, the researchers used automated data gathering techniques to analyse 'drop zones' - Internet shares where malware uploads stolen data for attackers to retrieve. The report analysed data collected via two pieces of data harvesting malware, Limbo and Zeus, over a seven-month period between April and October this year.
The research team found the drop zones by using a honeypot technique to voluntarily infect their machines. A custom-built tool called SimUser then simulated 17 specific user behaviours designed to trigger a keylogger to 'phone home' to the drop zone. The drop zones are often controlled by the attackers using web applications that are insecurely written, enabling the researchers to hack the server and trawl through the data that had been collected by the attackers.
The team gained full access to 33 Gb of log files on 73 drop zones during the study period, and detected data on about 173,500 infected machines. However, the drop zones they were able to analyse with full access represent just over a fifth of the 345 drop zones that the researchers detected.
"Note that an infected machine can potentially be used by many users, compromising the credentials of many victims," the researchers said in their report. "Furthermore, the effective number of infected machines might be higher since we might not observe all infected machines during the measurement period."
Four of the drop zones analysed were used by the Zeus malware, which focuses on collecting banking details. These servers contained 10,700 bank account credentials. PayPal was the most prevalent, representing 2,600 accounts, followed by the Commonwealth Bank, HSBC Holding, the Bank of America and 447 accounts from Lloyds. "The distribution has a long tail: for the majority of banking websites, we found less than 30 credentials," said the report.
When it came to credit card credentials, Visa was the most stolen, with 3,700 accounts found in the drop zones. Mastercard came in second with 1,400, and American Express and Diners Club trailed far behind in third and fourth place. Overall, 5,800 credit card numbers were found. "If we assume that all credit cards we detected are abused by the attacker, we obtain an estimated loss of funds of almost $1,700,000," said the report.