Cyber criminals hiding sensitive data under owners' noses

Research uncovers 'drop-zones' that crooks use before they export data beyond the firewall

Cyber thieves are secreting huge troves of sensitive corporate data on the owners' networks without them realising, researchers from security firm Kaspersky Labs have warned.

Those illicit files can sit there unnoticed until it is too late, at which point the thieves export them en masse beyond the firewall.

In 2010, Kaspersky researchers analysed the data being harvested by machines infected with variants of the Zeus Trojan. The results highlight the severity of the threat facing IT chiefs.

So-called drop zones - the storage space cyber crooks use to house stolen data before selling it - typically hold 14GB of data.

"They're the cyber thief equivalent of the lock-up garage," said David Emm, of Kaspersky's global research team.

Typically, when an organisation has been compromised, the cyber thieves will use their ability to access the network to create a drop zone within the firewall, said Emm.

Because firewalls are designed to combat external threats, IT chiefs may not detect that one of their internal servers is being used to store purloined data.

This provides the criminal gangs with an opportunity to sort through the mountains of data they collect and establish which parts may have a resale value, such as those containing bank login details, said Emm.

"Once the crooks are ready, and their loot bag is full, they can transfer the data before anyone watching the firewall can stop them," he said.
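The staging pattern described above, with data quietly accumulating on an internal host and then leaving all at once, is easier to catch on the way out than on the way in if egress volume is tracked per internal host rather than only by port or destination. The following is an added example, not code from the article or from Kaspersky: it assumes a constructed flow-summary format of (hour, source IP, bytes out) and flags any host whose outbound volume in one hour dwarfs its own baseline across the other hours and also clears an absolute floor, so that the ~14GB bulk transfer the article describes stands out while a server's steady traffic does not.

```python
"""Added example (not from the article): flag an internal host whose outbound
transfer volume suddenly dwarfs its own recent baseline, the pattern you would
expect when a drop zone is emptied in one go."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (hour_of_day, src_ip, bytes_out). Not real traffic.
SAMPLE_FLOWS = [
    (h, "10.0.0.5", 2_000_000) for h in range(24)   # file server, steady ~2 MB/hour
] + [
    (h, "10.0.0.9", 1_500_000) for h in range(23)   # workstation, steady ~1.5 MB/hour
] + [
    (23, "10.0.0.9", 14_000_000_000),               # hour 23: ~14 GB leaves at once
]


def hourly_egress(flows):
    """Sum outbound bytes per (host, hour)."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, nbytes in flows:
        totals[src][hour] += nbytes
    return totals


def find_bulk_egress(flows, factor=20, min_bytes=1_000_000_000):
    """Return a list of (host, hour, bytes_out, baseline) for hours in which a
    host's outbound volume exceeds `factor` times the median of its other
    hours AND an absolute floor (`min_bytes`), so a quiet host cannot trip
    the ratio test on trivially small numbers."""
    alerts = []
    for host, by_hour in hourly_egress(flows).items():
        for hour, nbytes in sorted(by_hour.items()):
            others = [v for h, v in by_hour.items() if h != hour]
            if not others:
                continue  # a single observation gives no baseline to compare against
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((host, hour, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes, base in find_bulk_egress(SAMPLE_FLOWS):
        print(f"{host} hour {hour}: {nbytes / 1e9:.1f} GB out "
              f"vs baseline {base / 1e6:.1f} MB/hour")
```

The per-host median baseline is the point of the design: a backup server that always pushes large volumes is not flagged, while a workstation that normally sends a few megabytes and then sends fourteen gigabytes is. In practice the flow records would come from a firewall, NetFlow collector or proxy export, and the thresholds would be tuned to the environment.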

Emm's team also tracked the sale of stolen data. Over a period of nine months, one botnet generated "sales" worth $1.7m.

"They have the rate of profitability that could make legitimate businesses envious," said Emm.

Kaspersky's analysis showed that the number of files in these drop zones was split nearly 50:50 between data files and images.

"The Trojans will just keep capturing screenshots at regular intervals in the expectation that they'll land something valuable," said Emm.

But this also shows that the criminal gangs responsible have the ability to sift through huge numbers of image files to hunt out what's valuable.

What's more, the tools needed to create a botnet capable of infecting thousands of machines are now being sold like packaged software, said Emm.

Malware tools such as the Eleonore exploit kit provide everything a would-be cyber crook needs to establish a botnet, added Emm.