
1 December 2011

RSA Anti-Trojan Service Reselling Data Stolen Twice


A sends:

Some time back I was approached by an RSA representative regarding their Israel-based RSA Anti-Fraud Command Center and their Anti-Trojan Service, a service targeting, but obviously not limited to, clients like major banks and credit card companies.

Upon our inquiry as to what the value of this service was, they were more than happy to oblige with a small sample of the information the service would provide us: a one-MB-plus text file with stolen account and credit card data:

============================================================================

Trojan Family: Zeus (version 2)
MD5: 9b72fc6bd0209be28263a3c360fc21a9
bot_id: XXXXX_XXXXXXX
path_source: http://www.corporateweb.com/backend/login.asp
Timestamp: 4/XX/2011 3:36 PM
IP: XX.XXX.XX.84
country: US
rtime: 4/XX/2011 11:45 PM
context: http://www.corporateweb.com/backend/
Referer: http://www.corporateweb.com/backend/start.asp
Data:

authToken=245784owmbCeoU80752c52bO7d
storeId=12
langId=-1
URL=
orderId=XXXXX
business=0
userProfileField1=
cvxCheck=
expDateCheck=
method=DISCOVER
ccNumber=6011XXXXXXXXXXXX
ccCvx2Code=XXX
ccExpiryDate=
cardExpiryMonth=01
cardExpiryYear=2012
giftCard1=
giftCard2=
giftCard3=
coupon1=
realTermsAndConditions=on

- Or -

Data:

aToken=s2521ucQb1asUefqwfasUefqwfdfQWERedf3kH3d
aType=add
formName=private
layout=uCreate
URL=Signup
returnURL=
bMonth=7
bDay=22
bYear=1967
lName=Sxxxxxxxx
fName=Xxxxx
address1=233XX XXXXXXXX
city=BOCA RATON
state=FL
zipCode=33XXX
phone1= XXXXXXXXXXX
fax1=
phone2= XXXXXXXXXXX
email=XXXXXXXXX@HOTMAIL.COM
vEmail=XXXXXXXXX@HOTMAIL.COM
Password=XXXXXXXXX
PasswordVerify=XXXXXXXXX
captchaId=22829679
captcha=XXXXXXXXX
acceptCond=true
submit=Continue

...with all information available in clear text: passwords, credit card numbers with full details.

It seems quite obvious that the source is a trojan "Command and Control" server that has collected the data from infected computers around the net, in this case the Zeus bot.

In this day and age, is it good business practice to sell private and confidential information that has been stolen and then stolen again?

Besides the fact that it's hardly "Anti-Trojan", the moral implications of this kind of business are many and on many levels, but it is nothing RSA and its "Anti-Fraud Command Center" are shy about advertising as a "consumer" product:

http://www.rsa.com/products/consumer/sb/10580_AFCC_SB_1109.pdf
http://www.rsa.com/products/consumer/datasheets/7969_ATS_DS_0409.pdf

Makes me wonder what's next: an RSA trojan that infects and collects the information for the service? Or perhaps that's already the case...
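For anyone who ends up holding a feed in the layout quoted above (a block of "Key: value" header lines, a "Data:" line, then the captured HTTP form body as key=value lines), the following is an added example of how to parse it and mask the card numbers and passwords before the records touch a database. It is not code from the submission above, from RSA or from the Zeus malware; the record layout and the field names (ccNumber, ccCvx2Code, Password) are taken from the quoted samples, while the sample record itself is constructed, with the well-known Discover test number 6011111111111117 standing in for a real PAN, and the Luhn check is a generic card-number sanity test, not something the page describes.

```python
"""Parser and redactor for Zeus-style stolen-form-data records (added example)."""
import re

# Constructed sample record in the layout quoted on the page; the PAN is the
# public Discover test number, the host and address are reserved example values.
SAMPLE_RECORD = """\
Trojan Family: Zeus (version 2)
MD5: 00000000000000000000000000000000
bot_id: EXAMPLE_BOT
path_source: http://shop.example.com/backend/login.asp
Timestamp: 4/01/2011 3:36 PM
IP: 192.0.2.10
country: US
Data:

method=DISCOVER
ccNumber=6011111111111117
ccCvx2Code=123
cardExpiryMonth=01
cardExpiryYear=2012
email=victim@example.com
Password=hunter2
PasswordVerify=hunter2
"""

# Form fields (lower-cased) that must never be stored in clear text downstream.
SENSITIVE_FIELDS = {"ccnumber", "cccvx2code", "password", "passwordverify", "captcha"}


def parse_record(text):
    """Split one record into (headers, form_fields).

    Header lines are "Key: value" (split on the first colon, so URLs survive);
    everything after the "Data:" line is the form body, one key=value per line.
    """
    headers, fields = {}, {}
    in_data = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not in_data:
            if line == "Data:":
                in_data = True
                continue
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        else:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return headers, fields


def luhn_ok(number):
    """Return True if the digits in `number` pass the Luhn check (PAN sanity test)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_fields(fields):
    """Mask sensitive fields; a Luhn-valid PAN keeps only its first 6 and last 4 digits."""
    out = {}
    for key, value in fields.items():
        name = key.lower()
        if name == "ccnumber" and luhn_ok(value):
            digits = re.sub(r"\D", "", value)
            out[key] = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        elif name in SENSITIVE_FIELDS:
            out[key] = "*" * len(value)
        else:
            out[key] = value
    return out


def redact_record(text):
    """Parse one record and return (headers, redacted_form_fields)."""
    headers, fields = parse_record(text)
    return headers, redact_fields(fields)


if __name__ == "__main__":
    hdrs, safe = redact_record(SAMPLE_RECORD)
    print(hdrs["Trojan Family"], hdrs["path_source"])
    for k, v in safe.items():
        print(f"{k}={v}")
```

The Luhn test is only there to tell a real card number apart from a placeholder like the XXXX-redacted values on this page; the point of the example is that whoever receives such a feed has to strip the full PAN, CVV and passwords at the point of ingestion rather than keep a second clear-text copy of data that was stolen once already.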