"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people -- and it is only the tip of the iceberg, they say.

Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say the actual number of these servers is much more.

"With our limited amount of machines, we found more than 300 dropzones, and we covered only two families of banking Trojans. In total, there are presumably many more," says Thorsten Holz, one of the researchers and a founder of the German Honeypot Project. The researchers were studying what they call "impersonation attacks," where victims' credentials are stolen so that the attacker can impersonate them.

The researchers basically traced the steps of specific keyloggers and banking Trojans between April and October 2008. One-third of the machines infected by this data-stealing malware are in Russia or the U.S., according to the researchers. Overall, the 170,000 victims whose data they discovered in the dropzones were from 175 different countries.

They discovered a total of 10,775 bank account credentials, including passwords and bank account details that the victims would enter during a regular transaction. They also found more than 5,600 credit card accounts and tens of thousands of passwords for various sites." - Darkreading

From the paper

"We study an active underground economy that trades stolen digital credentials.We present a method
with which it is possible to directly analyze the amount of data harvested through these types of attacks
in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing
of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon,
giving many first-hand details about the attacks that were observed during a seven-month period between
April and October 2008. This helps us better understand the nature and size of these quickly
emerging underground marketplaces."

Paper Link: http://honeyblog.org/junkyard/reports/impersonation-attacks-TR.pdf
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212501236