Private DB leak threatens Valuehost

The scandal surrounding the leak of a database belonging to Valuehost – a hosting provider – continues apace. To recap: the incident began with information concerning the theft of Valuehost’s database containing passwords and logins to its sites. Then, when angered customers began leaving the company in favor of its competitors, Valuehost demanded the payment of a breach-of-contract fee. And now Kaspersky Labs has established the wholesale infection of Valuehost sites with the Psyme Trojan. As a result, not only are the hosting clients suffering, but also their clients – those who visit their Web resources. As InfoWatch experts indicate, the mass infection of sites was possible only because of the stolen database, which allowed the criminals to go through the sites and insert the Trojans. Now, the whole future of Valuehost as a viable business is in question.

At the end of September, a database containing the password and login information of 101,000 sites hosted by the Petersburg provider Valuehost appeared for sale on the Internet. The company initiated an internal investigation. Meanwhile, its competitors began to spread the notion that a confirmed leak would constitute a real threat for the company’s clients.

The “item” was put up for sale in a range of online shops (www.plati.ru, www.zaplati.net and www.privet.in) – under the plain yet enviable appellation: “The Valuehost.ru Complete Login and Password Database”. According to the seller – who goes under the name Money-monster – for a mere 8,886 rubles (340 USD / 254 Euro) anyone so inclined could obtain access to the passwords and logins of 70,000 sites. This, in the hands of one so inclined, would be all that was necessary to break into – and change the content of – said sites.

Things were gradually getting worse for the Petersburg company. Many users decided straight off to change their hosting provider. That is, to tear up their contract with Valuehost and make a new deal with one of its competitors. But it is not as simple as that. Valuehost allows customers to exit their contract liabilities and take their DNS elsewhere only on payment of a breach-of-contract fee (equivalent to 30 USD / 22 Euro). In response, lawyers on the LawMix.ru site volunteered their services to help victims obtain their right to extricate themselves for free on the grounds of inferior quality of service.

In the view of the InfoWatch analytical center, the Petersburg company should have thought more seriously about protecting its database earlier. But, having allowed the leak to occur, it should not have attempted to prevent clients from leaving or demanded money from them. As a result of the amateurish behavior of the management, this incident became known far and wide. However, the real problems, it would seem, are yet to kick in.

The story got underway on December 1st, when Kaspersky Labs published a warning about the mass infection of Valuehost sites with the Psyme Trojan. It began with a complaint from a visitor to www.5757.ru, which provides a popular SMS service. The installed Kaspersky Antivirus – as it should – prevented an attempted intrusion onto the computer, and information about the incident was then relayed back to Kaspersky. And a good thing it was. Further investigation revealed the existence of 470 infected sites – all of which were clients of the hosting provider.

Psyme – it should be understood – is no mere nuisance virus. It is something much more serious. It is a pernicious program of the Trojan-Downloader class which, in effect, opens the gates of an infected computer to hackers. Using it, it is possible to generate other unpleasant results. These include turning the computer into a spam-generating zombie, using it as part of a distributed hacker attack, and removing information – including access codes to bank accounts.

It is clear that the mass infection of sites hosted by the same provider is only possible if the criminals are in possession of private company database information. In the view of InfoWatch experts, the criminals in question have either used the database which was on open sale on the Internet, or are themselves company insiders.

Denis Zenkin, InfoWatch’s Marketing Director, says, “A leak of passwords and logins by itself casts doubt on a company’s effectiveness. But the use of such stolen information to mass-infect sites has to put the whole future of Valuehost as a business in question, since not only are the company’s clients at risk, but also those who visit their sites. I think this is one of those leaks which will cost the company its entire business.”
