
ZeusiLeaks Archives File 001: The ex-Agent

OK folks, quick recap: if you think WikiLeaks is the largest leak of data the world has seen, think again. In fact, think two orders of magnitude bigger. Who needs a quarter of a million diplomatic cables, when we have the Zeus Trojan, the most popular crimeware in the universe, sitting on millions of personal, corporate and government PCs stealing data 24/7?

The information stolen by Zeus, SpyEye and other Trojans is far more interesting. If you’re a consumer, it’s shocking to see what sort of data piles up in the Trojan mothership. If you’re a security professional, it’s nerve-wracking to see what sort of corporate data siphons off to drop sites halfway across the globe.

So here comes the first release from the ZeusiLeaks Archives!

Note: all findings from the Dark Cloud of Cybercrime relate to information stolen by various Trojans, and will follow some basic rules. First, I won’t mention specific company or website names. It’s never the website’s fault that one of their users picked up a nasty Trojan. I’ll also refrain from mentioning corporation names when the leak comes from employee PCs. It’s pointless to point any fingers: RSA research found that 88% of Fortune 500 companies have employees infected with Zeus. We’re all in the same boat. As for individual names, I’ll change them to protect the innocent. Finally, in every archive file release I’ll focus on just one or two examples. Gradual release is better than just flooding you all with leaks, right?

We’ll start with some light reading. It relates to a popular online dating site in the US that promises to magically match you with the perfect date. Like every other ZeusiLeak, this one does not originate from a breach of the site itself, but rather a local compromise of one of its users. Let’s call him Josh.

Josh is a lawyer; you can see that from his user name, which is in fact an email address belonging to a southern state’s bar association. The name of the infected PC is Josh_FrontDesk, and the communication comes from a private residence IP address. This suggests it’s his office laptop, used at home. That Josh uses the office laptop for private communications on online dating sites is not very surprising: many consumers believe that as long as they use their laptop outside the corporate network, they can do whatever they like, and their privacy will always remain intact. They’ll refrain from going to these sites once connected remotely via VPN; but most of the time they aren’t connected, and they use the corporate resource for private stuff.

Like sending highly personal questions in an online dating service. This particular website encourages you to remove the Unknown Factor that goes with first-time acquaintances by asking some questions before you actually set up a date.

Josh asked a few, but the first one stands out:

“As a former [government agency name here] agent, is there anything in your past I should know about? Anything you would hide from me?”

Hmmmm… Well, I don’t know. Maybe it IS a good idea to ask ahead. I mean, who knows, maybe the lady who will show up on the date was recruited by the KGB at the age of six. Or maybe she’s an extraterrestrial being operating on Earth in disguise. It reminds me of those visa forms non-Americans have to fill in when entering the US: are you part of an organized crime group? Sure I am. Have you been involved in terrorist activities against US citizens? Er… let me think… You know what, I’ll get back to you on this one.

OK, so the guy is an ex-agent. He just wants to check out the ground before walking into a date with, say, an Al Qaeda spy. It’s a good practice, no doubt about that.

Anyway, there’s so much insight that you can learn from just this single ZeusiLeak. Insights about consumers, about employees, about Trojans, about basic security training, about privacy… But that’s only the light reading, as I said. So stay tuned.

Over the years we’ve uncovered stolen credentials from many public sector employees infected with the Sinowal Trojan. We share that with the right authorities. Whether you’re an assistant US attorney on the East Coast or a district judge in Australia, Sinowal isn’t really interested in your legal work or your government files; it puts your bank account passwords, credit card details and social security number in a nice table, and throws all your government access credentials and the classified forms you’ve submitted into a big pile of digital garbage that, as of now, no one bothers sifting through. Even if they do, they look for other things. Corporate data – even public sector data – is difficult to monetize, and there is enough low-hanging fruit in the terabytes of data that gets first priority when it comes to organized crime. But the thing is, all this data keeps piling up. And sooner or later the people who have the data will find the people who can use it.

Think about that while you’re browsing through the next WikiLeaks cable.

Uri Rivner

CEO and Co-Founder

Refine Intelligence

Member since 14 Apr 2008

Tel Aviv

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
