Taking a look at one of the thousands of malware samples we are processing everyday, we have found a Trojan that was looking for e-mail addresses, apparently nothing special. Unlike other Trojans, it was not looking for e-mail addresses in every location, but only in the valid contact list. All of them were saved in a text file and uploaded via FTP to the hacker’s server. The guy was fool enough to leave the ftp credentials in plain text, so we could access effortlessly.

We accessed the server, which was running a RedHat Linux distribution. Once there, we could see a few thousands of stolen e-mail addresses, plus some phishing pages belonging to different banks from Italy, Brazil, and some other countries:

The server contained some scripts to send out phishing e-mails to the stolen addresses, as well as to send the Trojan. So it was an easy task: send out the Trojan, wait for stolen e-mail data to come, send out phishing attacks and wait for the stolen credentials. And as I have mentioned before, this is just one of the thousands of malware samples we deal with everyday. Be careful.