Do you allow RDP connections? Cybercrime service sells hacked Fortune 500 access

Analysis
Oct 22, 2012 · 4 mins
Cisco Systems · Cybercrime · Data and Information Security

Once upon a time, the cybercrime underground was best seen through the Hidden Wiki. Nowadays, sites that offer illegal goods and services are much bolder, posting in forums and advertising their services in the open. Just the same, most of us don't go around looking for the underground or infiltrating it the way investigative security reporter Brian Krebs does. His latest report looks at a service that sells RDP access into Fortune 500 companies. Do you allow RDP connections?

Do you have a Windows computer currently in use, or an old box, that accepts Remote Desktop Protocol (RDP) connections? Most enterprises do allow RDP, so that a client box can connect to a remote host computer. In fact, not only do Fortune 500 companies use RDP, but Brian Krebs recently reported on a cybercrime service that sells RDP access into them for a few dollars.
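If the question "do you allow RDP?" makes you want to check rather than guess, here is a read-only PowerShell audit of a single Windows host's RDP exposure. It is an added example, not code from this article or from Krebs on Security. The registry keys, value names and cmdlets are the standard Windows ones; the thresholds and the wording of each finding are this script's own choices.

```powershell
# Added example: audit this host's RDP exposure (read-only). Run from an
# elevated PowerShell prompt. Registry paths are the standard Terminal Server
# settings; the "finding" wording is this script's own.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is RDP accepted at all? fDenyTSConnections = 1 means Remote Desktop is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) {
    $findings.Add('RDP is enabled (fDenyTSConnections = 0).')
} else {
    Write-Output 'RDP is disabled on this host; nothing further to audit.'
    return
}

# 2. Network Level Authentication: UserAuthentication = 1 forces the client to
#    authenticate before a session (and its logon screen) is created.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('NLA is not required (UserAuthentication is not 1).') }

# 3. Security layer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS.
$sec = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
if ($sec -ne 2) { $findings.Add("SecurityLayer is $sec; 2 (TLS) is the expected value.") }

# 4. Which port does the listener use, and is something actually bound to it?
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) { $findings.Add("A listener is bound on TCP $port.") }

# 5. Firewall: enabled inbound Allow rules for that port with RemoteAddress = Any.
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port") -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    }
foreach ($r in $openRules) {
    $findings.Add("Firewall rule '$($r.DisplayName)' allows TCP $port from any remote address.")
}

# 6. Who may log on remotely? (Members of Administrators get RDP implicitly.)
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
foreach ($m in $rdpUsers) { $findings.Add("Remote Desktop Users member: $($m.Name)") }

# 7. Enabled local accounts whose password never expires deserve a manual look;
#    a forgotten lab box with a trivial password is exactly what gets resold.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    ForEach-Object { $findings.Add("Enabled local account with non-expiring password: $($_.Name)") }

Write-Output "RDP audit for $env:COMPUTERNAME"
$findings | ForEach-Object { Write-Output " - $_" }
```

The firewall cmdlets exist on Windows 8 / Server 2012 and later, and Get-LocalUser / Get-LocalGroupMember on Windows 10 / Server 2016 and later; on an older box such as the Server 2003 system in the story, only the registry checks apply and the rest return nothing. An RDP listener with NLA off, legacy security layer, a firewall rule open to Any, and a non-expiring local account is the combination that turns a lab machine into inventory.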

This investigative Krebs on Security report looked into dedicatexpress.com, which advertises access to hacked RDP servers on cybercrime forums as “The whole world in one service.” It takes an instant message to contact the service owner and $20 via the virtual currency WebMoney to register. Krebs said that nearly 300,000 compromised systems have been pimped through dedicatexpress since it began in 2010, with 17,000 RDP computers available for rent right now. The cost to rent such a compromised box is based upon several factors, such as processor speed and the number of cores, upload and download speed, and the total uptime the hacked RDP server has been available.

Krebs wrote:

I made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I found a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below). You’ll never guess the credentials assigned to this box: Username: “Cisco”; password: “Cisco”.

Cisco confirmed the hacked RDP box was part of its network, but called it a “bad lab machine.” Krebs said the Cisco server granted the buyer administrative rights, but “it had already been blacklisted by 10 out of 15 popular services that track malicious activity online, such as spam and malware hosting.” Yet, Krebs noted, renting a bad box is no cause for worry, because dedicatexpress promises, “if you have any problems with the remote server you have just purchased, you will always be able to file a ticket with technical support and we will be happy to assist you.”

I always enjoy Krebs’ insight and investigative reporting into cybercrime. He even explains how this service pays cybercrook sellers a commission for compromised RDP computers. But how do you know what cyberscum to “trust”? Like many legal selling sites such as Amazon or eBay, sellers on dedicatexpress are given a seller rating which includes how many hacked RDP machines they have sold to the cybercrime site. These “top vendors” may state what a particular RDP server cannot be used for “such as online gambling, PayPal or dating scams,” Krebs explained.

Furthermore, dedicatexpress will not accept RDP servers located in Russia, most likely because that is where it is located and the owners do “not wish to antagonize Russian law enforcement officials.” Of course, as a Krebs on Security commenter pointed out, some of these machines are likely honeypots set up by law enforcement. “Service Sells Access to Fortune 500 Firms” is a good read, with screen captures to help illustrate how it works. Krebs continues to offer articles that heighten cybercrime awareness and give glimpses of the dirty underbelly of cybercriminals.

Like this? Here are more posts:
  • Time to disable Java AGAIN: 1 billion at risk from newest critical Java bug
  • Feds Warn of Zombie Apocalypse! Buy emergency kit, but you might be a terrorist if…
  • Senate report: Fusion centers don’t find terrorists, filled with ‘crap’ that violates privacy
  • Smartphone snoop: Even when phone sleeps, digital assistant always eavesdrops
  • Facebook Want Button: Collecting massive amounts of data about you has never been easier
  • Busted! Forensic expert who recovered lurid SMS warns: Phone texts don’t die, they hide
  • Deanonymizing You: I know who you are after 1 click online or a mobile call
  • Does Microsoft Oppose Verizon Spying? Verizon allegedly wants more control over WP8
  • Flame’s vicious sibling miniFlame malware, a cyber-espionage ‘surgical attack tool’
  • Surveillance State: From Inside Secret FBI Terrorist Screening Room to TrapWire Training
  • Social media surveillance helps the government read your mind

Follow me on Twitter @PrivacyFanatic

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.