Some organizations are apparently still using the venerable FTP protocol for moving files around. Credentials for more than 7,000 FTP servers are being traded between nefarious types and used to break into servers including those of The New York Times. The access has been used to plant malicious PHP files and HTML in a bid to backdoor servers and redirect people to malicious sites.
According to security firm Hold Security, the FTP servers and credentials range from small personal sites to large multinational corporations. Where the list came from, and who put it together, is unknown.
The credentials themselves are a mix of anonymous and default accounts, with passwords ranging from simple to complex. This is suggestive that some, at least, have been acquired through phishing or client-side malware rather than guessing or brute-force password cracking. Given that FTP passes the credentials unencrypted, there are many exciting ways that the information could have been taken: passive sniffing of traffic at a café hotspot would do the trick, for example. This is one of the reasons that use of the protocol has largely fallen out of favor.
For some of the victim organizations, FTP is a legacy relic. UNICEF was among those with leaked credentials. A spokesperson for the humanitarian organization told IDG that the FTP server was part of a system that was no longer being used and has accordingly been disabled.