2008-02-28
Online data thieves have developed an Internet service to allow clients to tap into the Web sites of major companies and government agencies and use the sites as a way to launch malicious code, a security firm said this week.
On Wednesday, Web security firm Finjan published a report on an underground service known as FTP-Toolz*pack that allows its users to publish code on the compromised Web sites of companies and government agencies whose file-server credentials have been leaked. In total, Finjan found more than 8,700 stolen credentials, at least a hundred of which belonged to companies whose Web sites ranked in the top 500, according to Alexa.com.
Using the service, fraudsters and would-be bot masters can upload an iframe attack or other code onto the targeted Web server. Visitors to the legitimate Web site could then be compromised by the malicious code.
"We have seen the commercialization of data, (and) the commercialization of malware," said Yuval Ben-Itzhak, chief technology officer for Finjan. "Now, this is the last piece in the puzzle -- it shows the commercialization of compromised servers."
Online criminals have increasingly refined the user-friendliness of their malicious software and Web services. In 2006, a group of three programmers created the MPack infection kit and started selling it to online criminals intent on gaining control of computers by infecting them with malicious software. The infection kit sold for as much as $1,000 and the authors claimed it came with a year of support. The Russian Business Network, which has moved its servers around to prevent shutdown, has served the criminal elements of the Internet, providing hosting services for everything from exploit code to child pornography.
About 30 percent of the file transfer protocol (FTP) accounts that Finjan identified on FTP-Toolz*pack are for servers in the United States. Another 15 percent are for servers based in Russia, according to Finjan's report.
The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007.
If you have tips or insights on this topic, please contact SecurityFocus.