Security

2 million stolen passwords recovered

by Mathew J Schwartz, InformationWeek, December 6, 2013

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. Researchers promise to help people who were affected

Security researchers have recovered a hacker stash of approximately 2 million access credentials for multiple social media networks, webmail accounts, and other online services.

That disclosure came this week from Trustwave's SpiderLabs, which said it found the information after gaining access to the control panel of a single -- albeit rather large -- instance of a Pony botnet, built using version 1.9 of the botnet software. "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9," wrote SpiderLab researchers Daniel Chechik and Anat (Fox) Davidi in a blog post.

After gaining access to the Pony botnet's control panel, the researchers found that the botnet's controller -- a.k.a. herder -- had amassed approximately 3,000 remote desktop access credentials, 320,000 email account access credentials, and 41,000 FTP account credentials.

But the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59 percent of all recovered stolen passwords), followed by 70,532 passwords for Google (13 percent), 59,549 for Yahoo (11 percent), 21,708 for Twitter (4 percent), and 8,490 LinkedIn (2 percent).

Also on the list were two Russian-language social networking sites, 9,321 passwords for odnoklassniki.ru (2 percent) and 6,867 for vk.com (1 percent), which suggested that many infected PCs were used by Russian language speakers. The bot herder is likely also a Russian speaker, since the Pony control panel's language preference was set to Russian.

The SpiderLabs researchers found that 7,978 of the recovered passwords -- or 1.4 percent of the haul -- were for payroll service ADP, thus demonstrating attackers' ongoing interest in such services. "Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," they said.

Based on control panel information, researchers determined that the active zombie PCs -- or botnet nodes -- were predominantly located in the Netherlands (97 percent of machines). But compromised machines appeared to be located in more than 100 countries, including about 860 machines in the United States (0.08 percent) and 285 in Iran (0.03 percent). Still, the geolocation of the infected PCs would suggest that the botnet was engaged in a targeted attack against people in the Netherlands.

"Taking a closer look at the IP log files, however, revealed that most of the entries from [the Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well," the researchers said.

Using a gateway or reverse-proxy server, however, turns out to be a way for attackers to make their malicious infrastructure more resilient to would-be takedown attempts. "This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," according to the researchers.

SpiderLab's detailing of the recovered Pony botnet password horde has led to calls for the information to be made available. "How about providing a portal to search against the database to see if I -- or people in my company -- are impacted?" read one online comment. "Sharing it with services like shouldIchangemypassword.com? Emailing the victims?"

In response to those requests, the researchers promised they would "responsibly share some of this information with the community," once they figured out how. SpiderLab researcher Chechik tweeted: "We are [intending] to create a page, so users can check whether their account was compromised."

 

 

About Author

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek USA information security reporter.


comments powered by Disqus

Subscribe for Newsletter

Stay connected to the best business technology content every week. Subscribe to our daily newsletter now!

Slide Shows

Upcoming Webcast

Business Models in the Black Market

Join RSA for this upcoming webcast as we take a deep dive into the latest business models in the black market. By attending, you will learn about: The latest cybercrime training services being offered to new fraudsters, The alliances being formed across various underground forums and its impact New economic models being applied for payments and cashout among cybercriminals Speaker: Eli Marcus Senior Writer, Fraud Action Knowledge Delivery team, RSA Date & Time: July 31, 2014, 3:00pm India Time