Attacks/Breaches
12/5/2013
10:32 AM
50%
50%

2 Million Stolen Passwords Recovered

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. Researchers promise to help people who were affected.

Security researchers have recovered a hacker stash of approximately 2 million access credentials for multiple social media networks, webmail accounts, and other online services.

That disclosure came this week from Trustwave's SpiderLabs, which said it found the information after gaining access to the control panel of a single -- albeit rather large -- instance of a Pony botnet, built using version 1.9 of the botnet software. "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9," wrote SpiderLab researchers Daniel Chechik and Anat (Fox) Davidi in a blog post.

After gaining access to the Pony botnet's control panel, the researchers found that the botnet's controller -- a.k.a. herder -- had amassed approximately 3,000 remote desktop access credentials, 320,000 email account access credentials, and 41,000 FTP account credentials.

But the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 LinkedIn (2%).

Also on the list were two Russian-language social networking sites, 9,321 passwords for odnoklassniki.ru (2%) and 6,867 for vk.com (1%), which suggested that many infected PCs were used by Russian language speakers. The bot herder is likely also a Russian speaker, since the Pony control panel's language preference was set to Russian.

[TechAmerica says current laws don't protect us from unreasonable search and seizure. See why it says Electronic Privacy Laws Need An Overhaul.]

The SpiderLabs researchers found that 7,978 of the recovered passwords -- or 1.4% of the haul -- were for payroll service ADP, thus demonstrating attackers' ongoing interest in such services. "Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," they said.

Based on control panel information, researchers determined that the active zombie PCs -- or botnet nodes -- were predominantly located in the Netherlands (97% of machines). But compromised machines appeared to be located in more than 100 countries, including about 860 machines in the United States (0.08%) and 285 in Iran (0.03%). Still, the geolocation of the infected PCs would suggest that the botnet was engaged in a targeted attack against people in the Netherlands.

"Taking a closer look at the IP log files, however, revealed that most of the entries from [the Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well," the researchers said.

Using a gateway or reverse-proxy server, however, turns out to be a way for attackers to make their malicious infrastructure more resilient to would-be takedown attempts. "This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," according to the researchers.

(Source: Image courtesy of Flickr user david.nikonvscanon)
(Source: Image courtesy of Flickr user david.nikonvscanon)

SpiderLab's detailing of the recovered Pony botnet password horde has led to calls for the information to be made available. "How about providing a portal to search against the database to see if I -- or people in my company -- are impacted?" read one online comment. "Sharing it with services like shouldIchangemypassword.com? Emailing the victims?"

In response to those requests, the researchers promised they would "responsibly share some of this information with the community," once they figured out how. SpiderLab researcher Chechik tweeted: "We are [intending] to create a page, so users can check whether their account was compromised."

Knowing your enemy is the first step in guarding against him or her. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LetsTalkPaymnts
50%
50%
LetsTalkPaymnts,
User Rank: Apprentice
12/7/2013 | 3:11:48 AM
Fraud is growing
Even in other sectors like Payments fraud is creating issues http://letstalkpayments.com/fraudsters-make-hay-sun-shines-payment-system-attacks/
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/6/2013 | 9:44:30 AM
Re: Passwords are meaningless without privacy!
Facebook reportedly alerted those users whose account information was stolen (and it probably wouldn't have been that difficult for a hacker gain access anyway: I read that most of the passwords were along the lines of "password" or "123456").
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/6/2013 | 8:23:14 AM
Re: website logins
Definitely, and to be fair, the company suggested it was working on a range of responses. I'd expect that if it hasn't done so already, it will feed the details to larger online service providers. But for stolen email and FTP credentials, that might not be feasible, if their numbers are too great?
WKash
50%
50%
WKash,
User Rank: Apprentice
12/5/2013 | 11:05:31 PM
Passwords
Another reason why it's time we move beyond passwords to protect our privacy.

 
chrisp114
50%
50%
chrisp114,
User Rank: Apprentice
12/5/2013 | 10:35:46 PM
Passwords are meaningless without privacy!
So what if your facebook account is hacked. Don't you know that facebook is already scanning your information and making it available to other businesses and government? Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/5/2013 | 7:22:36 PM
website logins
We are [intending] to create a page, so users can check whether their account was compromised

Instead of creating a page with almost 1.6 million stolen website logins, isn't it easier to contact the companies involved (Google, FB, Yahoo, etc) so these companies can contact each affected person?

Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
12/5/2013 | 5:48:16 PM
Recovered the right term?
These passwords were detected - "recovery" implies getting the horse back in the barn.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.