Attacks/Breaches
12/5/2013
10:32 AM
50%
50%

2 Million Stolen Passwords Recovered

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. Researchers promise to help people who were affected.

Security researchers have recovered a hacker stash of approximately 2 million access credentials for multiple social media networks, webmail accounts, and other online services.

That disclosure came this week from Trustwave's SpiderLabs, which said it found the information after gaining access to the control panel of a single -- albeit rather large -- instance of a Pony botnet, built using version 1.9 of the botnet software. "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9," wrote SpiderLab researchers Daniel Chechik and Anat (Fox) Davidi in a blog post.

After gaining access to the Pony botnet's control panel, the researchers found that the botnet's controller -- a.k.a. herder -- had amassed approximately 3,000 remote desktop access credentials, 320,000 email account access credentials, and 41,000 FTP account credentials.

But the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 LinkedIn (2%).

Also on the list were two Russian-language social networking sites, 9,321 passwords for odnoklassniki.ru (2%) and 6,867 for vk.com (1%), which suggested that many infected PCs were used by Russian language speakers. The bot herder is likely also a Russian speaker, since the Pony control panel's language preference was set to Russian.

[TechAmerica says current laws don't protect us from unreasonable search and seizure. See why it says Electronic Privacy Laws Need An Overhaul.]

The SpiderLabs researchers found that 7,978 of the recovered passwords -- or 1.4% of the haul -- were for payroll service ADP, thus demonstrating attackers' ongoing interest in such services. "Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," they said.

Based on control panel information, researchers determined that the active zombie PCs -- or botnet nodes -- were predominantly located in the Netherlands (97% of machines). But compromised machines appeared to be located in more than 100 countries, including about 860 machines in the United States (0.08%) and 285 in Iran (0.03%). Still, the geolocation of the infected PCs would suggest that the botnet was engaged in a targeted attack against people in the Netherlands.

"Taking a closer look at the IP log files, however, revealed that most of the entries from [the Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well," the researchers said.

Using a gateway or reverse-proxy server, however, turns out to be a way for attackers to make their malicious infrastructure more resilient to would-be takedown attempts. "This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," according to the researchers.

(Source: Image courtesy of Flickr user david.nikonvscanon)
(Source: Image courtesy of Flickr user david.nikonvscanon)

SpiderLab's detailing of the recovered Pony botnet password horde has led to calls for the information to be made available. "How about providing a portal to search against the database to see if I -- or people in my company -- are impacted?" read one online comment. "Sharing it with services like shouldIchangemypassword.com? Emailing the victims?"

In response to those requests, the researchers promised they would "responsibly share some of this information with the community," once they figured out how. SpiderLab researcher Chechik tweeted: "We are [intending] to create a page, so users can check whether their account was compromised."

Knowing your enemy is the first step in guarding against him or her. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
12/5/2013 | 5:48:16 PM
Recovered the right term?
These passwords were detected - "recovery" implies getting the horse back in the barn.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/5/2013 | 7:22:36 PM
website logins
We are [intending] to create a page, so users can check whether their account was compromised

Instead of creating a page with almost 1.6 million stolen website logins, isn't it easier to contact the companies involved (Google, FB, Yahoo, etc) so these companies can contact each affected person?

Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/6/2013 | 8:23:14 AM
Re: website logins
Definitely, and to be fair, the company suggested it was working on a range of responses. I'd expect that if it hasn't done so already, it will feed the details to larger online service providers. But for stolen email and FTP credentials, that might not be feasible, if their numbers are too great?
chrisp114
50%
50%
chrisp114,
User Rank: Apprentice
12/5/2013 | 10:35:46 PM
Passwords are meaningless without privacy!
So what if your facebook account is hacked. Don't you know that facebook is already scanning your information and making it available to other businesses and government? Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/6/2013 | 9:44:30 AM
Re: Passwords are meaningless without privacy!
Facebook reportedly alerted those users whose account information was stolen (and it probably wouldn't have been that difficult for a hacker gain access anyway: I read that most of the passwords were along the lines of "password" or "123456").
WKash
50%
50%
WKash,
User Rank: Apprentice
12/5/2013 | 11:05:31 PM
Passwords
Another reason why it's time we move beyond passwords to protect our privacy.

 
LetsTalkPaymnts
50%
50%
LetsTalkPaymnts,
User Rank: Apprentice
12/7/2013 | 3:11:48 AM
Fraud is growing
Even in other sectors like Payments fraud is creating issues http://letstalkpayments.com/fraudsters-make-hay-sun-shines-payment-system-attacks/
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.