02:16 PM

2 Million Stolen Accounts From Facebook, Twitter, Google, ADP, Found On Crime Server

'Pony' botnet server discovered harboring massive trove of user credentials for email, FTP, remote desktop, and Secure Shell accounts

Some 2 million pilfered user accounts mainly from Facebook, Yahoo, Google, and Twitter were found on a server hosted in the Netherlands.

The stolen accounts include 320,000 email account credentials, 41,000 FTP account credentials, 3,000 remote desktop credentials, and 3,000 Secure Shell (SSH) account credentials, according to Trustwave researchers, who discovered the trove. Trustwave says the credentials, which span more than 93,000 sites, were harvested by the Pony botnet.

"The Pony malware is used to steal information: stolen credentials for websites, email accounts, FTP accounts, [and] anything it can get its hands on. In this case, attackers planted the malware on users’ machines around the world and were able to steal credentials for websites such as Facebook, Twitter, Yahoo, and even the payroll provider ADP," says John Miller, security research manager at Trustwave.

It's unclear just how the users were initially infected, but Miller says Pony's typical M.O. is malicious spam with infected attachments or URLs. "There is no actual keylogging, though it does monitor HTTP traffic looking for requests that look like logins to websites," he says. "The [stolen] passwords are in plaintext because it steals them from configuration files -- which must be readable in order to use them -- and during login transactions with Web services."
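The "configuration files" point is the practical one for defenders: any client that saves a password it can replay has to store it reversibly, so an infected host gives up those passwords without any keylogging. The script below is an added example (it is not code from Trustwave, from the article, or from the Pony malware) that audits a FileZilla Site Manager file for recoverable stored FTP/SFTP credentials, the kind of secrets this haul contained. It assumes FileZilla's sitemanager.xml layout, in which a saved password appears either verbatim in a Pass element (older releases) or base64-encoded in a Pass element carrying encoding="base64"; the sample file, host names, users and passwords are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample sitemanager.xml (hosts, users and passwords are made up).
# Entry 1 stores the password base64-encoded, entry 2 verbatim (older FileZilla),
# entry 3 uses key-based login and stores no password at all.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.46.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Marketing site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass>Winter2013!</Pass>
      <Logontype>1</Logontype>
      <Name>Production host</Name>
    </Server>
    <Server>
      <Host>backup.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>5</Logontype>
      <Name>Key-based backup</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_password(pass_elem):
    """Undo the encoding FileZilla applied to a saved password.

    Returns None when the entry stores no password. Both stored forms are
    reversible by design: the client must be able to send the password, so
    any process that can read the file (malware included) gets it too.
    """
    if pass_elem is None or not pass_elem.text:
        return None
    if pass_elem.get("encoding") == "base64":
        return base64.b64decode(pass_elem.text).decode("utf-8")
    return pass_elem.text  # older releases wrote the password verbatim


def audit_sitemanager(xml_text):
    """Return one finding per saved site whose password is recoverable."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        password = recover_password(server.find("Pass"))
        if password is None:
            continue  # key file or prompt-on-connect: nothing stored to steal
        findings.append({
            "name": server.findtext("Name", default=""),
            "host": server.findtext("Host", default=""),
            "port": int(server.findtext("Port", default="0")),
            "user": server.findtext("User", default=""),
            "password": password,
        })
    return findings


def mask(secret):
    """Show enough of a recovered secret to identify it without printing it all."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"ROTATE {f['user']}@{f['host']}:{f['port']} ({f['name']}): "
              f"stored password {mask(f['password'])}")
```

Point it at the real file (FileZilla's default locations are %APPDATA%\FileZilla\sitemanager.xml on Windows and ~/.config/filezilla/sitemanager.xml on Linux) and every credential it reports is one that malware reading configuration files on that host would also recover; those are the ones to rotate after an infection, and the ones to move to key-based login so there is nothing to store.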

The stolen ADP credentials are the most chilling find, however. "Eight thousand credentials from ADP were stolen and, unlike the intrusion on the other sites, this could actually have serious financial repercussions. We informed ADP, but we are not sure what their response policy entails," Miller says.

Tom Cross, director of security research at Lancope, says while many of the stolen accounts found on the Pony server were from social networks like Facebook, Twitter, and LinkedIn, the attackers may have been after other more lucrative logins and passwords. "Attackers usually seek to compromise social network accounts because they provide a mechanism for further spreading their malware," Cross says.

"In this case, however, the attackers appear to have collected some login information that has a direct financial value to a criminal. Logins for payroll service provider ADP could provide attackers with access to sensitive personal information that could be used to commit fraud. Logins for FTP, RDP, and SSH services provide the attacker with control over servers on the Internet, which may also contain sensitive information," he says.
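Cross's point about FTP, RDP and SSH logins is that a stolen password is directly usable, so the first question on the server side is whether it has already been used. The following Python is an added example (not code from Lancope, Trustwave or the article) that runs a simple check over sshd authentication log lines: it flags accepted password logins, successful logins from sources outside a trusted set, and successes preceded by failed attempts from the same source. The log lines, host name, addresses, fingerprint and trusted-source list are constructed; the message format is OpenSSH's standard "Accepted/Failed <method> for <user> from <ip> port <n>" line.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (host, addresses, times and fingerprint are made up).
SAMPLE_AUTH_LOG = """\
Dec  3 02:11:07 web01 sshd[20412]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Dec  3 02:11:09 web01 sshd[20412]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  3 02:15:22 web01 sshd[20511]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: RSA SHA256:c0nstructedF1ngerpr1ntValueForTheSampleOnly
Dec  3 02:17:02 web01 sshd[20590]: Failed password for invalid user admin from 203.0.113.45 port 51300 ssh2
Dec  3 02:30:11 web01 sshd[20644]: Accepted password for deploy from 203.0.113.45 port 51410 ssh2
""".splitlines()

# Assumption for the example: the only legitimate admin path is a jump host at this address.
TRUSTED_SOURCES = {"198.51.100.7"}

# Matches OpenSSH's authentication result messages; "invalid user" is optional
# because sshd inserts it when the account does not exist.
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(lines):
    """Extract result, method, user and source address from each auth message."""
    events = []
    for line in lines:
        m = SSHD_AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(lines, trusted_sources=TRUSTED_SOURCES):
    """Flag accepted logins that a stolen password would explain.

    Three signals, each reported as a reason string:
      - the login used password auth, which is exactly what stolen credentials enable;
      - the source address is outside the trusted set;
      - the same source had failed attempts earlier in the log window.
    """
    failures_by_ip = defaultdict(int)
    findings = []
    for ev in parse_sshd_events(lines):
        if ev["result"] == "Failed":
            failures_by_ip[ev["ip"]] += 1
            continue
        reasons = []
        if ev["method"] == "password":
            reasons.append("password authentication accepted")
        if ev["ip"] not in trusted_sources:
            reasons.append("source not in trusted set")
        if failures_by_ip[ev["ip"]]:
            reasons.append(f"{failures_by_ip[ev['ip']]} earlier failure(s) from this source")
        if reasons:
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "method": ev["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{f['user']} from {f['ip']} via {f['method']}: " + "; ".join(f["reasons"]))
```

The "password authentication accepted" finding is also a policy signal: with PasswordAuthentication set to no in sshd_config, a stolen SSH password from a haul like this one is unusable, and the only logins the script should ever see are publickey ones from the trusted set.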

Trustwave researchers were unable to pinpoint the location of the victims because the attackers used a reverse-proxy method to mask the command-and-control server. "The reverse proxy prevents us from identifying where the victims were located. The fact that the controller was hosted on a rented server in the Netherlands prevents us from confirming where the attackers are," Miller says. He says he can't confirm whether it was a Russian cybercrime gang behind the attack, either.

Trustwave posted a blog with more details here.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
