
2 Million Stolen Accounts From Facebook, Twitter, Google, ADP, Found On Crime Server

'Pony' botnet server discovered harboring massive trove of user credentials for email, FTP, remote desktop, and Secure Shell accounts

Some 2 million pilfered user accounts mainly from Facebook, Yahoo, Google, and Twitter were found on a server hosted in the Netherlands.

The stolen accounts include 320,000 email account credentials, 41,000 FTP account credentials, 3,000 remote desktop credentials, and 3,000 Secure Shell (SSH) account credentials, according to Trustwave researchers, who discovered the booty. Trustwave says the information, taken from more than 93,000 sites, came courtesy of the Pony botnet.

"The Pony malware is used to steal information: stolen credentials for websites, email accounts, FTP accounts, [and] anything it can get its hands on. In this case, attackers planted the malware on users’ machines around the world and were able to steal credentials for websites such as Facebook, Twitter, Yahoo, and even the payroll provider ADP," says John Miller, security research manager at Trustwave.

It's unclear just how the users were initially infected, but Miller says Pony's typical M.O. is malicious spam with infected attachments or URLs. "There is no actual keylogging, though it does monitor HTTP traffic looking for requests that look like logins to websites," he says. "The [stolen] passwords are in plaintext because it steals them from configuration files -- which must be readable in order to use them -- and during login transactions with Web services."

The stolen ADP credentials are the most chilling find, however. "Eight thousand credentials from ADP were stolen and, unlike the intrusion on the other sites, this could actually have serious financial repercussions. We informed ADP, but we are not sure what their response policy entails," Miller says.

Tom Cross, director of security research at Lancope, says while many of the stolen accounts found on the Pony server were from social networks like Facebook, Twitter, and LinkedIn, the attackers may have been after other more lucrative logins and passwords. "Attackers usually seek to compromise social network accounts because they provide a mechanism for further spreading their malware," Cross says.

"In this case, however, the attackers appear to have collected some login information that has a direct financial value to a criminal. Logins for payroll service provider ADP could provide attackers with access to sensitive personal information that could be used to commit fraud. Logins for FTP, RDP, and SSH services provide the attacker with control over servers on the Internet, which may also contain sensitive information," he says.

Trustwave researchers were unable to pinpoint the location of the victims because the attackers used a reverse-proxy method to mask the command-and-control server. "The reverse proxy prevents us from identifying where the victims were located. The fact that the controller was hosted on a rented server in the Netherlands prevents us from confirming where the attackers are," Miller says. He says he can't confirm whether it was a Russian cybercrime gang behind the attack, either.

Trustwave posted a blog with more details here.


Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
