Quick Hits

2 Million Stolen Accounts From Facebook, Twitter, Google, ADP, Found On Crime Server

'Pony' botnet server discovered harboring massive trove of user credentials for email, FTP, remote desktop, and Secure Shell accounts

Some 2 million pilfered user accounts mainly from Facebook, Yahoo, Google, and Twitter were found on a server hosted in the Netherlands.

The stolen accounts include 320,000 email account credentials, 41,000 FTP account credentials, 3,000 remote desktop credentials, and 3,000 Secure Shell (SSH) account credentials, according to Trustwave researchers, who discovered the booty. Trustwave says the information, taken from more than 93,000 sites, came courtesy of the Pony botnet.

"The Pony malware is used to steal information: stolen credentials for websites, email accounts, FTP accounts, [and] anything it can get its hands on. In this case, attackers planted the malware on users’ machines around the world and were able to steal credentials for websites such as Facebook, Twitter, Yahoo, and even the payroll provider ADP," says John Miller, security research manager at Trustwave.

It's unclear just how the users were initially infected, but Miller says Pony's typical M.O. is malicious spam with infected attachments or URLs. "There is no actual keylogging, though it does monitor HTTP traffic looking for requests that look like logins to websites," he says. "The [stolen] passwords are in plaintext because it steals them from configuration files -- which must be readable in order to use them -- and during login transactions with Web services."

The stolen ADP credentials are the most chilling find, however. "Eight thousand credentials from ADP were stolen and, unlike the intrusion on the other sites, this could actually have serious financial repercussions. We informed ADP, but we are not sure what their response policy entails," Miller says.

Tom Cross, director of security research at Lancope, says while many of the stolen accounts found on the Pony server were from social networks like Facebook, Twitter, and LinkedIn, the attackers may have been after other more lucrative logins and passwords. "Attackers usually seek to compromise social network accounts because they provide a mechanism for further spreading their malware," Cross says.

"In this case, however, the attackers appear to have collected some login information that has a direct financial value to a criminal. Logins for payroll service provider ADP could provide attackers with access to sensitive personal information that could be used to commit fraud. Logins for FTP, RDP, and SSH services provide the attacker with control over servers on the Internet, which may also contain sensitive information," he says.

Trustwave researchers were unable to pinpoint the location of the victims because the attackers used a reverse-proxy method to mask the command-and-control server. "The reverse proxy prevents us from identifying where the victims were located. The fact that the controller was hosted on a rented server in the Netherlands prevents us from confirming where the attackers are," Miller says. He says he can't confirm whether it was a Russian cybercrime gang behind the attack, either.

Trustwave posted a blog with more details here.