Hackers’ server with over 2 million stolen passwords found
Posted on 04 December 2013.
Every now and then, security researchers come across a server used by hackers to store stolen account credentials. The latest instance of this has been flagged by Daniel Chechik and Anat (Fox) Davidi of Trustwave’s SpiderLabs, who have discovered a stash of login credentials for nearly two million online accounts.

More than 75 percent of these are website login credentials (Facebook, Yahoo, Google, Twitter, LinkedIn, vKontakte, etc.), followed by some 320,000 email account credentials, 41,000 FTP, 3,000 Remote Desktop, and 3,000 Secure Shell account credentials.

“Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the researchers pointed out.

The server in question hosts a botnet controller app dubbed Pony.

At first glance, an overwhelming number of these account credentials seem to have been collected from machines on IP addresses in the Netherlands, followed by a couple of thousand from Thailand, Germany and Singapore, and even fewer from a wide variety of countries around the globe.

But, a closer look at the IP log files showed that “most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.”
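The "closer look" described above is, in practice, a grouping exercise: tally the controller's log by country, then by source IP within each country, and flag any country where a single address accounts for nearly all entries, since that pattern points at a gateway or reverse proxy rather than at thousands of distinct victims. The following Python script is an added example, not code from the article or from Trustwave; the log format, field names, thresholds and the sample entries (which use reserved documentation addresses) are all constructed for illustration.

```python
from collections import Counter

# Constructed sample log in a hypothetical "<src_ip> <country> <account>" format.
# Addresses are from the 192.0.2.0/24 documentation range, not real infrastructure.
SAMPLE_LOG = """\
192.0.2.10 NL alice@example.com
192.0.2.10 NL bob@example.com
192.0.2.10 NL carol@example.com
192.0.2.10 NL dave@example.com
192.0.2.10 NL erin@example.com
192.0.2.10 NL frank@example.com
192.0.2.10 NL grace@example.com
192.0.2.10 NL heidi@example.com
192.0.2.11 NL ivan@example.com
192.0.2.20 TH judy@example.com
192.0.2.21 TH mallory@example.com
192.0.2.30 DE oscar@example.com
192.0.2.40 SG peggy@example.com
"""


def parse_log(text):
    """Turn the raw log text into (src_ip, country, account) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: ignore rather than crash on a noisy dump
        records.append(tuple(parts))
    return records


def entries_by_country(records):
    """Naive headcount: how many log entries came from each country."""
    return Counter(country for _, country, _ in records)


def unique_ips_by_country(records):
    """How many distinct source addresses each country actually contributes."""
    seen = {}
    for ip, country, _ in records:
        seen.setdefault(country, set()).add(ip)
    return {country: len(ips) for country, ips in seen.items()}


def find_gateway_ips(records, share=0.8, min_entries=5):
    """Flag countries where one IP supplies at least `share` of the entries.

    A single address carrying most of a country's traffic is what you would
    expect from a proxy or gateway sitting between victims and the controller,
    not from many independently infected machines. The threshold values are
    illustrative assumptions, not figures from the article.
    """
    per_country = {}
    for ip, country, _ in records:
        per_country.setdefault(country, Counter())[ip] += 1

    flagged = {}
    for country, ip_counts in per_country.items():
        total = sum(ip_counts.values())
        if total < min_entries:
            continue  # too few entries to say anything about concentration
        top_ip, top_count = ip_counts.most_common(1)[0]
        ratio = top_count / total
        if ratio >= share:
            flagged[country] = (top_ip, ratio)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("entries per country:", dict(entries_by_country(recs)))
    print("unique IPs per country:", unique_ips_by_country(recs))
    for country, (ip, ratio) in find_gateway_ips(recs).items():
        print(f"{country}: {ip} carries {ratio:.0%} of entries, likely a gateway/proxy")
```

Comparing the headcount with the unique-IP count is the quick sanity check: a country that looks like the top victim population but collapses to one or two addresses after deduplication should be treated as an infrastructure hop, and the proxy address itself is worth blocking or sinkholing only with the expectation that the operator can swap it out, as the researchers note.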

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” the researchers explained, adding that, unfortunately, an ad-hoc analysis of the stolen passwords revealed what we already know: that many, many users keep using easy-to-guess passwords such as “123456”, “password”, “admin”, “111111”, and similar.

Compared to a similar analysis from seven years ago, they also discovered that, yes, people are choosing longer passwords (but not necessarily more complex ones), yet a greater percentage uses the aforementioned “easy” passwords. In fact, that percentage has almost tripled.
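The two measurements behind these findings, the share of passwords that appear on a short list of common choices and the split between length and character-class variety, are easy to reproduce on any recovered credential set, for example when triaging a dump that contains your own users. The script below is an added example, not Trustwave's analysis code; the common-password list is a small constructed stand-in and the sample passwords are invented for illustration.

```python
import string
from collections import Counter

# Constructed sample dump: stand-in for plaintext passwords recovered from a controller.
SAMPLE_PASSWORDS = [
    "123456", "password", "admin", "111111", "Summer2013",
    "correcthorse", "P@ssw0rd!", "123456", "qwerty123", "Tr0ub4dor&3",
]

# Constructed short list of "easy" passwords; a real audit would use a much larger
# wordlist (the ones named in the article appear in almost all of them).
COMMON_PASSWORDS = {
    "123456", "password", "admin", "111111", "12345678",
    "qwerty", "123456789", "1234", "abc123",
}


def char_classes(password):
    """Count how many of the four character classes (lower, upper, digit, symbol) appear."""
    classes = 0
    classes += any(c in string.ascii_lowercase for c in password)
    classes += any(c in string.ascii_uppercase for c in password)
    classes += any(c in string.digits for c in password)
    classes += any(c not in string.ascii_letters + string.digits for c in password)
    return classes


def analyze(passwords, common=COMMON_PASSWORDS, min_len=8):
    """Summarise weakness indicators for a list of plaintext passwords.

    Returns counts rather than printing so the result can be checked or fed
    into a report. `min_len` is an illustrative policy threshold.
    """
    total = len(passwords)
    common_hits = sum(1 for p in passwords if p.lower() in common)
    lengths = [len(p) for p in passwords]
    class_dist = Counter(char_classes(p) for p in passwords)
    # "Long but simple": meets the length policy yet uses a single character class,
    # the pattern the article describes as longer-but-not-more-complex.
    long_but_simple = sum(
        1 for p in passwords if len(p) >= min_len and char_classes(p) == 1
    )
    return {
        "total": total,
        "common_count": common_hits,
        "common_pct": 100.0 * common_hits / total if total else 0.0,
        "avg_length": sum(lengths) / total if total else 0.0,
        "share_min_len": sum(1 for n in lengths if n >= min_len) / total if total else 0.0,
        "class_distribution": dict(class_dist),
        "long_but_simple": long_but_simple,
        "top_passwords": Counter(passwords).most_common(3),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    print(f"{report['common_count']} of {report['total']} "
          f"({report['common_pct']:.0f}%) are on the common-password list")
    print(f"average length {report['avg_length']:.1f}, "
          f"{report['share_min_len']:.0%} meet the 8-character minimum")
    print("character-class distribution:", report["class_distribution"])
    print("long but single-class:", report["long_but_simple"])
    print("most reused:", report["top_passwords"])
```

Running the same function on two dumps taken years apart is exactly the comparison the researchers made: if `avg_length` rises while `class_distribution` stays concentrated at one class and `common_pct` grows, users are getting longer passwords without getting stronger ones. A defender auditing their own user base should treat any hit on the common list as grounds for a forced reset, whatever the length.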
