Hackers’ server with over 2 million stolen passwords found
Posted on 04 December 2013.
Every now and then, security researchers come across a server used by hackers to store stolen account credentials. The latest instance of this has been flagged by Daniel Chechik and Anat (Fox) Davidi of Trustwave's SpiderLabs, who discovered a stash of login credentials for nearly two million online accounts.

More than 75 percent of these are website login credentials (Facebook, Yahoo, Google, Twitter, LinkedIn, vKontakte, etc.), followed by some 320,000 email account credentials, 41,000 FTP credentials, 3,000 Remote Desktop credentials, and 3,000 Secure Shell credentials.

“Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the researchers pointed out.

The server in question hosts the controller application of the Pony botnet, credential-stealing malware that harvested these logins from infected machines and uploaded them to the controller.

At first glance, an overwhelming number of these account credentials seem to have been collected from machines on IP addresses in the Netherlands, followed by a couple of thousand combinations each from Thailand, Germany and Singapore, and even fewer from a wide variety of countries around the globe.

But, a closer look at the IP log files showed that “most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.”

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” the researchers explained. Unfortunately, they added, an ad-hoc analysis of the stolen passwords revealed what we already know: that many, many users keep using easy-to-guess passwords such as “123456”, “password”, “admin”, “111111”, and similar.

Compared to a similar analysis from seven years ago, they also found that, yes, people are choosing longer passwords (but not necessarily more complex ones), yet a greater percentage of users now pick the aforementioned “easy” passwords. In fact, that percentage has almost tripled.
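The two findings above, the single gateway IP hiding behind the Dutch entry count and the share of trivially guessable passwords, are both things an analyst derives from the controller's logs with a few aggregations. The script below is an added example of that triage, not code from Trustwave SpiderLabs and not the Pony controller's real log format: the record layout (source IP, country, target domain, username, password, one per line), the weak-password list and every row of sample data are constructed for illustration.

```python
"""Triage of a constructed credential dump.

Added example; not code or data from the Pony server or from SpiderLabs.
The whitespace-separated record layout below is an assumption for this
example only, and the sample rows are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records: ip country domain user password (not real data)
SAMPLE_LOG = """\
10.0.0.1 NL facebook.com alice 123456
10.0.0.1 NL facebook.com bob Password1
10.0.0.1 NL google.com carol qwerty
10.0.0.1 NL adp.com dave Summer2013!
10.0.0.1 NL yahoo.com erin 123456
10.0.0.1 NL twitter.com frank admin
10.0.0.1 NL linkedin.com gina Ch3ck-me-0ut
10.0.0.2 NL vk.com hugo 111111
192.0.2.10 TH facebook.com ivan password
192.0.2.11 TH google.com jane Tr0ub4dor&3
198.51.100.5 DE facebook.com kate 123456
198.51.100.6 DE adp.com leo correcthorsebatterystaple
203.0.113.7 SG ftp.example.org mia letmein
"""

# Small deny-list of the kind of passwords the article names (assumed list)
WEAK_PASSWORDS = {"123456", "password", "admin", "111111", "qwerty", "letmein"}


def parse_records(text):
    """Parse the assumed 'ip country domain user password' layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=4)  # password is last; may contain spaces
        if len(parts) != 5:
            continue  # skip malformed rows instead of crashing on them
        ip, country, domain, user, password = parts
        records.append({"ip": ip, "country": country, "domain": domain,
                        "user": user, "password": password})
    return records


def country_breakdown(records):
    """Per country: total entries, distinct IPs, share held by the busiest IP."""
    ips_by_country = defaultdict(Counter)
    for r in records:
        ips_by_country[r["country"]][r["ip"]] += 1
    out = {}
    for cc, counter in ips_by_country.items():
        total = sum(counter.values())
        top_ip, top_n = counter.most_common(1)[0]
        out[cc] = {"entries": total, "distinct_ips": len(counter),
                   "top_ip": top_ip, "top_share": top_n / total}
    return out


def suspected_gateways(records, min_entries=5, min_share=0.8):
    """Countries where one IP holds nearly all entries: a proxy, not many victims."""
    return [(cc, s["top_ip"]) for cc, s in country_breakdown(records).items()
            if s["entries"] >= min_entries and s["top_share"] >= min_share]


def top_domains(records, n=5):
    """Most targeted services; payroll-style domains in the top ranks deserve attention."""
    return Counter(r["domain"] for r in records).most_common(n)


def char_classes(pw):
    """Count character classes used (lower, upper, digit, other)."""
    return sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
               if re.search(pat, pw))


def password_stats(records):
    """Weak-list share plus the 'longer but not more complex' signal."""
    pws = [r["password"] for r in records]
    n = len(pws)
    weak = sum(1 for p in pws if p.lower() in WEAK_PASSWORDS)
    long_but_simple = sum(1 for p in pws if len(p) >= 8 and char_classes(p) == 1)
    return {"count": n, "weak_share": weak / n,
            "avg_length": sum(len(p) for p in pws) / n,
            "long_single_class": long_but_simple}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for cc, s in sorted(country_breakdown(recs).items()):
        print(f"{cc}: {s['entries']} entries from {s['distinct_ips']} IPs, "
              f"busiest {s['top_ip']} at {s['top_share']:.0%}")
    print("suspected gateways:", suspected_gateways(recs))
    print("top domains:", top_domains(recs))
    print("password stats:", password_stats(recs))
```

Counting entries per country alone would report the Netherlands as the main victim region; counting distinct IPs per country, and the share held by the busiest one, is what exposes a single relay address. The same records then feed the password review: the deny-list share and the count of long passwords drawn from one character class are the two numbers behind "longer, but not more complex".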
