Hackers’ server with over 2 million stolen passwords found
Posted on 04 December 2013.
Every now and then, security researchers come across a server used by hackers to store stolen account credentials. The latest instance of this has been flagged by Daniel Chechik and Anat (Fox) Davidi of Trustwave’s SpiderLabs, who have discovered a stash of login credentials for nearly two million online accounts.

More than 75 percent of these are website login credentials (Facebook, Yahoo, Google, Twitter, LinkedIn, vKontakte, etc.), followed by some 320,000 email account credentials, 41,000 FTP, 3,000 Remote Desktop, and 3,000 Secure Shell account credentials.

“Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the researchers pointed out.

The server in question hosts a botnet controller app dubbed Pony.

At first glance, an overwhelming number of these account credentials seem to have been collected from machines on IP addresses in The Netherlands, followed by a couple of thousand combinations from Thailand, Germany and Singapore, and even fewer from a wide variety of countries around the globe.

But, a closer look at the IP log files showed that “most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.”
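The researchers spotted the gateway because a single source address accounted for most of the check-ins. The following script is an added example (not Trustwave's tooling and not from the original article) of that check on a constructed log: it counts check-ins per source IP and flags the top address as a likely proxy or gateway when it carries most of the traffic while many distinct victim identifiers sit behind it. The two-column "source_ip bot_id" log format, the sample addresses (documentation ranges) and the 50 percent threshold are assumptions for the example.

```python
from collections import Counter

# Constructed sample of C2 check-in log lines ("source_ip bot_id"); not real data.
SAMPLE_LOG = """\
192.0.2.10 bot-0001
192.0.2.10 bot-0002
192.0.2.10 bot-0003
192.0.2.10 bot-0004
192.0.2.10 bot-0005
192.0.2.10 bot-0006
192.0.2.10 bot-0007
192.0.2.10 bot-0008
198.51.100.7 bot-0009
203.0.113.42 bot-0010
"""


def parse_log(text):
    """Return a list of (ip, bot_id) tuples, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        entries.append((parts[0], parts[1]))
    return entries


def ip_concentration(entries):
    """Return (top_ip, share_of_all_entries, number_of_distinct_ips)."""
    counts = Counter(ip for ip, _ in entries)
    top_ip, top_count = counts.most_common(1)[0]
    return top_ip, top_count / len(entries), len(counts)


def suspect_gateway(entries, threshold=0.5):
    """Flag the dominant source IP as a probable proxy/gateway.

    One host that sends more than `threshold` of all check-ins on behalf of
    many different bot IDs looks like a relay rather than a single victim.
    The threshold is an assumption chosen for this example.
    """
    top_ip, share, _ = ip_concentration(entries)
    bots_behind_top = {bot for ip, bot in entries if ip == top_ip}
    if share > threshold and len(bots_behind_top) > 1:
        return top_ip
    return None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("distinct source IPs:", ip_concentration(entries)[2])
    print("probable gateway:", suspect_gateway(entries))
```

On the constructed sample the dominant address carries 80 percent of the check-ins for eight different bot IDs, so it is reported as the probable gateway, while the two remaining addresses are left alone. Geolocation of the addresses, which the researchers used to notice the Dutch skew, is not attempted here because it needs an external database.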

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down--outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” the researchers explained, adding that, unfortunately, an ad-hoc analysis of the stolen passwords revealed what we already know: that many users still choose easy-to-guess passwords such as “123456”, “password”, “admin”, “111111”, and similar.

Compared to a similar analysis from seven years ago, they also found that people are choosing longer passwords (but not necessarily more complex ones), while a greater percentage uses the aforementioned “easy” passwords. In fact, that percentage has almost tripled.
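The kind of ad-hoc analysis described above (top domains, share of trivially guessable passwords, length versus complexity) can be reproduced on a credential dump during breach triage. The script below is an added example, not the researchers' code, run over a constructed sample in a "domain,username,password" format that is assumed for the example. The weak-password list is just the four values the article names; a real triage would use a much larger wordlist, and the character-class count is this example's own rough complexity measure, not Trustwave's rating scheme.

```python
from collections import Counter
import string

# Constructed sample records ("domain,username,password"); purely illustrative.
SAMPLE_DUMP = """\
facebook.com,alice,123456
facebook.com,bob,password
google.com,carol,Tr0ub4dor&3
yahoo.com,dave,111111
adp.com,erin,correcthorsebattery
linkedin.com,frank,admin
twitter.com,grace,P@ssw0rd2013!
facebook.com,heidi,qwerty123
"""

# Only the passwords the article names; an assumption standing in for a real wordlist.
WEAK_PASSWORDS = {"123456", "password", "admin", "111111"}


def parse_dump(text):
    """Return a list of (domain, username, password) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(",", 2)  # password may itself contain commas
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def top_domains(records, n=3):
    """Most frequently targeted domains, as (domain, count) pairs."""
    return Counter(domain for domain, _, _ in records).most_common(n)


def weak_share(records):
    """Fraction of passwords that appear on the weak list (case-insensitive)."""
    weak = sum(1 for _, _, pw in records if pw.lower() in WEAK_PASSWORDS)
    return weak / len(records)


def average_length(records):
    """Mean password length; longer does not mean stronger, as the next function shows."""
    return sum(len(pw) for _, _, pw in records) / len(records)


def char_classes(pw):
    """Number of character classes used: lower, upper, digit, punctuation (0..4)."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def complexity_summary(records):
    """Histogram of passwords by number of character classes used."""
    return dict(Counter(char_classes(pw) for _, _, pw in records))


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("top domains:", top_domains(recs))
    print("weak share:", weak_share(recs))
    print("average length:", average_length(recs))
    print("by character classes:", complexity_summary(recs))
```

On the sample, half of the passwords are on the weak list even though the average length is above nine characters, and five of the eight use a single character class; that is the "longer but not more complex" pattern the researchers describe.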
