Hackers stole 2 million passwords: researchers

The discovery of some two million stolen online passwords this week prompted fresh warnings from security researchers to strengthen protection from hackers.

Web security is of paramount importance to most Web users, and every now and then, something occurs that reminds us of how the determination of a hacker can result in dire consequences. In a report that makes for quite disconcerting reading, someone, using a keylogger, managed to obtain over 2 million passwords for the likes of Facebook, Gmail, Twitter, Yahoo, and LinkedIn.

Security outfit Trustwave made the discovery, with the attacker capitalizing on a keylogger based upon a variant of the Pony botnet controller — a malicious utility that recently cut hackers a break when its source code was leaked out into the wild.

We’ll start off with the final numbers, and then break it down:

~1,580,000 website login credentials stolen

~320,000 email account credentials stolen

~41,000 FTP account credentials stolen

~3,000 Remote Desktop credentials stolen

~3,000 Secure Shell account credentials stolen

General Information

The method for obtaining the passwords was incredibly simple. Once the keylogger was installed on millions of machines spanning 92 countries across the world, it simply recorded logins and passwords as they were typed. With many of us logging in to our favorite email accounts like Gmail, as well as social haunts like Facebook and Twitter, many hundreds of thousands of passwords were stolen from users of each, and although the passwords were not taken from any of these services themselves, ADP, Facebook, LinkedIn, and Twitter have already alerted affected users and reset their passwords for them.

Looking at the domains from which passwords were stolen:


For once, the response appears to have been swift and effective, so if you use one of the aforementioned services, as you likely do, and are worried, the situation now seems to be under control.

Nevertheless, the Pony botnet controller managed to amass a whopping 1.5 million website logins, one-third of a million email account credentials, and a whole lot more, including the vital info on FTP and remote desktop accounts.

Geo-Location Statistics

A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from the NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down: outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down.
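The skew described above can be checked mechanically when reviewing a recovered connection log. The following is an added example, not part of the original post or of Trustwave's analysis: the log format, the thresholds, the country codes other than NL, and all IP addresses (taken from documentation ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (source_ip, country) pairs as they might appear in a
# connection log. All addresses come from documentation-only ranges.
SAMPLE_LOG = (
    [("203.0.113.10", "NL")] * 40          # one address repeated: the relay
    + [("203.0.113.77", "NL"), ("203.0.113.78", "NL")]
    + [("198.51.100.%d" % i, "DE") for i in range(1, 9)]
    + [("192.0.2.%d" % i, "TH") for i in range(1, 7)]
    + [("192.0.2.200", "TH")] * 2
)

def country_stats(entries):
    """Return {country: (total_entries, distinct_ips, top_ip, top_ip_share)}."""
    per_country = defaultdict(Counter)
    for ip, country in entries:
        per_country[country][ip] += 1
    stats = {}
    for country, ips in per_country.items():
        total = sum(ips.values())
        top_ip, top_count = ips.most_common(1)[0]
        stats[country] = (total, len(ips), top_ip, top_count / total)
    return stats

def suspected_relays(entries, min_share=0.5, min_entries=10):
    """IPs that alone produce at least min_share of a country's entries."""
    return {
        top_ip
        for total, _, top_ip, share in country_stats(entries).values()
        if total >= min_entries and share >= min_share
    }

def ranking(entries, exclude=frozenset()):
    """Countries ordered by distinct source IPs, ignoring excluded addresses."""
    seen = defaultdict(set)
    for ip, country in entries:
        if ip not in exclude:
            seen[country].add(ip)
    return sorted(((c, len(ips)) for c, ips in seen.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    relays = suspected_relays(SAMPLE_LOG)
    print("raw entry counts:", Counter(c for _, c in SAMPLE_LOG).most_common())
    print("suspected relay IPs:", relays)
    print("by distinct sources:", ranking(SAMPLE_LOG, exclude=relays))
```

Counting raw entries puts NL far ahead in this sample; counting distinct sources after setting the dominant address aside moves it to the bottom, which is the same correction the closer look at the IP logs made.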


Top list Passwords

Oh, and if you’re going to create a password, make sure it’s something that cannot be easily guessed. The big companies have worked hard to prevent users from typing in simple, effortlessly compromise-able secret words, and given that Trustwave discovered that some of the most common passwords compromised here included “123456789,” and “password,” it’s almost as if some people want their accounts to be compromised.

Unfortunately, the most commonly used passwords were far from what your CISO would like to see. Here’s a small taste:


In our analysis, passwords that use all four character types and are longer than 8 characters are considered “Excellent”, whereas passwords with four or fewer characters of only one type are considered “Terrible”. Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.

Thanks to Blog
