December 5, 2013
Pony Botnet Steals Two Million Passwords From Social Network Users
Enid Burns for redOrbit.com - Your Universe Online
The finding, described in a Trustwave blog post, included more than two million login credentials gleaned from the Pony Botnet Controller. In the post, Trustwave's Daniel Chechik included details and supporting graphics that quantify how many login credentials were exposed.
The Netherlands-based server held credentials for 318,121 Facebook accounts, 59,549 Yahoo! logins and 54,437 Google accounts. Additional groupings of compromised accounts included Twitter (21,708 passwords) and LinkedIn (8,490). The site also listed the Russian-language social networks VKontakte and Odnoklassniki.
"You can also spot the notable presence of vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, which probably indicates that a decent portion of the victims comprised [sic] were Russian speakers. Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," the blog post said.
Passwords and login credentials were harvested from computers running botnet malware, malicious software that joins the victim's machine to a network controlled by the attacker and reports keystrokes and other details without the user's knowledge. Criminal gangs often use botnets to steal large amounts of personal data that can be sold to other criminal gangs or held for ransom, BBC News reports.
It was unclear exactly which kind of malware infected victims' computers and sent information to the command-and-control server, PC World reports. The source code for the control panel software, called "Pony," was leaked at some point.
Trustwave said it notified Facebook and other sites and services before posting the blog entry. Facebook said it was not at fault, according to the BBC. "People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings," a spokesperson said.
"They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone," the spokesperson added.
It has been reported that the compromised passwords came exclusively from the Netherlands. However, ZDNet clarified that the list is global. Still, the bulk of the passwords appear to be from the Netherlands: the site attributes 1,828,452 passwords on 1,049,879 machines to the Netherlands, 7,029 passwords on 3,340 machines to Thailand, and 1,943 passwords on 859 machines to the United States. Several other countries were also listed. The Netherlands figure is inflated, likely because the attacker routed traffic through a proxy server based in the Netherlands, which prevented Trustwave from identifying the victims' real locations.
The reverse proxy was used to avoid detection and continue the scam for as long as possible, PC Mag reports.
"Outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," the Trustwave blog post said. "While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any."