Facebook, Twitter and Google users have 2m passwords stolen
Researchers from Trustwave Spiderlabs confirm discovery of massive haul of login data.
A botnet server containing two million passwords for Facebook, Yahoo, Google, Twitter and LinkedIn has been uncovered by the research team at Trustwave SpiderLabs.
The account credentials were reportedly stolen using the Pony Botnet Controller, which has been used in the past to steal passwords for websites, email accounts and FTP resources before passing them back to an unknown third party.
Trustwave researchers have been tracking the botnet's progress since its source code was first leaked in the wild, and have described the findings of this latest haul in a blog post.
After discovering the server, the team gained access to its administrator's dashboard, which gave them an insight into the number and type of details stolen.
"As one might expect, most of the compromised web log-ins belong to popular websites and services, such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc," the blog states.
Login details for two Russian social networks and payroll service provider ADP.com were also found.
"Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," the blog post added.
The researchers said the data initially suggested the Pony Botnet Controller was being used to facilitate a targeted attack on web users in the Netherlands, but that is no longer thought to be the case.
"Taking a closer look at the IP log files...revealed that most of the entries from [the Netherlands] are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well," the post continues.
"This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down.
"While this behaviour is interesting in itself, it does prevent us from learning more about the targeted countries in this attack, if there were any," it adds.
In a further blog post, IT security expert Graham Cluley said the login details may have been used by cybercriminals to access people's accounts or sold on elsewhere for profit.
"What's happened here is clear. Innocent users' computers have become infected with malware, which grabbed login details as they were entered by users," he wrote.
"This data was then transmitted to the cybercriminals either so they could access the accounts themselves or (more likely) sell on the details to other online criminals."