Every now and then, security researchers come across a server used by hackers to store stolen account credentials. The latest instance of this has been flagged by Daniel Chechik and Anat (Fox) Davidi of Trustwave’s SpiderLabs, who have discovered a stash of login credentials for nearly two million online accounts.
More than 75 percent of these are website login credentials (Facebook, Yahoo, Google, Twitter, LinkedIn, vKontakte, etc.), followed by some 320,000 email account credentials, 41,000 FTP, 3,000 Remote Desktop, and 3,000 Secure Shell account credentials.
“Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions,” the researchers pointed out.
The server in question hosts a botnet controller app dubbed Pony.
At first glance, an overwhelming number of these account credentials seem to have been collected from machines on IP addresses in the Netherlands, followed by a couple of thousand combinations each from Thailand, Germany and Singapore, and even fewer from a wide variety of countries around the globe.
But, a closer look at the IP log files showed that “most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well.”
“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down–outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” the researchers explained, adding that, unfortunately, an ad-hoc analysis of the stolen passwords revealed what we already know: that many, many users keep using easy-to-guess passwords such as “123456”, “password”, “admin”, “111111”, and similar.
Compared to a similar analysis from seven years ago, they also discovered that, yes, people are choosing longer passwords (but not necessarily more complex ones), yet a greater percentage use the aforementioned “easy” passwords. In fact, that percentage has almost tripled.
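The kind of ad-hoc analysis the researchers describe (share of trivially guessable passwords, length versus character-class complexity, most-reused values) can be reproduced on any plaintext password list one is entitled to audit. The following is an added example, not SpiderLabs' own tooling; the sample password list and the short weak-password deny-list are constructed for illustration and are not taken from the Pony dump.

```python
"""Password-audit helpers illustrating the analysis described in the article.

Added example: the sample passwords and the deny-list below are constructed,
not data from the Pony server or code from Trustwave SpiderLabs.
"""

from collections import Counter
import string

# Constructed sample standing in for a slice of a leaked credential list.
SAMPLE_PASSWORDS = [
    "123456", "password", "admin", "111111", "123456", "123456",
    "qwerty123", "Summer2013", "letmein", "password1", "12345678",
    "Tr0ub4dor&3", "correcthorsebatterystaple", "P@ssw0rd", "1234567890",
]

# Constructed deny-list: the "easy" passwords named in the article plus a few
# equally common ones. A real audit would use a much larger public wordlist.
COMMON_WEAK = {
    "123456", "password", "admin", "111111", "12345678",
    "1234567890", "qwerty", "letmein", "password1",
}


def weak_share(passwords):
    """Fraction of passwords that appear verbatim (case-insensitive) in the deny-list."""
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if p.lower() in COMMON_WEAK)
    return hits / len(passwords)


def length_distribution(passwords):
    """Histogram of password lengths, as {length: count}."""
    return dict(Counter(len(p) for p in passwords))


def char_classes(pw):
    """Number of distinct character classes used: lower, upper, digit, symbol (0-4).

    A long password built from a single class scores 1, which is how
    'longer but not more complex' shows up in the numbers.
    """
    checks = (
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def complexity_distribution(passwords):
    """Histogram of character-class counts, as {classes: count}."""
    return dict(Counter(char_classes(p) for p in passwords))


def top_passwords(passwords, n=5):
    """Most frequently reused passwords, as (password, count) pairs."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    print(f"weak share: {weak_share(SAMPLE_PASSWORDS):.1%}")
    print("length histogram:", length_distribution(SAMPLE_PASSWORDS))
    print("class histogram: ", complexity_distribution(SAMPLE_PASSWORDS))
    print("most reused:     ", top_passwords(SAMPLE_PASSWORDS, 3))
```

Running the same functions over two dumps taken years apart gives exactly the comparison the article makes: `length_distribution` shifts toward longer values while `weak_share` and the single-class bucket of `complexity_distribution` do not shrink.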