Cyber security researchers discovered that about two million credentials were stolen from end users frequenting popular websites earlier this year, making it easier for hackers to use their credentials to send spam.

Trustwave’s SpiderLabs, the research team that discovered these thefts said more than 318,000 of the stolen credentials came from Facebook, nearly 60,000 from Yahoo, more than 54,000 from Google and nearly 22,000 from Twitter.

The research team said the tool used was version 1.9 of the Pony Botnet Controller’s malware, which it embedded on two million workstations (desktops, laptops and tablets) worldwide, in June this year.

The speed with which the botnet controller gained access to end user workstations and retrieved credentials for logging onto the websites was fast, according to Trustwave, which said hundreds of thousands of credentials were stolen within a few days of infecting the workstations.

Here’s how it works. Once the botnet controller invades an end user’s workstation, it installs the malware and searches all of the installed software for stored credentials to steal. The malware also watches web traffic to scoop up credentials when end users log onto websites. Then the botnet controller sends the credentials the malware has scooped up  to the Command-and-Controller that is collecting the stolen goods. Trustwave’s researchers were able to access the controller and see the names, email addresses and passwords of all the accounts that were compromised. While the Command-and-Control server is located in the Netherlands, that doesn’t indicate where the people managing Pony reside.

What’s the motivation of these cybercriminals? Money, of course. John Miller, Trustwave’s Senior Research Manager, said that in general, cyber criminals pack up these credentials and sell them in bulk for a couple of cents each. Buyers use these credentials to send spam wide and far, including to the workstations where Pony poached the credentials in the first place.

Perhaps Trustwave’s most disconcerting discovery was that the botnet controller had successfully invaded payroll service provider and reportedly stole 8,000 credentials. This means that whomever has login credentials to the ADP network, which includes ADP’s customer workstations and anyone involved in ADP’s payroll services, may have PONY’s malware in their system, said Miller. “So individuals who use ADP services might want to charge their password,” he said.

In addition, Miller noted that it’s likely that Pony has installed its malware on many browsers, in Java software, Adobe PDF and Adobe Flash software, because these programs have such large numbers of end users. The best way for end users to protect their computer or laptop, he said, is to keep all their browsers up to date and promptly install program patches.

“Flaws in Adobe software and Java are very common attack vectors for loading malicious software like Pony,” said Miller. “When an end user is redirected to an exploit kit, that kit will often use those flaws to install Pony.” Interestingly, the Pony malware can only attack PCs or laptops running Microsoft programs. Apple computers and laptops aren’t vulnerable to this malware, yet.

The discovery of this botnet controller’s widespread presence and efficiency should raise a red flag for end users about how well they protect their login credentials for websites. The best protective measures that end-users can take are nothing new; frequently change passwords and don’t use the same password across numerous websites.

Speaking of passwords, Trustwave analyzed the passwords they found among the two million stolen credentials for websites, social media and email accounts. The researchers divided the passwords into those that were excellent, medium and terrible in terms of strength. They based their determination on the length and type of characters in the password. Excellent passwords were those that used all four character types and were longer than eight characters, while terrible passwords used four or less characters and only one character type. No surprise that there were many more terrible passwords than excellent ones in the Pony haul. The majority were in-between in what they called medium strength.

Gail Bronson is an accomplished technology journalist and security start-up entrepreneur. She was the Founding Managing Editor of Bloomberg and the Founding Editor of Forbes Science & Technology section and she held stints at other publications including U.S. News & World Report and Internet Week.

Leave a Reply