
Researchers have disclosed the discovery of a database containing 1.58 million stolen usernames and passwords for online services including Facebook, Google, Twitter, Yahoo, and the payroll processor ADP.

The infections and the resulting credential theft are attributed to the Pony botnet, whose source code has been circulating in the wild for some time.

“Pony, for those of you who have not yet had the pleasure of encountering it, is a bot controller much like any other: It has a control panel, user management, logging features, a database to manage all the data and, of course, statistics. It also seems to be doing these things right, as it appears to be popping up quite a bit lately,” the researchers wrote previously.

The breakdown of the stolen credentials is as follows:

  • 1,580,000 website login credentials stolen
  • 320,000 email account credentials stolen
  • 41,000 FTP account credentials stolen
  • 3,000 Remote Desktop credentials stolen
  • 3,000 Secure Shell account credentials stolen

Analysis of the geo-locations of the stolen login credentials revealed that the victims come from more than 100 nations, indicating the operation was global in scale.

“A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well,” the researchers said.

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down; outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down. While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.”
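The skew the researchers describe, where one gateway IP inflates a country's share of the log, is easy to catch once you look at unique IPs per country rather than raw entry counts. The following script is an added illustration written for this page, not code from the original article or from the researchers; it runs over a small constructed log of (source IP, country) pairs (documentation-range addresses, not real victims) and flags any country whose entries are dominated by a single address as a probable proxy or gateway, then recomputes victim counts with that address excluded. The thresholds `min_entries` and `share_threshold` are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of (source_ip, country) pairs, as might be extracted from a
# C&C server's connection log after geo-location lookup. Not data from the report.
# One NL address appears 40 times: this plays the role of the gateway/reverse proxy.
SAMPLE_LOG = [("203.0.113.5", "NL")] * 40 + [
    ("198.51.100.1", "US"), ("198.51.100.2", "US"), ("198.51.100.3", "US"),
    ("192.0.2.10", "DE"), ("192.0.2.11", "DE"), ("192.0.2.12", "DE"), ("192.0.2.13", "DE"),
    ("203.0.113.9", "NL"), ("203.0.113.10", "NL"),
]


def naive_ranking(log):
    """Countries ranked by raw log entries, descending. This is the misleading view."""
    totals = Counter(country for _ip, country in log)
    return totals.most_common()


def country_stats(log):
    """Per country: entry count, unique IPs, and the share taken by the single top IP."""
    per_country_ips = defaultdict(Counter)
    for ip, country in log:
        per_country_ips[country][ip] += 1
    stats = {}
    for country, ips in per_country_ips.items():
        entries = sum(ips.values())
        top_ip, top_count = ips.most_common(1)[0]
        stats[country] = {
            "entries": entries,
            "unique_ips": len(ips),
            "top_ip": top_ip,
            "top_share": top_count / entries,
        }
    return stats


def suspected_gateways(stats, min_entries=10, share_threshold=0.8):
    """Countries where one IP supplies at least share_threshold of the entries.

    A real victim population spreads over many addresses; a single address
    carrying most of a country's traffic is the signature of a proxy in front
    of the C&C rather than of many infections. Thresholds are assumptions.
    """
    return {
        country: s["top_ip"]
        for country, s in stats.items()
        if s["entries"] >= min_entries and s["top_share"] >= share_threshold
    }


def victim_counts(log, exclude_ips=()):
    """Unique source IPs per country, with suspected gateway addresses removed."""
    exclude = set(exclude_ips)
    seen = defaultdict(set)
    for ip, country in log:
        if ip not in exclude:
            seen[country].add(ip)
    return {country: len(ips) for country, ips in seen.items()}


if __name__ == "__main__":
    print("naive ranking:", naive_ranking(SAMPLE_LOG))
    stats = country_stats(SAMPLE_LOG)
    gateways = suspected_gateways(stats)
    print("suspected gateways:", gateways)
    print("victims per country (gateways excluded):",
          victim_counts(SAMPLE_LOG, exclude_ips=gateways.values()))
```

On the constructed log the naive ranking puts NL far ahead with 42 entries, `suspected_gateways` flags `203.0.113.5` because it carries about 95% of the NL traffic, and the corrected count leaves NL with only two distinct victim addresses. The same check is worth running on any sinkhole or takedown dataset before drawing conclusions about targeting from country statistics.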
