Pony botnet appears to have acquired passwords for the likes of Facebook, Google, Twitter and LinkedIn
Security researchers have uncovered a server containing two million passwords, supposedly for some of the biggest services on the Internet, including Facebook, Twitter, Google and Yahoo accounts.
The Pony malware was responsible for hoovering up the logins. It has been causing carnage since its source code was made public and researchers found one botnet that had stolen 1,580,000 website logins and 320,000 email account credentials.
There were also rafts of FTP, remote desktop and secure shell logins on the server, according to SpiderLabs.
The Pony control panel, which appeared to be Russian, indicated Facebook was the worst impacted. Passwords for two Russian social media sites, vk.com and odnoklassniki.ru, were also included in the data trove.
“Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list,” said SpiderLabs researchers Daniel Chechik and Anat (Fox) Davidi, in a blog post.
“Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.”
The researchers were unable to learn much more about the attackers’ operation, as they used a reverse proxy between the infected machines and the command and control server. That meant outgoing traffic from infected machines only showed a connection to the proxy server, hiding the command and control server.
SpiderLabs did uncover some bad password practices, however: the single most common password in the trove was “123456”. “Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good,” the researchers added.
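The kind of triage SpiderLabs describes, ranking a recovered credential dump by how often each password recurs and binning passwords from “terrible” to “excellent”, can be reproduced with a short script. The block below is an added example and is not SpiderLabs’ code or data: the five-tier scale, its length and character-class thresholds, the short blocklist of known-bad passwords and the sample dump are all constructed assumptions for illustration.

```python
"""Triage a dump of recovered plaintext passwords.

Added example, not SpiderLabs' tooling. The tier thresholds below are an
assumed scale, not SpiderLabs' published criteria; the sample dump is
constructed and is not data from the Pony server.
"""
from collections import Counter
import string

TIERS = ("terrible", "bad", "medium", "good", "excellent")

# Assumed blocklist: anything on it is "terrible" regardless of its shape.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "1234",
                    "admin", "letmein", "abc123", "111111", "iloveyou"}

# Constructed sample dump (not real stolen data); duplicates are deliberate
# so the most-common ranking has something to show.
SAMPLE_DUMP = [
    "123456", "123456", "123456", "password", "123456789", "1234",
    "qwerty", "Summer2013", "Tr0ub4dor&3", "correcthorsebatterystaple",
    "P@ssw0rd!2013", "admin", "letmein", "abc123", "J7$kL9!qRz2#mN",
]


def charset_classes(pw: str) -> int:
    """Count distinct character classes (lower, upper, digit, punctuation)."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def rate(pw: str) -> str:
    """Bin one password on the assumed five-tier scale.

    Length dominates: a 16+ character passphrase is rated good or excellent
    even if it uses a single character class. Below that, short or
    single-class passwords are terrible, 7-8 characters are bad, and longer
    passwords climb one tier per additional character class.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return "terrible"
    n, k = len(pw), charset_classes(pw)
    if n >= 16:
        return "excellent" if k >= 3 else "good"
    if n <= 6 or k == 1:
        return "terrible"
    if n <= 8:
        return "bad"
    if k == 2:
        return "medium"
    if k == 3:
        return "good"
    return "excellent"


def summarize(dump) -> dict:
    """Return a count of passwords per tier, every tier present."""
    counts = {tier: 0 for tier in TIERS}
    for pw in dump:
        counts[rate(pw)] += 1
    return counts


def top_passwords(dump, n: int = 5):
    """Most frequently reused passwords, as (password, count) pairs."""
    return Counter(dump).most_common(n)


def weak_vs_strong(dump):
    """(terrible + bad, good + excellent): the comparison SpiderLabs drew."""
    s = summarize(dump)
    return s["terrible"] + s["bad"], s["good"] + s["excellent"]


if __name__ == "__main__":
    print("top passwords:", top_passwords(SAMPLE_DUMP, 3))
    print("tiers:", summarize(SAMPLE_DUMP))
    print("weak vs strong:", weak_vs_strong(SAMPLE_DUMP))
```

The blocklist check matters more than the character-class rules: a password such as “Summer2013” satisfies three classes and a length floor yet is a predictable season-plus-year pattern, so a real triage should check candidates against a large breached-password list rather than trust composition rules alone.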
They said the relevant parties had been contacted. LinkedIn and Facebook said they were aware of the issue and were looking into it.
“While details of this case are not yet clear, it appears that people’s computers may have been attacked by hackers using malware to scrape information directly from their web browsers,” a Facebook spokesperson said, in an emailed statement sent to TechWeekEurope.
“People can help protect themselves when using Facebook by activating Login Approvals and Login Notifications in their security settings. They will be notified when anyone tries to access their account from an unrecognized browser and new logins will require a unique passcode generated on their mobile phone.”
At the time of publication, Google and Yahoo had not responded to TechWeekEurope requests for comment.
Twitter confirmed it had reset the passwords of affected users.