The group dubbed ‘CyberVor’ has been collecting data from thousands of websites, using automated botnets to check for vulnerabilities
A cyber criminal gang believed to be based in central Russia has amassed more than 1.2 billion unique user name and password combinations from thousands of websites – the largest collection of stolen credentials ever discovered.
According to research by the US information security expert Hold Security, the group it dubbed ‘CyberVor’ (‘CyberThief’ in Russian) has been using several botnets to automate the process of scanning for vulnerabilities such as SQL injection flaws. Later, they simply attacked the websites which were proven to be vulnerable.
“The CyberVors did not differentiate between small or large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” states the Hold Security blog.
CyberVor has not put the information up for sale – instead, the group uses it in spam campaigns.
The announcement was meant to coincide with Black Hat USA, one of the most important cyber security conferences of the year.
Everyone’s a victim
Hold Security has been researching CyberVor for the past seven months. The hoard of credentials it discovered is a combination of the databases acquired on the black market and ones the cyber criminals stole themselves, using automated botnets to ‘audit’ hundreds of thousands of web and FTP sites.
“The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases,” said the company.
In total, CyberVor managed to assemble 4.5 billion records – which, after eliminating the duplicates, came down to 1.2 billion unique user name and password combinations, as well as 500 million email addresses.
Of course, not all of this data is valid or current, but even a fraction of this database in the wrong hands could spell trouble for Internet users. The group has not put the data up for sale, but if it did, the information could be used for identity theft and social engineering with the aim of getting financial details.
Alex Holden, founder and CISO of Hold Security, told the New York Times that the CyberVor gang includes under a dozen men in their 20s who all know each other personally, and run their operation from south central Russia. They began as amateur spammers in 2011, but recently stepped up their efforts, collecting most of the records between April and July.
Hold Security said that most websites featured in the database are still vulnerable, and advised businesses to check for SQL injection flaws and patch any holes they might have. Meanwhile, Internet users should consider changing their password, especially if they use the same login on multiple websites.
“While this sounds like a credentials disaster of the worst kind, the fact remains that we have yet to see any hard details on the various breaches – and currently no companies have come forward and admitted being affected,” commented Chris Boyd, malware intelligence analyst at Malwarebytes.
“With zero information out there to go on, all we can say is to change your logins if you feel you must, but don’t do it out of any sense of panic or impending doom. If this attack really is this wide reaching, then surely some of this information will come out in the wash eventually – with 1.2 billion passwords supposedly taken, it would be impossible for it not to.”
Hold Security will be launching an electronic identity monitoring service, part of which will enable the customers to check if their data appears in the CyberVor database.