


2 million stolen login credentials discovered for Facebook, Google, LinkedIn, Twitter, other sites

Dec 04, 2013 (3 min read)
Application Security | Cybercrime | Data and Information Security

Trustwave finds botnet C&C server with compromised account information

Almost 2 million stolen website and email login credentials were found on a botnet command-and-control server, with most of the compromised accounts belonging to Facebook, Google, Yahoo, Twitter, LinkedIn and other popular services.


Security vendor Trustwave discovered the C&C server, which was located in the Netherlands. Creators of the botnet, which comprised more than 1 million compromised computers, used malware and management software known as Pony to steal credentials for more than 93,000 domains.

The credentials were not stolen directly from the sites, but from the compromised personal computers, John Miller, security research manager at Trustwave, said Wednesday. The PCs were infected with the Pony malware, which had been installed when the computer users clicked on a malicious link sent via spam.

“Even though they’re accounts for online services such as Facebook, LinkedIn, Twitter and Google, it’s not a result of any weakness on those companies’ networks,” Miller said.

The security vendor discovered almost 1.6 million website login credentials and roughly 300,000 email credentials. While many of the stolen usernames and passwords were for the most popular U.S. sites, Trustwave also found credentials for two social networks aimed at Russian speakers, and that discovery indicated that a significant number of victims were Russian speakers. Trustwave estimates the botnet operators had compromised systems in about 100 countries.

Along with the email and website credentials, Trustwave also found almost 50,000 usernames and passwords for other services, including the Remote Desktop client built into Windows, which is used to log in to other computers.

In addition, there were credentials for FTP servers, used to upload and download files, and for secure shell (SSH) accounts, the remote command-line logins that administrators use to manage servers.

Among the top domains used by the compromised accounts was that of the payroll service provider ADP. Having credentials for the site could be lucrative, because the attackers could have access to bank account information and have the ability to cut checks or change payment recipients, Miller said.

Trustwave notified the affected sites and turned over the credentials for the compromised accounts. In addition, the vendor notified the Netherlands Computer Emergency Response Team (CERT) about the C&C server.

Pony malware and its controller software, which is used to manage the infected machines, are found in botnets belonging to many different cybercriminal groups. Trustwave could not determine who operated the newly discovered botnet.

Many of the stolen passwords were extremely weak. The top 10 included strings of consecutive digits starting at 1 and running as high as 8, as well as "password" and "admin."

For companies, the discovery is a reminder to keep telling employees not to click links in suspicious emails, to choose strong passwords, preferably a mix of letters, numbers and symbols, and to avoid reusing the same password across online services.
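The two password problems the article describes, trivially weak choices and the same password reused across services, are both easy to check mechanically. The following is an added example written for this page, not code from Trustwave or from the Pony investigation; it applies a blocklist containing the two words the article names ("password", "admin"), a check for runs of consecutive digits, and a character-class count, then scans a constructed credential list for the same user/password pair appearing on more than one service. The sample records are invented for illustration and are not from the recovered C&C data.

```python
import re
from collections import defaultdict

# Two of the top-10 passwords named in the article; a real blocklist would be far larger.
COMMON_PASSWORDS = {"password", "admin"}


def digit_run(pw: str) -> bool:
    """True when the password is nothing but an ascending or descending run of digits ('1234', '12345678')."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def weak_reasons(pw: str) -> list:
    """Return the list of reasons a password is weak; an empty list means it passed every check."""
    reasons = []
    if len(pw) < 8:
        reasons.append("too short")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if digit_run(pw):
        reasons.append("sequential digits")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    # Count how many of lower, upper, digit and symbol appear; require at least three.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def reused_across_services(credentials):
    """Given (service, user, password) records, return the (user, password) pairs seen on more than one service."""
    services_by_pair = defaultdict(set)
    for service, user, pw in credentials:
        services_by_pair[(user, pw)].add(service)
    return {pair: sorted(svcs) for pair, svcs in services_by_pair.items() if len(svcs) > 1}


# Constructed sample dump (hypothetical users and passwords, not real stolen data).
SAMPLE_DUMP = [
    ("facebook.com", "alice@example.com", "123456"),
    ("linkedin.com", "alice@example.com", "123456"),
    ("google.com", "alice@example.com", "Tr0ub4dor&3"),
    ("twitter.com", "bob@example.com", "password"),
    ("adp.com", "bob@example.com", "password"),
    ("ssh", "root@10.0.0.5", "admin"),
]

if __name__ == "__main__":
    for service, user, pw in SAMPLE_DUMP:
        print(f"{service:14} {user:22} {weak_reasons(pw) or 'ok'}")
    for (user, pw), services in reused_across_services(SAMPLE_DUMP).items():
        print(f"reused: {user} uses the same password on {', '.join(services)}")
```

Run against a credential dump handed over by a vendor or CERT, the reuse check is the one that matters most for incident response: a password reused between a social network and a payroll or SSH account is the case the article warns about, and those accounts should be reset first.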


In addition, companies need to be diligent about keeping browser plugins, such as Java, Adobe Flash and Adobe Acrobat, up to date with the latest patches, Miller said. Anti-virus software is useful for detecting malware, as is network-monitoring software that can spot unusual traffic between an office computer and a remote server.
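The "unusual traffic between an office computer and a remote server" that network monitoring can catch is, for a credential stealer phoning home to its C&C, typically a small, regularly timed connection to one external host. The following is an added example for this page, not Trustwave's tooling and not a description of Pony's actual check-in format: it parses constructed web-proxy log lines (timestamp, client IP, method, URL, status, bytes; the format, hosts and paths are invented) and flags any client/destination pair with at least a minimum number of hits whose inter-arrival times are nearly constant.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical proxy log format: "<ISO timestamp> <client IP> <method> <URL> <status> <bytes>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^https?://([^/]+)")


def parse(line: str):
    """Return (timestamp, client, destination host) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, _status, _size = m.groups()
    host = HOST_RE.match(url)
    if not host:
        return None
    return datetime.fromisoformat(ts), client, host.group(1)


def find_beacons(lines, min_hits: int = 5, max_cv: float = 0.15):
    """Flag (client, host) pairs whose connection gaps have a coefficient of variation <= max_cv.

    Returns {(client, host): mean_gap_seconds}. A low coefficient of variation means the
    connections are evenly spaced, which is how a malware check-in timer looks and how
    ordinary browsing does not.
    """
    timestamps = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, client, host = rec
            timestamps[(client, host)].append(ts)
    alerts = {}
    for key, times in timestamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts[key] = round(avg)
    return alerts


# Constructed sample: one host checking in to 203.0.113.10 roughly every five minutes,
# mixed with irregular browsing to www.example.com from the same and another host.
SAMPLE_LOG = [
    "2013-12-04T10:00:00 10.1.2.3 POST http://203.0.113.10/check.php 200 412",
    "2013-12-04T10:01:13 10.1.2.3 GET http://www.example.com/ 200 5120",
    "2013-12-04T10:05:02 10.1.2.3 POST http://203.0.113.10/check.php 200 409",
    "2013-12-04T10:07:45 10.1.2.3 GET http://www.example.com/news 200 8800",
    "2013-12-04T10:08:02 10.1.2.3 GET http://www.example.com/news/2 200 7700",
    "2013-12-04T10:09:58 10.1.2.3 POST http://203.0.113.10/check.php 200 415",
    "2013-12-04T10:15:01 10.1.2.3 POST http://203.0.113.10/check.php 200 411",
    "2013-12-04T10:20:00 10.1.2.3 POST http://203.0.113.10/check.php 200 413",
    "2013-12-04T10:20:30 10.1.2.3 GET http://www.example.com/about 200 3100",
    "2013-12-04T10:21:00 10.1.2.3 GET http://www.example.com/contact 200 2900",
    "2013-12-04T10:24:59 10.1.2.3 POST http://203.0.113.10/check.php 200 410",
    "2013-12-04T10:30:00 10.1.2.9 GET http://www.example.com/ 200 5120",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {client} -> {host} every ~{gap}s")
```

The thresholds are the tuning knobs: a longer observation window and a higher `min_hits` cut false positives from legitimate pollers (mail clients, update checkers), so in practice the output is an allowlist-filtered lead for an analyst rather than a verdict on its own.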