Russian 'Collector' Sells Stolen Email Credentials for a Song

...



A hacker dubbed "The Collector" turned over 272 million stolen email credentials in his possession, Hold Security announced Wednesday.

The hacker bragged online about the stash, which included usernames and passwords, the firm said. It got a copy of the data -- which the hacker was peddling for 50 rubles, or less than US$1 -- after giving him a shout-out in the forum.

"We found a post on one of the Russian dark Web forums from a hacker alleging collecting hundreds of millions of credentials," said Alex Holden, chief information security officer at Hold Security.

"After further private conversations, he shared 1.17 billion records which contained 272 million unique user ID and password pairs," he told the E-Commerce Times.

The company concluded that the haul was the aggregate of a number of different breaches, not least because 42.5 million of the credentials, or roughly 15 percent, had never been seen on the black market before, Holden said.
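The arithmetic in the two paragraphs above (1.17 billion raw records reduced to 272 million unique user ID and password pairs, of which 42.5 million, about 15 percent, were new) is the standard triage a threat-intelligence team runs on a credential dump. The script below is an added example, not Hold Security's tooling: it parses a small constructed "combo list", deduplicates it, and measures what fraction of the unique pairs is absent from a constructed "previously seen" set. The dump lines, the separator conventions and the previously-seen set are all assumptions made for illustration. Pairs are compared as SHA-256 digests of the normalised pair, so the comparison set never has to hold plaintext passwords.

```python
"""Triage a credential dump ("combo list"): count raw records versus unique
user:password pairs, then measure how many of those pairs are novel.

Added example, not code from the article or from Hold Security.  The dump
text and the PREVIOUSLY_SEEN set are constructed for illustration.
"""
import hashlib
from collections import Counter

# Constructed sample dump: "user:password" lines as typically traded,
# with duplicates, a blank line and one line using ';' as the separator.
SAMPLE_DUMP = """\
alice@example.com:Summer2015!
bob@example.net:hunter2
alice@example.com:Summer2015!
carol@example.org;letmein
dave@example.com:password1

bob@example.net:hunter2
erin@example.org:qwerty123
"""


def pair_digest(user: str, password: str) -> str:
    """Stable digest of a normalised (user, password) pair.

    Dumps are messy about case in the user ID, so it is lowercased; the
    password is left untouched because case is significant there.  A NUL
    separator keeps "a:b" + "c" distinct from "a" + "b:c".
    """
    return hashlib.sha256(f"{user.lower()}\x00{password}".encode()).hexdigest()


# Constructed "already seen on the market" set, held as digests only.
PREVIOUSLY_SEEN = {
    pair_digest("bob@example.net", "hunter2"),
    pair_digest("dave@example.com", "password1"),
}


def parse_dump(text: str):
    """Yield (user, password) tuples from raw dump text.

    Splits on the FIRST ':' or ';' only, so passwords that themselves
    contain a separator survive intact; blank or malformed lines are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        positions = [i for i in (line.find(":"), line.find(";")) if i >= 0]
        if not positions:
            continue
        sep = min(positions)
        user, password = line[:sep].strip(), line[sep + 1:]
        if user and password:
            yield user, password


def triage(text: str, seen: set) -> dict:
    """Summarise a dump: raw record count, unique pairs, novel pairs,
    novel fraction and a per-domain breakdown of the unique pairs."""
    records = list(parse_dump(text))
    unique = {pair_digest(u, p): (u, p) for u, p in records}
    novel = [d for d in unique if d not in seen]
    domains = Counter(u.rsplit("@", 1)[-1].lower() for u, _ in unique.values())
    return {
        "records": len(records),
        "unique_pairs": len(unique),
        "novel_pairs": len(novel),
        "novel_fraction": len(novel) / len(unique) if unique else 0.0,
        "domains": domains,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP, PREVIOUSLY_SEEN)
    print(f"records={summary['records']} unique={summary['unique_pairs']} "
          f"novel={summary['novel_pairs']} ({summary['novel_fraction']:.0%})")
    for domain, count in summary["domains"].most_common():
        print(f"  {domain}: {count}")
```

On the constructed input the seven raw lines collapse to five unique pairs, three of which are absent from the comparison set; the same code, fed a real dump and a digest set built from earlier dumps, yields the "records / unique / never seen before" figures quoted in the article. Storing only digests of the comparison set matters when the dump has to be shared with affected providers: the provider can check its own users' pairs against the digests without either side exchanging plaintext passwords.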

Hold Security knows the vectors of the attacks, but most of the data is unattributed and too mixed to identify exactly how all of it was accessed.

The stolen credentials in that group included plaintext passwords. In addition, most of the credentials were being traded on the black market but had not yet been widely shared, Holden said.

Hold Security isn't the only company that may have seen this information. "We make no illusion that this data was only shared with us," he said. "Given the ease with which it was given away, it was likely shared many times by the hacker," who he estimated to be between 18 and 25 years old.

The company is still trying to nail down the exact time frame, but the breaches definitely took place within the past year, it said.

A victim of this type of breach is exposed to every kind of follow-on abuse, because the same login credentials can be reused to break into additional accounts and to gather information from the email account itself, Holden warned.

"Your user ID and password are like your house keys," he said. "Once you lose a key, it is best to change the locks right away."

Underground dark Web forums operate in some ways similar to traditional social media networks, with hackers posting profile pages and exchanging goods and services to enhance their online reputation, according to Sasha Hellberg, a threat researcher at Trend Micro.

"Forums are made and broken by the number of active users and likes they have," she told the E-Commerce Times. "They link to their friends and their wares, and they promote each other and their capabilities."

Email credentials can be accessed using several methods, including publicly leaked breaches, credential theft botnets, brute-force attacks and phishing, said Cameron Sabel, intelligence analyst at FireEye.

Corporate accounts tend to be the most valuable to hackers as they are often used to breach corporate networks, he told the E-Commerce Times.

More alarmingly, GreatHorn has traced a security breach that may be directly linked to the Russian credential dump, CEO Kevin O'Brien said.

An account belonging to a prominent U.S. venture capitalist began sending a credential-stealing cloud document to GreatHorn and many of its clients. The message was not spoofed, carried no malware or blacklisted URLs, and so bypassed security gateways and landed directly in user inboxes.

"Based on our analysis, we believe this was a result of this attack," O'Brien told the E-Commerce Times. GreatHorn has observed logins from Europe to the accounts the attack compromised.

"The clear value of credentials to hackers is that they allow them to not only gain illicit access to the private data of the victims, but also use those same email accounts to move east-west -- that is, to laterally attack other trusted contacts," he said.

"Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers," a Microsoft spokesperson said in a statement provided to the E-Commerce Times by company representative Molly Terrell. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
