Internet security freak-out of the week: Russian gangsters have a billion stolen passwords
If you thought security incidents like the theft of personal information from retail giant Target were bad news, you won't like hearing that a Russian gang has quietly amassed a stockpile of stolen Internet user names, passwords, and email addresses that dwarfs any previous security breach. In fact, based on the New York Times' account, it might be bigger than all of the others put together:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
But obviously not falling all over themselves to notify users of the risk...
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
Wonderful. On the bright side, we are assured these gangsters have no connection with Vlad Putin's Moscow-based syndicate, aka "the Russian government." On the down side, if things heat up in Ukraine (as it seems increasingly likely they will) it won't be tough for Putin to buy some passwords from the hackers and step up his cyber-war game.
Interestingly, the security analysts quoted in the Times story don't think the gangsters are currently using their stolen passwords to rob anyone - an activity that would clearly tip their hand and let the victims know their online security has been compromised. Instead, the crooks "appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work." The gang actually got its start running a spam factory:
The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.
“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.
How did they harvest such an astounding trove of passwords and email addresses? They've been spreading a low-level virus, evidently very difficult to detect, which tests every website an infected user visits for vulnerability to the gang's favored hacking techniques. If the site is vulnerable, the virus relays its address to the gang, so they can crack it at their leisure. They essentially turned thousands of unwitting users into their scouts.
Ever since I started writing about large-scale online security breaches, I've heard annual warnings that hackers are winning the arms race against security companies - viruses mutate faster than defenses can be adapted to repel them, while the amount of vulnerable online territory has grown too vast to protect. The situation appears to be getting worse, as a RAND Corporation researcher told the Times, "We're constantly playing this cat-and-mouse game, but ultimately companies just patch and pray." Considering what a dozen kids in Russia were able to accomplish with a bot virus and some standard hacking tools, it's time to pray harder.