14 DAY TRIAL // On Tuesday, an announcement from Hold Security informed that a single group of cybercriminals, who the company named CyberVor, had amassed as many as 4.5 billion records containing email addresses and account passwords.
After eliminating the duplicates, the company said that only 1.2 billion credentials (usernames - which are generally emails and passwords) appeared to be unique and were linked to more than 500 million email addresses.
All this information had been comprised from the databases of more than 420,000 websites and FTP locations, over a longer period of time; Hold Security spent more than seven months of research until they identified the gang in possession of the massive amount of data.
Maybe because these numbers are so frightening, media online started to dissect the details provided by Hold Security in an attempt to dismiss the news as a lie and an attempt from the company to promote its services to both users and businesses.
Advertising their services, especially ahead of the most popular part Black Hat USA in Las Vegas this year, sure seems like a business move, but making their products known to a large audience is what companies do to keep playing the game and move up to the next level.
Although the amount of the collected data may sound blown out of proportion for many users, the truth is that cybercriminal rings are getting better and better at extracting information from online locations, while website administrators are not too quick at applying the latest patches and fixes that would protect their assets (one recent example would be the thousands of websites hacked through the unpatched MailPoet vulnerability).
Furthermore, to create such a large database, CyberVor started by buying credentials on the black market, and used them in attacks on services that gathered large crowds of users (email providers, social media sites).
They used various methods, and the latest they relied on was data gathering by botnets, infected computers controlled by cybercriminals; these would be leveraged to test for SQL injection vulnerabilities on every website visited by the owner of the compromised systems.
According to Hold Security numbers, more than 420,000 were discovered vulnerable to this type of attack. Simple math would tell us that CyberVor would have to steal an estimated average of 2,850 unique credentials from each of them, and this is without deducting the records collected through other means; overall, the figure rises to 10,700 per site.
Robert Capps, senior director of customer success at RedSeal Networks, a company offering end-to-end network visibility and analytics to prevent cyber-attacks, told us via email that, “while the current disclosure is unsettling for consumers, security professionals have long believed that cybercriminals were combining stolen consumer data from multiple breaches, to make their attacks more effective. This confirms their suspicions.”
What should be impressive is not the number of credentials in the hands of cybercriminals, but the fact that one single group has them. However, let us remember that the Target breach last year ended with information about up to 110 million customers falling into the wrong hands, 40 million records containing credit and debit card information, which benefits from increased security.
About the CyberVor database, Adam Kujawa, head of Malware Intelligence at Malwarebytes, said that “the scale of this find reflects our current reality. While many cyber-criminal groups might not be holding on to billions of login credentials at one time as in this case, they grab information, either use it for their own purposes or sell it to the highest bidder.”
They are creative enough to find a way to make money even if they cannot use the stolen information themselves.
“Phishing attacks, malware and poor password security allow these attackers to obtain the most from their efforts. This is only an instance of finding a lot of credentials collected in one place but if you put it up against the numbers that are currently circulating through the underground markets, it would seem small,” he added via email.
However, there are several things to bear in mind regarding Hold Security’s report, and that is that although CyberVor holds 1.2 billion unique username and password pairs, not all of these can actually be used for nefarious activities.
What needs to be taken into consideration is that some users rely on disposable email addresses to create an account from a service without having to deal with notifications from them.
Of course, it is very likely that this would account for a very small proportion of the 1.2 billion credentials.
A stronger possibility is that many users have adopted good password security practices and change the countersigns for the most important services on a regular basis; this won’t save them from spam or phishing, though, which is exactly the business CyberVor appears to be in (Alex Holden told the New York Times that the ring collects fees from other groups for sending out spam).
Also to be considered is the fact that, in some cases, the database information might be encrypted and the cybercriminals may not be able to crack the cipher.
“If this crime ring has company credentials then many of those credentials eventually will become stale as employees are terminated or accounts passwords are changed by the user,” Joe Schumacher, security consultant for Neohapsis, told us.
As far as the authenticity of the information is concerned, some security experts (an unknown source for the New York Times and security blogger Brian Krebs), who have been shown the data discovered by Hold Security’s research, say that the details are for real.
Alex Holden, CEO of Hold Security, has been under media scrutiny recently, as a result of this announcement, his character being painted as a shady one that wanted to promote the products of his company at a conference the entire security industry has its eyes on. But business is business and, as they say, there is no such thing as bad publicity.
The bottom line is that even if Hold Security’s announcement is regarded with skepticism, a database with so many credentials is not far-fetched for cybercriminals to possess. And this should be more than a warning that both users and web services should take a more proactive stance towards protecting their information.