Jun 28, 2011 12:53 GMT

A group of hackers has leaked tens of MySpace and PayPal login credentials which were allegedly captured by sniffing packets on open wireless networks.

Called D3V29, the group has openly declared its affiliation with Operation Anti-Security (AntiSec), the hacking campaign originally started by LulzSec and carried forward by Anonymous.

D3V29 posted the "dumps" on pastebin.com and advertised the links on its Twitter feed. The group told SC Magazine AU that it obtained the credentials by scanning public wireless networks in restaurants and stores with self-made software.

The software is described as batch code that connects to the network and intercepts login data. The description resembles that of ARP spoofing attacks.

There is one problem with this theory though — PayPal uses HTTPS for login, and so do most modern websites. This ensures that passwords are not transmitted in plaintext form.

Another type of attack that results in account compromise and is possible over open wireless networks is known as sidejacking and involves capturing the session cookies that are sent along with web requests.

Websites that do not employ full-session HTTPS leave their users exposed to this type of attack. However, sidejacking has nothing to do with passwords either.

Attackers can use the captured cookies to hijack active sessions. This would give them temporary access to the corresponding accounts, but they still wouldn't get plaintext passwords like those leaked by D3V29.
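A site owner can check for the sidejacking exposure described above by auditing the cookies a login flow sets. The following is an added example, not part of the original article; the URLs, cookie names and values are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for sidejacking exposure.
# All hosts, cookie names and values below are constructed sample data.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attribute-dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return (cookie_name, reason) findings; headers is a list of (name, value)."""
    findings = []
    over_https = url.lower().startswith("https://")
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(hvalue)
        if not over_https:
            findings.append((cookie, "set over plain HTTP, visible on the wire"))
        elif "secure" not in attrs:
            findings.append((cookie, "no Secure attribute, sent on later HTTP requests"))
    return findings


# Constructed responses: HTTPS login followed by an HTTP page on the same site.
SAMPLE = [
    ("https://shop.example/login", [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
    ]),
    ("http://shop.example/home", [
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
]

def audit_all(sample=SAMPLE):
    return [(url, f) for url, hdrs in sample for f in audit_response(url, hdrs)]

if __name__ == "__main__":
    for url, (cookie, reason) in audit_all():
        print(f"{url}: {cookie}: {reason}")
```

The constructed login response is served over HTTPS, yet its session cookie is still flagged: without the Secure attribute the browser attaches it to any later plain-HTTP request to the same site, which is the gap full-session HTTPS closes.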

It is more likely that these hackers used phishing or a trojan to steal the login credentials than a WiFi-based attack. However, regardless of the method used, PayPal and MySpace should react immediately by suspending the accounts or resetting their passwords in order to prevent further abuse.

As we previously said, the fact that LulzSec disbanded and its members merged back into Anonymous to keep a lower profile doesn't mean that the indiscriminate attacks and leaking of user information will stop.