Almost 6,000 Australian websites have been compromised

Aug 12, 2014 09:11 GMT  ·  By

The CyberVor cybercrime gang is believed to hold login details for at least 2,285,295 Australian users of .au websites.

Alex Holden, CEO of Hold Security, the company that announced last week that a Russian cybercriminal group had amassed a database of 1.2 billion unique credentials, said that the cache of information on Australian individuals contained email addresses and passwords.

Talking to The Register, Holden also said that this data was collected from at least 5,929 “.com.au” websites. The real figure is likely higher, since “.net.au” domains were not included in the count.

The credentials could be extracted because the websites were vulnerable to SQL injection: user-supplied input was inserted into database queries without being separated from the query text, letting an attacker rewrite the query to dump tables such as the one holding user accounts.

Hold Security is currently notifying the operators of the websites identified as vulnerable, so that administrators can fix the flaw and protect their visitors.
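The following is an added illustration, not code from the article or from any of the affected sites, of the class of flaw described above and of the fix administrators are being asked to apply. It uses an in-memory SQLite database with a constructed, fictional `users` table; the payload, the table layout and the helper names are assumptions for the demonstration. The vulnerable lookup builds the query by string concatenation, so a crafted username turns a single-account lookup into a dump of every email/password pair; the hardened lookup binds the value as a parameter and the same payload returns nothing.

```python
import sqlite3

# Constructed sample data for the demo; these are not real accounts.
SAMPLE_USERS = [
    ("alice@example.com.au", "s3cret"),
    ("bob@example.com.au", "hunter2"),
    ("carol@example.com.au", "letmein"),
]

# Assumed attacker input: closes the string literal, appends a UNION that
# selects every row of the users table, and comments out the trailing quote.
PAYLOAD = "nobody' UNION SELECT email, password FROM users--"


def make_db():
    """Create a throwaway in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, email):
    """VULNERABLE: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email):
    """HARDENED: the input is sent as a bound parameter, never parsed as SQL."""
    sql = "SELECT email, password FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with the same malicious input and return the results."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_lookup(conn, PAYLOAD),  # every row in the table
        "safe": safe_lookup(conn, PAYLOAD),              # no row matches
    }


if __name__ == "__main__":
    results = demo()
    print("vulnerable lookup returned", len(results["vulnerable"]), "rows")
    print("safe lookup returned", len(results["safe"]), "rows")
```

Parameter binding is the fix, not input filtering: the database driver transmits the value separately from the statement, so quotes and comment sequences in it can never change the query's structure. Storing passwords hashed with a slow, salted function rather than in clear text is the complementary defence, since it limits what a successful dump is worth to the attacker.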

Users are advised to change their passwords, at least for their most important online services, to prevent unauthorized access to their accounts. Because stolen credentials are routinely tried against other services, the replacement passwords should be unique to each site.

As in the initial announcement, Holden did not name any of the affected websites, a decision that drew a flurry of articles accusing the company of timing the disclosure to the Black Hat security conference in order to promote its services.

The cybercriminal group believed to hold what has been dubbed “the largest cache of stolen data” was named CyberVor by Hold Security, “vor” being Russian for “thief.”

The company, which monitors underground forums to collect information on the latest breaches and the trends criminals adopt, says that CyberVor holds 4.5 billion records in total, of which only 1.2 billion are unique credentials, tied to more than 500 million email addresses.

Not all of the information was stolen through SQL injection: the gang started by purchasing user data from fellow criminals and then used it to attack online services with large user bases.

Later, CyberVor relied on botnets that scanned for websites vulnerable to SQL injection and reported the results back to the gang.

This operation appears to have affected over 400,000 websites; FTP servers were also targeted, bringing the total to more than 420,000.

For now, it is difficult to determine whether the affected Australians have been targeted by follow-on attacks such as spam and phishing that lure them to websites serving malware.