Botnet was used to steal credentials from 2 million accounts globally

By -

In the latest information security attack news, approximately 2 million accounts have been compromised. A Botnet using software controller named “Pony” was used for the attack and 2 million accounts which includes login ids and passwords from many popular websites such as Facebook, Twitter, Google, Yahoo, LinkedIn among others were found in Netherlands based server.

Details of attack by Pony software using Botnet

The number of login credentials stolen from these websites are as follows: Facebook suffered the most with 318,121 credentials, Yahoo had 59,549 accounts comprised, Google with 54,437 accounts, Twitter had 21,708 credentials stolen and LinkedIn with 8,490 accounts. VKontakte, one of the most popular and widely used social networking site in Russia also suffered with 6,867 accounts compromised, Odnoklassniki another Russian website was also hacked into.

Apart from social networking the Botnet was also used to steal; 320,000 email account credentials; 41,000 FTP account credentials; 3,000 Remote Desktop credentials and 3,000 Secure Shell account credentials were also found on the sever.

Another company within the list is an interesting find because it is neither a social network nor an email account. The company in question is ADP, which deals with Payrolls and Human Resources software. According to its website, ADP is paying one in 6 workers in the US, and has moved about US$1.4 trillion in fiscal 2013.

Chart showing attack using Botnet targeted globally

Trustwave SpiderLabs who first found out about Pony software using Botnet and reported the attack says the attackers used reverse-proxy technique. And although the attack at first appeared to be targeted towards Netherlands, after studying more in to it, they came to conclude the attack was in fact global, targeting about 92 countries. “A quick glance at the geo-location statistics above would make one think that this attack was a targeted attack on the Netherlands. Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well. This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down–outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down“, wrote Chechik in the post.

Via – PCWorld

Source – Trustwave SpiderLabs

Photo Credit – FutUndBeidl/Flickr

Subscribe to our Mailing List
We promise to never spam.

Get all the interesting stories delivered straight to Inbox.

Darshik Jariwala is an IT Professional from Canada, with 3+ years of experience and knowledge in various verticals in the IT industry. In his leisure time, he loves writing Blogs, Reading, watching Movies, occasional Photography and most of all having coffee with friends. You can also befriend him on , and .

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.