Russian Gang Amasses Over a Billion Internet Passwords
By NICOLE PERLROTH and DAVID GELLES AUG. 5, 2014
A Russian crime ring has amassed the largest known
collection of stolen Internet credentials, including 1.2 billion user name and
password combinations and more than 500 million email addresses, security
researchers say.
The records, discovered by Hold Security, a firm in
Milwaukee, include confidential material gathered from 420,000 websites,
ranging from household names to small Internet sites. Hold Security has a
history of uncovering significant hacks, including the theft last year of tens of
millions of records from Adobe Systems.
Hold Security would not name the victims, citing
nondisclosure agreements and a reluctance to name companies whose sites
remained vulnerable. At the request of The New York Times, a security expert
not affiliated with Hold Security analyzed the database of stolen credentials
and confirmed it was authentic. Another computer crime expert who had reviewed
the data, but was not allowed to discuss it publicly, said some big companies
were aware that their records were among the stolen information.
“Hackers did not just target U.S. companies, they
targeted any website they could get, ranging from Fortune 500 companies to very
small websites,” said Alex Holden, the founder and chief information security
officer of Hold Security. “And most of these sites are still vulnerable.”
Mr. Holden, who is paid to consult on the security of
corporate websites, decided to make details of the attack public this week to
coincide with discussions at an industry conference and to let the many small
sites he will not be able to contact know that they should look into the
problem.
There is worry among some in the security community that
keeping personal information out of the hands of thieves is increasingly a
losing battle. In December, 40 million credit card numbers and 70 million
addresses, phone numbers and additional pieces of personal information were
stolen from the retail giant Target by hackers in Eastern Europe.
And in October, federal prosecutors said an identity
theft service in Vietnam managed to obtain as many as 200 million personal
records, including Social Security numbers, credit card data and bank account
information from Court Ventures, a company now owned by the data brokerage firm
Experian.
But the discovery by Hold Security dwarfs those
incidents, and the size of the latest discovery has prompted security experts
to call for improved identity protection on the web.
“Companies that rely on user names and passwords have to
develop a sense of urgency about changing this,” said Avivah Litan, a security
analyst at the research firm Gartner. “Until they do, criminals will just keep
stockpiling people’s credentials.”
Websites inside Russia had been hacked, too, and Mr.
Holden said he saw no connection between the hackers and the Russian
government. He said he planned to alert law enforcement after making the
research public, though the Russian government has not historically pursued
accused hackers.
So far, the criminals have not sold many of the records
online. Instead, they appear to be using the stolen information to send spam on
social networks like Twitter at the behest of other groups, collecting fees for
their work.
But selling more of the records on the black market would
be lucrative.
While a credit card can be easily canceled, personal
credentials like an email address, Social Security number or password can be
used for identity theft. Because people tend to use the same passwords for
different sites, criminals test stolen credentials on websites where valuable
information can be gleaned, like those of banks and brokerage firms.
Like other computer security consulting firms, Hold
Security has contacts in the criminal hacking community and has been monitoring
and even communicating with this particular group for some time.
For people worried about identity theft and privacy, the
discovery by Hold Security of a giant database of stolen data is highly
personal. But there are steps everyone can take to minimize the hackers’
impact.
The hacking ring is based in a small city in south
central Russia, the region flanked by Kazakhstan and Mongolia. The group
includes fewer than a dozen men in their 20s who know one another personally —
not just virtually. Their computer servers are thought to be in Russia.
“There is a division of labor within the gang,” Mr.
Holden said. “Some are writing the programming, some are stealing the data.
It’s like you would imagine a small company; everyone is trying to make a
living.”
They began as amateur spammers in 2011, buying stolen
databases of personal information on the black market. But in April, the group
accelerated its activity. Mr. Holden surmised they partnered with another
entity, whom he has not identified, that may have shared hacking techniques and
tools.
Since then, the Russian hackers have been able to capture
credentials on a mass scale using botnets — networks of zombie computers that
have been infected with malware — to do their bidding. Any time an
infected user visits a website, the criminals command the botnet to test that
website for a well-known flaw called SQL injection, in which text typed into a
web form or URL is run as part of the site's database query, so that a crafted
input can make the database disclose its contents. If the website proves
vulnerable, the criminals flag the site and return later to extract the full
contents of the database.
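To make the two halves of that description concrete, the following added example (not code from the article or from any site it describes) builds a tiny in-memory users table with constructed data, shows a lookup that splices user input into the query string beside the same lookup with a bound parameter, and runs the kind of error-based probe a scanner uses to decide whether a site is worth coming back to. The table layout, payloads and function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample rows (not from the article): a small users table of the
# kind the botnet is described as probing and later dumping.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "s3cret"),
    ("bob", "bob@example.com", "hunter2"),
    ("carol", "carol@example.com", "letmein"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the input is pasted into the statement text, so quotes and
    keywords in it are parsed as SQL rather than compared as data."""
    sql = "SELECT username, email, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the driver sends the statement and the value separately, so
    the same input is matched literally and cannot change the query."""
    sql = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the string literal and makes the WHERE clause
# always true, so the vulnerable lookup returns every row in the table.
DUMP_PAYLOAD = "x' OR '1'='1"


def probe_for_injection(conn, lookup):
    """Error-based probe of the kind a scanner uses to flag a site: a lone
    quote that breaks the statement's syntax shows the input is being spliced
    into SQL unescaped. Returns True when the lookup is injectable."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup with payload:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("parameterized lookup with payload:", lookup_parameterized(db, DUMP_PAYLOAD))
    print("vulnerable probe:", probe_for_injection(db, lookup_vulnerable))
    print("parameterized probe:", probe_for_injection(db, lookup_parameterized))
```

The probe is the "audit" step the article describes, and the tautology payload stands in for the later "extract the full contents" step; in practice the dump would use UNION or blind techniques, but the root cause and the fix (bound parameters, never string formatting) are the same.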
“They audited the Internet,” Mr. Holden said. It was not
clear, however, how the computers making up the botnet had been infected in the first place.
By July, criminals were able to collect 4.5 billion
records — each a user name and password — though many overlapped. After sorting
through the data, Hold Security found that 1.2 billion of those records were
unique. Because people tend to use multiple emails, they filtered further and
found that the criminals’ database included about 542 million unique email
addresses.
“Most of these sites are still vulnerable,” said Mr.
Holden, emphasizing that the hackers continue to exploit the vulnerability and
collect data.
Mr. Holden said his team had begun alerting victimized
companies to the breaches, but had been unable to reach every website. He said
his firm was also trying to come up with an online tool that would allow
individuals to securely test for their information in the database.
The disclosure comes as hackers and security companies
gathered in Las Vegas for the annual Black Hat security conference this week.
The event, which began as a small hacker convention in 1997, now attracts
thousands of security vendors peddling the latest and greatest in security
technologies. At the conference, security firms often release research — to
land new business, discuss with colleagues or simply for bragging rights.
Yet for all the new security mousetraps, data security
breaches have only gotten larger, more frequent and more costly. The average
total cost of a data breach to a company increased 15 percent this year from
last year, to $3.5 million per breach, from $3.1 million, according to a joint
study last May, published by the Ponemon Institute, an independent research
group, and IBM.
Last February, Mr. Holden also uncovered a database of
360 million records for sale, which were collected from multiple companies.
“The ability to attack is certainly outpacing the ability
to defend,” said Lillian Ablon, a security researcher at the RAND Corporation.
“We’re constantly playing this cat and mouse game, but ultimately companies
just patch and pray.”
Nicole Perlroth reported from San Francisco and David
Gelles from New York City.
A version of this article appears in print on August 6,
2014, on page A1 of the New York edition with the headline: Russian Hackers
Steal Passwords of Billion Users