Researchers have discovered another massive trove of sensitive data: a dizzying 1.2TB database containing login credentials, browser cookies, autocomplete data and payment information, extracted by a piece of malware that has not yet been identified.
In all, NordLocker researchers said Wednesday that the database contains 26 million login credentials, 1
The stash also included over 1 million images and more than 650,000 Word and .pdf files. In addition, the malware took a screenshot after infecting a computer and took a picture using the device’s webcam. The stolen data also came from messaging, email, gaming and file-sharing applications. The data was extracted between 2018 and 2020 from more than 3 million computers.
A thriving market
The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including the ransomware attack in May against Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are available for sale online.
Alon Gal, co-founder and chief technical officer of security firm Hudson Rock, said such data is often collected first by information-stealing malware installed by an attacker trying to steal cryptocurrency or commit a similar type of crime.
“The attacker will probably try to steal cryptocurrencies and, once he’s done with the information, will sell to groups whose experience is ransomware, data breaches and corporate espionage,” Gal told me. “These thieves capture browser passwords, cookies, files and more and send them to [the command and control server] of the attacker.”
NordLocker researchers said there was no shortage of sources from which attackers could obtain such malware.
“The truth is that anyone can get their hands on personalized malware,” the researchers wrote. “It’s cheap, adaptable and can be found all over the web. Dark web ads for these viruses reveal even more truth about this market. For example, anyone can get their own malware and even tutorials on how to use stolen data for only $100. And personalization means personalization – advertisers promise to create a virus that attacks virtually any application from which the buyer needs.”
NordLocker was unable to identify the malware used in this case. Gal said that widely used malware from 2018 to 2019 included Azorult and, more recently, an information stealer known as Raccoon. Once infected, a computer regularly sends stolen data to a command-and-control server operated by the attacker.
In total, the malware collected credentials for nearly 1 million sites, including Facebook, Twitter, Amazon and Gmail. Of the 2 billion cookies extracted, 22 percent remained valid at the time of discovery. The files can be useful for profiling the habits and interests of victims, and if the cookies are used for authentication, they give access to a person’s online accounts. NordLocker provides other figures here.
People who want to determine whether their data was swept up by the malware can check the Have I Been Pwned breach notification service, which has just added the list of compromised accounts.