Almost 2 million stolen website and email login credentials were found on a botnet command-and-control server, with most of the compromised accounts belonging to Facebook, Google, Yahoo, Twitter, LinkedIn and other popular services.
Security vendor Trustwave discovered the C&C server, which was located in the Netherlands. Creators of the botnet, comprised of more than 93,000 compromised personal computers, used malware and management software known as Pony.
The credentials were not stolen directly from the sites, but from the compromised personal computers, John Miller, security research manager at Trustwave, said Wednesday. The PCs were infected with the Pony malware, which had been installed when the computer users clicked on a malicious link sent via spam.
"Even though they're accounts for online services such as Facebook, LinkedIn, Twitter and Google, it's not a result of any weakness on those companies' networks," Miller said.
The security vendor discovered almost 1.6 million website login credentials and roughly 300,000 email credentials. While many of the stolen usernames and passwords were used for the most popular U.S. sites, Trustwave also found those for two social networks aimed at Russian speakers, vk.com and odnoklassniki.ru.
The discovery was an indication that a significant number of victims were Russian speakers. Trustwave estimates the botnet operators had compromised systems in about 100 countries.
Along with the email and website credentials, Trustwave also found almost 50,000 usernames and passwords for other services, including the remote desktop application in Windows used to login to other computers.
In addition, there were credentials to FTP servers used to upload and download files and to secure shell accounts, which are remote command-line logins used by administrators to manage servers.
Among the top domains used by the compromised accounts was that of the payroll service provider ADP. Having credentials for the site adp.com could be lucrative, because the attackers could have access to bank account information and have the ability to cut checks or change payment recipients, Miller said.
Trustwave notified the affected sites and turned over the credentials for the compromised accounts. In addition, the vendor notified the Netherlands Computer Emergency Response Team (CERT) about the C&C server.
Pony malware and controller software used in managing networks is found in botnets belonging to many groups of cybercriminals. Trustwave could not determine the operators of the recently discovered botnet.
Many of the stolen passwords were found to be extremely weak. The top 10 included a series of consecutive numbers between one and eight, as well as "password" and "admin."
For companies, the discovery is a warning to constantly remind employees not to click on links in suspicious emails, to choose strong passwords, preferably a combination of letters, numbers and characters; and to avoid using the same password across online services.