Passwords in Notepad: mysterious virus hits millions of computers


A large database containing tens of millions of passwords to popular services such as Facebook, Twitter, Amazon, Gmail and others has been discovered online. According to reports, all of the information was harvested by an unknown virus whose origin has not yet been established. Gazeta.Ru looked into how attackers can exploit such leaks and how to check whether your password has been compromised.

Researchers at NordLocker reported the discovery of a publicly accessible database of more than 1.2 TB containing personal data of users from around the world, Ars Technica reports.

The database contains username-password pairs, cookies, autofill data and payment information, all of it stolen by an unknown virus whose origin has not yet been established.

In total it holds 26 million passwords, 1.1 million unique email addresses and 6.6 million different documents.

Some users are believed to have stored their passwords in .txt files created with Notepad, or in some other unprotected form.

The malware not only collected data from the victim's computer but also took a screenshot and a webcam snapshot. It is known to have been active between 2018 and 2020 and to have infected around 3 million systems.

Passwords found in this database provide access to one million popular websites worldwide, including Facebook, Twitter, Amazon and Gmail. The leak aggregator Have I Been Pwned has already been updated with the new data, and users are advised to check the email address they use to log in to online platforms to see whether they have fallen victim to the mysterious virus. If the email has been compromised, it should be changed immediately.
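Have I Been Pwned also publishes the leaked passwords themselves through its Pwned Passwords range API, which lets a user or an application check a password without ever sending it to the service: only the first five hex characters of the password's SHA-1 hash are transmitted, and the response lists every hash suffix in that range with a breach count. The following is an added example, not code from the article or from Have I Been Pwned; it assumes the public `api.pwnedpasswords.com/range/` endpoint and its `SUFFIX:COUNT` line format, and the sample response body embedded in it is constructed for offline testing (the counts are made up, though the first suffix completes the real SHA-1 of the string "password").

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus using
the k-anonymity range API. Only a 5-character hash prefix leaves the machine;
the matching of the remaining 35 characters happens locally."""
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint (no API key needed). Assumed here.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 in the API's
# "SUFFIX:COUNT" format (CRLF line endings, as the service returns them).
# Counts are made up for this example; only the first suffix is real: it is
# the tail of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_BODY = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "0" * 34 + "A:2",
    "F" * 35 + ":0",          # padding entries with count 0 also occur
]) + "\r\n"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate blank lines
    and reject malformed input rather than silently treating it as 'safe'."""
    counts = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times `password` appears in the corpus, given the range
    response for the password's own prefix (0 if the suffix is absent).
    The caller is responsible for passing the body fetched for that prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for one prefix. Add-Padding asks the service to
    include dummy zero-count entries so response sizes do not leak which
    range was requested."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_online(password: str) -> int:
    """Full online check: fetch the range for the password's prefix, then
    match the suffix locally. Requires network access."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    print(breach_count("password", SAMPLE_RANGE_BODY))  # -> 3730471
```

A count above zero means the password is in the breach corpus and should be considered burned regardless of where it was stored; a login or signup form can call `check_online` and refuse or warn on such passwords. The parser raises on malformed lines on purpose: a check that returns 0 for garbage input would report a breached password as clean.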

The stolen identity data can be used against the victim in targeted phishing, social engineering scams and account takeovers, including those with paid subscriptions, Tony Anscombe, chief security evangelist at ESET, told Gazeta.Ru.

“The danger of personal data vaults is that they remain current for years, and fraudsters are keen to take them over the darknet. Chances are you haven’t changed your phone number and email address in three to five years, you still have the same date of birth and name.

And if you additionally use the same or similar simple passwords for many years, an attacker will know enough to plan a scam.

The scammer may begin the contact with a text message designed to look like a message from a store or service to which the victim has been subscribed for years. Social engineering techniques are then implemented based on what is known from leaked databases. The fraudsters’ main goal is to gain access or additional data from the victim, which they can then monetize,” the expert said.

For his part, Luis Corrons, security evangelist at Avast, said that the data discovered by NordLocker is not unique in either quantity or method of collection, but that beyond compromising accounts, cybercriminals can use it in a variety of ways, for example in sextortion campaigns, fraud, ransomware attacks and other schemes.

“One of the main goals of any malware 90% of the time is to secretly collect information from an infected device and then pass it on to a control server. Scammers gather such databases and then trade them on the black market for compromised information. Publishing another large database is a common situation in the market. Today, there are many data protection analytics companies. They, in turn, create search engines on such databases so that users can see if their data or accounts are compromised. There are no major threats to users, but don’t forget to change passwords and two-factor authentication regularly,” warns Oberon’s director of information security.