Security firm uncovers malware that's infected more than 2M users

By Cale Guthrie Weissman , written on December 4, 2013

From The News Desk

Today's newsflash: your online information is not safe. 'Not safe?' you say. Yes, dear reader, I hate to break it to you. You really should be more diligent about maintaining proper online security. Stop falling for phishing tactics, and for God's sake stop wandering around the web with your head in the sand, pretending that all is well when it isn't.

Wait. I spoke too soon. It appears that even when you take all the proper precautions you can still find yourself hacked to bits.

Today's online revelation is courtesy of our friends at the security firm Trustwave, which hacked my editor, Adam Penenberg. (Well, he asked for it.) They recently uncovered malware called Pony Botnet plaguing online users and stealing their credentials. Yesterday, the company released a blog post enumerating the magnitude of the attack and, well, it was pretty bad.

Through this bot, hackers were able to uncover 1,580,000 website login credentials as well as 320,000 email account credentials, along with other online credentials. Pony accessed users' passwords on a plethora of popular sites, including Facebook, Yahoo, Google, and Twitter.

John Miller, a Security Research Manager at Trustwave, explained that Trustwave gathered this information by capturing one of the control panels the Pony attackers use. He wouldn't tell me precisely how he and his team managed this for fear of giving the bad guys a leg up.

Through this control panel, Trustwave accessed metrics on the malware's attacks. This includes lists of websites the credentials were stolen from, what kinds of websites Pony targeted, as well as what and how many users' credentials were compromised.

While the control panel didn't recount how precisely Pony was able to infect so many users, Miller says it was probably through a number of spam campaigns and phishing scams that provided compromised links.

What makes Pony notable is that all of this private user information was derived from a single attack. "That's a very large cache of data," Miller said, adding that Pony seems "rather efficient at collecting credentials. That's one of its standouts."

In addition to sites like Facebook and Google, Pony targeted payment and online payroll websites. Generally, malware akin to Pony goes after credentials on social websites like Facebook. If a hacker wants to attack financial information, he or she goes specifically after that. "For a long time there's been a trend of attacking banking-specific websites," Miller said. That Pony collected payroll information as well as email and other credentials makes it a "peculiar" little malware, in his estimation.

But this peculiarity also demonstrates a potential to be financially damaging to its victims.

Equally distressing was the global impact of Pony. Instead of targeting users in a specific country, it attacked websites around the world (although it did collect credentials from Russian-specific social networks as well).

While Trustwave doesn't contact the individual users who were targeted, it does notify every website whose users' credentials were compromised. So, if you're a Pony target, you will probably get a message directing you to change your password.

So what's a web user to do? Other than being diligent and not falling for spam campaigns, Miller recommends that networks use a Secure Web Gateway (SWG), which works to protect against next-generation threats by performing real-time threat analysis (along with numerous other safeguards), to try to ward off future attacks.

While antivirus software tries to stay current with the latest viruses "they'll often miss these newer bots," Miller said. This is dangerous for people connected to networks, like, say, at your job. Using an SWG is the best way to protect a network because it stops communication between a compromised computer and the entire network once a threat is discovered.

Even with these precautions, the full number of such viruses in circulation will always remain a mystery. "We've identified one controller of the Pony Botnet, [but] there's an unknown number of these in existence," Miller said.

So it's nice that one malicious control panel has come to our attention, but you must still obviously remain ever-vigilant.

"We may have won the battle," Miller said, "but we're certainly still fighting the war."

[Image courtesy Chris Halderman]