Researchers have uncovered another huge treasure trove of sensitive data, a staggering 1.2 TB database of login credentials, browser cookies, autofill data and payment information extracted by malware that has yet to be identified.
In all, NordLocker researchers said Wednesday that the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies and 6.6 million files. In some cases, victims had stored passwords in plain text files created with the Notepad application.
The cache also contained more than 1 million images and more than 650,000 Word and .pdf files. In addition, the malware took a screenshot after infecting the computer and took a picture using the device’s webcam. Stolen data also came from messaging, email, gaming and file-sharing apps. The data was extracted from more than 3 million PCs between 2018 and 2020.
A thriving market
The discovery comes amid an epidemic of security breaches, with ransomware and other types of malware hitting large companies. In some cases, including May’s ransomware attack on Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are for sale online.
Alon Gal, co-founder and CTO of security firm Hudson Rock, said such data is often first collected by stealer malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime.
The attacker “will then likely try to steal cryptocurrencies, and once he’s done with the information, he’ll sell to groups with expertise in ransomware, data breaches and corporate espionage,” Gal told me. “These stealers capture browser passwords, cookies, files, and more and send them to the [command and control server] of the attacker.”
NordLocker researchers said there is no shortage of resources for attackers who want to obtain such information.
“The truth is that anyone can get their hands on custom malware,” the researchers wrote. “It’s cheap, customizable and can be found all over the web. Dark web ads for these viruses reveal even more truth about this market. For example, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And customization means customization, too: advertisers promise they can build a virus to attack just about any app the buyer needs.”
NordLocker was unable to identify the malware used in this case. Gal said that from 2018 to 2019, common malware included Azorult and, more recently, an info-stealer known as Raccoon. Once infected, a PC regularly sends stolen data to a command and control server controlled by the attacker.
In total, the malware collected account information for nearly 1 million sites, including Facebook, Twitter, Amazon and Gmail. Of the 2 billion cookies extracted, 22 percent were still valid at the time of discovery. The files can be useful for learning the habits and interests of the victims, and where the cookies are used for authentication, they give access to the person’s online accounts. NordLocker’s report provides further figures.
People who want to determine whether their data was swept up by the malware can consult the Have I Been Pwned breach notification service, which has just added the list of compromised accounts.