Think like a creep

One of the regulars at Paul’s Pub (my little Facebook group for marketers) read the post here from the other day, titled “How scared should you be?” It’s about taking a common sense view of online security, and mentioned an article from the Times which stated that Russian hackers had collected 1.2 billion username/password combinations.

The poster looked at the huge number of credentials the thieves had gathered and suggested “you’d have more chance of catching aids off a nun than anything happening to your website.”

Apparently our colorful correspondent has not yet learned to think like a creep.

First, let’s keep in mind that the guys who stole those log-in pairs have access to a botnet. That’s a large group of computers that belong to other people, which are infected with malware that lets the crooks use their systems without the owners knowing it.

Your machine might be one of them.

Even a modest network of 10,000 zombied machines gives them a lot of computing power and distributed IPs. According to the article in the Times, they managed to grab credentials from 420,000 sites, so dismissing a task as being too large seems a bit hasty.

1.2 billion log-in pairs. In that, they have 500 million email addresses. One assumes the rest are username/password combos, or a combination of all three.

Let’s look at the records that include email addresses, and think like a creep. How could we use that info?

To start with, there are probably duplicate addresses in the list. If I were the kind of person to play this game, I’d sort on those and look for duplicate addresses that used the same password at more than one site. They probably use the same password everywhere. So, that’s a good bet for checking out possible financial and shopping accounts. Paypal, Amazon, banks local to them, etc.

If the SQL dumps they got all this data from include IPs, it wouldn’t be hard to find the most likely local banks. And they probably have bots in the network that are in the same geographic areas.

No need to be tripping alarms, eh?

Next, I’d generate a list of the most commonly used passwords. With over a billion in hand, they’ve probably got an authoritative sample. To do this step, you’d really only need to start with a few million records, which a fast computer could do in a lot less time than you might think. We’re talking hours, if that. Possibly minutes.

Then you just run through the master list in batches.

I’d look for accounts that used one of the top 20 or 50 passwords (depending on how simple they are) and sort them to a separate file. People who use simple passwords are reasonably likely to use the same one at many places.

Same potential for criminal joy as above.

Note that none of this is rocket science. You don’t need to be an evil genius to do it. Just evil.

The previous scenarios are only of concern to people who use weak passwords, or re-use them at multiple sites. Now we get into the more annoying “everyone’s a target” stuff.

I’d get a list of the 500 or 1000 most commonly visited sites in the database (same simple process as above) and look through that. Might be some gems in there for an enterprising villain.

Hard to guess what, since we don’t know which sites were compromised in this attack, but the Times did say they included “household names” and “Fortune 500 companies.”

I’d also search the domains and usernames based on high-value keywords. More potential gold in them thar ills.

Come to think of it, I’d start by sorting out every record with the username “admin.” Gotta be a few thousand of those, right?

Oh, the places you’d go.

I’d also look into categorizing those top sites by interest and segmenting them into separate lists for “targeted bulk email deployment.” (read: spam.)

No need to send the stuff yourself, of course. There are plenty of spammers happy to buy that kind of tinsel.

Then there’s the potential in selling the log-ins to link spammers.  How would you feel if you went to a favorite site and discovered your account had been used to spam porn links or some other NSFW nonsense in a parenting forum?

Why yes. Yes, they would.

According to Hold Security, the firm that discovered this, the folks who assembled this access goldmine are currently only using it to send contract spam on social networks. Even if that’s all they ever plan to do with it themselves, there’s a good chance they won’t ignore the extra dosh to be made in selling it. And there are people out there who would do everything I’ve outlined here, and things I probably haven’t even heard of, without a moment’s hesitation.

There is a market for all that data. If the people who stole it decide to push the cash flow, it will end up being sold at least once. Some of it a lot more.

And, being the upright citizens you’d expect buyers of this sort of information to be, they’ll sell it on again. As often as they can get people to pay.

Feelin’ all warm and fuzzy yet?

So, why hasn’t Hold Security announced the list of sites that were hacked?

Well, for starters, that would create chaos. Chaos is usually not a helpful thing to add to a security snafu. That starts rumors and misinformation, and all manner of other Bad Stuff.

As a rule, it’s better to notify the affected companies, toward which it appears an effort is under way. They can take measures to pre-empt further breaches and misuse of the data without panicking people unduly.

Again, it’s just social network spam at this point. A nuisance, but generally not all that devastating. (There are exceptions, but that’s a story for another time.)

That being the case, I believe a quiet heads up where possible is the most responsible course of action.

Edited Sept 2, 2014, to add: This is no longer true. Some collection of creeps is currently trying to use these credential pairs to get access to hosting and/or domain registration accounts at Namecheap.

Namecheap is the only one publicly mentioning this and warning their customers. If they aren’t already hitting other hosts and/or registrars, they will be soon.

For the sites they can’t contact the owners of, I might think about sending emails warning people that their passwords had been compromised. That’s a course fraught with its own perils, though. Especially since a villainous critter who has that data could be sending their own emails and using a man in the middle attack to be sure they had the new access info. For some sites, that might be a profitable approach.

And you can be pretty sure a lot of people would accuse the person warning them of being the ones who stole the data in the first place.

They might also face significant liability if people reacted badly in ways that affected the firms from which the data was stolen. You can bet a lot of lawyers have made good coin advising on this sort of situation.

Back to you.

Bottom line is, there’s a pretty good chance one or more of your log-ins is included in that archive. If you use simple passwords or re-use them at more than one site, I’d do a couple of things, really quick. First, I’d do as complete a scan of my computer as possible, to reduce the odds that the creeps aren’t already on your system. Then I’d start changing the important passwords. Now.

Third, I would be absolutely certain none of my email addresses used the same password I used anywhere else. If thieves get the password to an email address you have linked to any important accounts, they can get into all of them.

Password reminder is not always your friend.

The point of this isn’t really to be a security tutorial, though. It’s to suggest that dismissing the risks in situations you aren’t familiar with isn’t generally a good idea. Advising others to ignore them is even less good, as plans go.

Especially if you haven’t learned to think like a creep.

Posted in Security.


  1. Kudos Paul. I’m with you on this. I have been using the same password on all my sites up until very recently. What’s the best test to find out if my machines are secretly tied to a botnet? Also is merely changing our passwords the cure all to protect us from these creeps?

  2. Matt… Last question first: There is no cure-all protection. As long as there are crackers and exploits, there is risk. If a networked device is turned on, you should consider it vulnerable.

    The object is to minimize risk. Eliminating it is not possible.

    Before we go further, remember that I am not a computer security expert. Take this advice with that in mind.

    As far as finding out if you’ve been zombied, my first suggestion would be to get a solid security suite and install it. Update it to within the hour, and deep scan your system. I use Norton 360 (multi-device) on two PCs and a Mac, and recommend it highly. One of my more tech savvy friends (a GeekSquad manager) recommends WebRoot.

    Then download MalwareBytes and run that. Deep scan.

    For added ongoing security, install something like Sandboxie and isolate your browsing from the OS.

    There is a lot more you can do to keep your system and network secure. You’re better off looking for advice on your specific situation once you get much beyond this stuff. Especially if you have network-shared devices and/or multiple people on your network with different levels of experience.

  3. In the first public acknowledgement of the use of the login credentials that were stolen, Namecheap sent a note to their customers. Hackers are using those username/password combos to try and get access to Namecheap accounts.

    The warning is here:

    If you use the same pair for your hosting or registrar as for other accounts, you may find yourself hosting things you didn’t expect, or losing domains to thieves.

    The abuse of this data is no longer restricted to nuisance spam on social networks…

Leave a Reply