FBI Probes 1.2B Stolen CredentialsWarning over Russian CyberVor Hacking Gang Triggers Investigation
The FBI is pursuing a suspected Russian hacker who claims to have amassed a trove of 1.2 billion unique email and password combinations and who also offered access to hacked Facebook and Twitter accounts (see Security Firm: 1.2 Billion Credentials Hacked).
The FBI's associated application for a search warrant relating to "information associated with email@example.com that is stored at premises controlled by Microsoft," dated Dec. 30, 2014, and executed in January, was made public last week by a federal court in Milwaukee, as Reuters first reported.
The FBI's probe was prompted by Alex Holden, CISO of Milwaukee-based Hold Security, warning in August 2014 that he had discovered "what could be arguably the largest data breach known to date." Hold Security dubbed the group CyberVor - "vor" is Russian for thief - and said the gang amassed the stolen credentials at least in part by scanning websites for known flaws, such as SQL injection vulnerabilities, ultimately amassing 1.2 billion username and password combinations, more than 500,000 email addresses and 4.5 billion records in total.
At the time, however, Hold Security came under fire for appearing to have used the pronouncement to push its paid breach-notification service (see CyberVor Update: Hold Security Responds).
In the wake of Hold Security releasing its CyberVor warning, the FBI search warrant notes that the bureau contacted Holden to request further details, and notes that he would not detail precisely how he'd amassed the information - citing service-level agreements and competitive concerns - although said he'd obtained it from "self-professed hackers" and databases available on underground cybercrime forums.
Stolen Data: 263 GB
Holden, however, soon shared 263 GB of raw text files with the FBI, writes Eliot Mustell, a special agent for the FBI Milwaukee bureau's Cyber Crimes Task Force, in the search warrant application. "A review of this information revealed text files containing, inter alia: username and passphrase credentials, credit card information, Social Security numbers, email addresses and file transfer protocol (FTP) accounts." The FBI says it also found domain names tied to a known spamming outfit, as well as executable files designed to send spam and exploit SQL injection flaws to dump data from Internet-connected databases.
Two of the test email addresses associated with the malicious applications found by the FBI were "firstname.lastname@example.org" and "email@example.com," the bureau says. Both of those services are run by Microsoft. As the FBI notes, both of the email addresses potentially lead back to people engaged in illegal activities, since "test email addresses allow a spammer to send email to the test accounts to verify that the spam is working correctly ... and troubleshoot any potential issues with the spamming utilities."
The search warrant reports that Microsoft shared subscriber information for firstname.lastname@example.org on Oct. 2, 2014, and listed the registrant as residing in the state of Kursk in southwestern Russia. But the FBI said the email address was registered from an IP address tied to a virtual private server and domain hosting company, which criminals often use to mask their identity, while subsequent log-ins were made from an IP address with a Luxembourg-registered service (see Hacker Havens: The Rise of Bulletproof Hosting Environments).
FBI Hits Hacker Forum
But the FBI notes that "hackers and spammers will frequently reuse online nicknames or monikers in order to create a consistent online identity," and the search warrant says that bureau agents logged onto the Russian hacking forum "exploit.in" and found that a user named "mr.grey" had participated in discussions related to spamming and malware. It says mr.grey also offered to provide hacked accounts for multiple social networking sites, including Facebook, Twitter and VK, which stands for the Russian site VKontakte.
Alex Holden didn't immediately respond to a request for comment on the Reuters report. But Holden tells Reuters that mr.grey's message indicates that he either operated or had access to the database containing the more than 1.2 billion stolen records that he found.
An FBI spokeswoman declined to comment on the status of its investigation.
Insecure Website Warnings Continue
In the wake of Hold Security releasing its report in August 2014, some security experts questioned the veracity of the report, while others used it to warn of widespread website security shortcomings, including the ongoing prevalence of easy-to-exploit SQL injection flaws (see 5 Facts About CyberVor Report).
Indeed, less than one year later, British telecom giant TalkTalk was breached - and customer data stolen - allegedly via a SQL injection attack launched by a gang mostly comprised of teenagers. To date, however, TalkTalk has declined to confirm or deny how its systems were breached, citing an ongoing police investigation.