This week Trustwave security researchers uncovered a criminally controlled web server that contains nearly two million stolen account usernames and passwords for many popular sites, including Facebook, Twitter, LinkedIn, Google and Yahoo. Over the past few days, news outlets worldwide have reported on the discovery, and many people, including our customers, have questions about the malware, its impact and how they can protect themselves.
What we know
Users most likely had their credentials stolen when they mistakenly clicked on a malicious link or attachment, or unknowingly visited a malicious website that installed data-stealing malware, known as "Pony", onto their computers. This malware then delivered their usernames and passwords to a botnet server. Pony malware has two methods of stealing credentials. First, it scans through stored passwords in a user's browsers, email clients and other software. Second, it monitors web traffic to identify when a user is logging into a website and then attempts to capture the password.
Malware mitigation tips
Below is some general advice about protecting yourself against this and future attacks, which likely will take on similar characteristics.
Don't click on suspicious links or open suspicious attachments: One of the ways the Pony malware spreads is through email. If you weren't expecting an email that contains a link or an attachment, don't click on or open it. Social engineering scams often look like the real thing, so it's a good idea to also have in place an email security solution that analyzes inbound content and filters out links and attachments to malware.
Keep your computer patched and up to date: The Pony malware also can infect users' machines if they simply visit a booby-trapped website. Typically, these "drive-by download" installations take advantage of a browser plug-in that is out of date. Make sure all of your software is updated to the latest version, and consider a web security solution that can evaluate the intent of web pages and help strip out malware.
Run anti-virus: The Pony malware also can hit users that are tricked into installing a bogus product update. Avoid falling for these ruses, and ensure you are running updated anti-virus and intrusion prevention defenses.
Train your staff: Give your employees the know-how to protect your data and network from malware. Security Awareness Training helps reduce the chances that your business will become a victim of data-stealing malware.
Choose a complex and unique password: Having a strong and unique password wouldn't have protected you against this malware, but the server we came across showed that far too many people use easy-to-guess passwords and likely share them across different accounts. The most common password we discovered was "123456." Passwords of at least eight characters that mix letters and numbers are less predictable and far more difficult to crack than shorter ones. Users should also use "passphrases" to make them easier to remember, such as "myD0g1sL0ud". Also, make sure you use a different password for each of your online accounts.
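As an added example (not code from the original post or from Trustwave), here is the password advice above expressed as a small Python check, together with the kind of tally that produces findings like "most common password: 123456" and "passwords shared across accounts" when a defender reviews a recovered credential dump. The record format, the sample records and the short weak-password list are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of (site, username, password) records. This is NOT data from
# the server described in the post; it only exercises the analysis below.
SAMPLE_RECORDS = [
    ("facebook", "alice", "123456"),
    ("twitter", "alice", "123456"),
    ("linkedin", "alice", "123456"),
    ("google", "bob", "password"),
    ("yahoo", "bob", "password"),
    ("facebook", "carol", "myD0g1sL0ud"),
    ("twitter", "dave", "123456"),
    ("google", "erin", "qwerty1"),
]

# Constructed, deliberately tiny weak-password list; a real check would use a
# large breach-derived list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "111111"}


def meets_policy(password):
    """Apply the post's rules: at least eight characters, a mix of letters and
    digits, and not a well-known weak password."""
    if len(password) < 8:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        return False
    return password.lower() not in COMMON_PASSWORDS


def most_common_passwords(records, n=3):
    """Count how often each password appears across the whole dump."""
    return Counter(pw for _, _, pw in records).most_common(n)


def reused_across_sites(records):
    """Return {username: {password: set_of_sites}} for every password a user
    submitted on more than one site, i.e. credential reuse across accounts."""
    by_user = defaultdict(lambda: defaultdict(set))
    for site, user, pw in records:
        by_user[user][pw].add(site)
    reuse = {}
    for user, pws in by_user.items():
        shared = {pw: sites for pw, sites in pws.items() if len(sites) > 1}
        if shared:
            reuse[user] = shared
    return reuse
```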
Help from Trustwave
Trustwave offers a variety of technologies and services that helped automatically protect our customers from this and other forms of malware. They include Trustwave Secure Web Gateway, Trustwave Secure Email Gateway (MailMarshal) and Trustwave Managed Email Security (MailMax).
For more technical information about this recent threat, visit the Trustwave SpiderLabs Blog at: http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html. The blog also will feature updates as they become available.
Dan Kaplan is the manager of online content at Trustwave.