Researchers have discovered yet another huge trove of sensitive data: a dizzying 1.2TB database of login credentials, browser cookies, autofill data and payment information extracted by malware that has yet to be identified.
In total, NordLocker researchers said on Wednesday that the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies and 6.6 million files. In some cases, victims had stored passwords in text files created with the Notepad app.
The stash also included over a million images and over 650,000 Word and PDF files. Additionally, the malware took a screenshot after infecting the computer and took a photo using the device’s webcam. The stolen data also came from messaging, email, gaming and file sharing apps. Data was extracted between 2018 and 2020 from more than 3 million PCs.
The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including May’s ransomware attack on Colonial Pipeline, hackers have first gained access using compromised accounts. Many of these credentials are available for sale online.
Alon Gal, co-founder and CTO of security firm Hudson Rock, said this data is often first collected by malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime.
The attacker will then “likely try to steal cryptocurrencies, and once he’s done with the information, he’ll sell it to groups whose expertise is ransomware, data breaches, and business espionage,” Gal told me. “These thieves capture browser passwords, cookies, files and more and send them to the [command and control server] of the aggressor.”
NordLocker researchers said there was no shortage of sources for the attackers to secure this information.
“The truth is, anyone can get their hands on custom malware,” the researchers wrote. “It’s inexpensive, customizable, and you can find it all over the web. Dark web ads for these viruses reveal even more truth about this market. For example, anyone can get their own custom malware and even lessons on how to use stolen data for as little as $100. And personalization means personalization: Advertisers promise they can create a virus to attack virtually any app the buyer needs.”
NordLocker was unable to identify the malware used in this case. Gal said that from 2018 to 2019, widely used malware included Azorult and, more recently, an information stealer known as Raccoon. Once infected, a PC will regularly send stolen data to a command and control server operated by the attacker.
In total, the malware collected account credentials for nearly a million sites, including Facebook, Twitter, Amazon, and Gmail. Of the 2 billion cookies extracted, 22% were still valid at the time of discovery. The files can be useful in reconstructing the habits and interests of victims, and where cookies are used for authentication, a still-valid cookie gives access to the person’s online accounts without the password. NordLocker provides further figures here.
People who want to determine whether their data was swept up by the malware can check the Have I Been Pwned breach notification service, which has just loaded the list of compromised accounts.
This story originally appeared on Ars Technica.