Researchers hijack botnet, score 56,000 passwords in an hour [ArsTechnica]
Computer security researchers at the University of California Santa Barbara happened upon a flaw in the way one malicious botnet received instructions from its masters, and managed to exploit the flaw to get a first-hand view of a botnet gathering up massive amounts of personal and financial information from victimized computers. While studying the Torpig malware program and associated botnet, the scientists discovered that the botnet was attempting to receive instructions from a series of domains that were not yet registered. So, the scientists decided to give the Torpig botnet the instructions it was looking for, registered the domains, and used the domains as a vantage point to observe Torpig at work.
Over the course of an hour, Torpig gobbled up 56,000 users' passwords, and over 300,000 unique login credentials were gathered over the entire period of time that the researchers followed Torpig. Some 28 percent of victims reused their login credentials across a series of web sites, meaning that when one login was compromised, all the user's logins were compromised. The scientists estimate that during their observation period, the criminals behind Torpig could have used the login information to make off with up to $8.3 million.
Torpig is just one of many botnets that operate on the Internet, comprised of millions of compromised computers which send out volumes of spam that contains malicious code designed to steal more personal financial information and co-opt other machines into the botnet. Vigilance is key to avoid falling victim to these scammers. I recommend using proven security software, following the scam alerts and using good common sense when it comes to email and web surfing. And, even though it might be more passwords than you care to remember, I recommend using separate passwords for each web site that requires login credentials. That way, if one is compromised, the others are not compromised as well.
Comments