Salesforce.com Warning, Gmail Password Leak Shows Value Of Stolen Credentials

A recent warning from Salesforce.com about banking malware that began targeting some users of its platform and a stash of outdated Gmail passwords highlight the lengths that cybercriminals will go to steal account credentials, threat researchers say.

Most of the 5 million Gmail passwords that surfaced in an online forum turned out to be outdated and not pose a significant problem, according to Google, which ruled out a security lapse. Hold Security warned in August it found an enormous stockpile of pilfered data, including 1.2 billion unique credentials belonging to more than 500 million email addresses.

Password stashes, including those connected to web content management system consoles and FTP sites are frequently uncovered by security researchers when they discover hijacked servers used as drop sites for attack campaigns.

[Related: eBay Password Breach Prompts Security Best Practices Review]

Troy Hunt, a Microsoft MVP, security developer and blogger has set up a site called haveibeenpwned.com, where visitors can check whether an email address was among the account credentials stolen from a variety of recent breaches. The site has identified more than 168,000 victims associated with about 30 account credential data breaches, including the massive Adobe breach last year and the recent eBay data breach.

Cybercriminals continue to have great success tricking people into giving up passwords and other sensitive information, said Tom Arnold, co-founder and principal at San Jose, Calif.-based PSC. Standard email phishing attacks frequently net a big enough percentage of victims to make them worth the investment, Arnold said.

"Identity theft and stealing consumer account credentials continues to have a big payout for those involved in that kind of criminal activity," Arnold said.

Stolen account credentials were reportedly used by attackers who carried out the attack against retailer Target. The username and password to Target's web-based billing system was stolen from a heating and ventilation system service provider giving the criminals initial access.The Target breach, which involved at least 40 million credit and debit cards and information on 70 million customers, has so far cost the retailer $148 million in incident-related expenses. Many of the breach studies point out that 90 percent or more of breaches are carried out at least in part with stolen credentials, said Kenneth Leeser, president of Needham, Mass.-based risk management consultancy and reseller Kaliber Data Security.

"Once they were in they got some system credentials and once they had them they were able to move laterally through the system and execute the theft of the credit cards," Leeser said.

A bank account with a balance of $70,000 to $150,000 and the stolen account credentials associated with it costs about $300 or less on the black market, according to a Dell Secureworks analysis of stolen data for sale last year. The cost of Doxing services, to hire a hacker to harvest as much data on an individual, including email addresses and passwords, costs from $25 to $100, according to Dell Secureworks.The cost of Doxing services, the hiring of a criminal hacker to harvest as much data on an individual, including email addresses and passwords, costs from $25 to $100, according to the analysis.

For Salesforce.com users the Dyre malware could be a potent threat. The banking Trojan began targeting bank customers in April, turned its sites to some Salesforce users this month. The malware doesn't target vulnerabilities within Salesforce.com, but instead spreads by infecting the vulnerable system components of users to steal log-in credentials and other data from their systems.

"As a first step, we recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware," Salesforce.com said in its statement.

Dyre, also called Dyreza, initially spreads through spam campaigns. It can bypass encryption and has spread quickly through phishing attacks. Researchers saw some attack campaigns use Dropbox links to trick users into becoming victims. Once a system is infected, it can view SSL-encrypted browsing sessions and can bypass two-factor authentication, making it a dangerous threat.

Once it successfully infects a victim's PC, it uses a man-in-the-middle attack to sniff traffic, including encrypted communications between the victim's PC and the service they are using, according to Peter Kruse, the head of the CSIS e-crime unit which analyzed the threat in April.

The first victims included users of Citibank, Bank of America and RBS, Kruse said in an analysis of the threat in June. The campaign has been observed tricking victims into clicking on a link to install a phony Flash Player update.

PUBLISHED SEPT. 11, 2014