SpiderLabs, the advanced security team from information security firm Trustwave, reports that a Pony botnet controller has been found holding about 2m stolen log-in credentials for some of the web's most popular sites, as well as for a high-profile payroll services provider.
Back in June, SpiderLabs researchers reported on a botnet controller called Pony 1.9 that had managed to steal hundreds of thousands of credentials from victims in just a few days. Since then, the team has seen many new instances of this botnet controller at work and its latest report cites the discovery of about 2m compromised account credentials.
In all, Pony was used to steal about 1.58m website log-in credentials, 320,000 email account credentials, 41,000 FTP account credentials, 3,000 remote desktop credentials and 3,000 Secure Shell account credentials.
Among that hoard of stolen information are credentials for some of the most popular websites and online services. Facebook accounts were hit most, followed by Google, Yahoo!, Twitter and LinkedIn.
Credentials for the Russian social networks VK and Odnoklassniki were also in the haul, as were log-ins for ADP.com, the website of Automatic Data Processing, which provides payroll services to about 620,000 businesses worldwide, including more than 80pc of Fortune 500 companies.
Geo-location of the source addresses initially suggested that the attack targeted The Netherlands, but a closer look at the IP log files showed that many of those entries came from a single IP address. That pattern suggests the attackers routed infected machines through a gateway or reverse proxy, which keeps the command-and-control server itself (also said to be based in The Netherlands) hidden from the victims and skews any country count based on the addresses that reached it.
In fact, SpiderLabs researchers believe the attack compromised accounts in more than 100 countries.
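The check the researchers describe above, a geo-IP summary that is dominated by one source address, is easy to automate. The following is an added example, not code from the original report or from Trustwave; the log format and the sample check-in records are constructed for illustration, and the 50pc dominance threshold is an assumption:

```python
from collections import Counter

# Constructed sample of C2 check-in records ("timestamp src_ip geo_country").
# Not real Pony data; RFC 5737 documentation addresses are used throughout.
SAMPLE_LOG = """\
2013-11-20T08:01:02Z 203.0.113.5 NL
2013-11-20T08:01:09Z 203.0.113.5 NL
2013-11-20T08:02:15Z 198.51.100.17 US
2013-11-20T08:02:40Z 203.0.113.5 NL
2013-11-20T08:03:01Z 203.0.113.5 NL
2013-11-20T08:03:33Z 192.0.2.44 DE
2013-11-20T08:04:10Z 203.0.113.5 NL
2013-11-20T08:04:58Z 203.0.113.5 NL
2013-11-20T08:05:21Z 198.51.100.88 BR
2013-11-20T08:05:49Z 203.0.113.5 NL
"""


def parse_log(text):
    """Return a list of (src_ip, country) tuples, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        entries.append((parts[1], parts[2]))
    return entries


def naive_target_country(entries):
    """Country with the most entries when every line is counted: what a plain
    geo-IP summary shows, and what pointed at The Netherlands in the report."""
    return Counter(country for _, country in entries).most_common(1)[0][0]


def proxy_analysis(entries, dominance=0.5):
    """Flag a single source address that accounts for at least `dominance` of all
    entries (threshold is an assumption). Such concentration is what a shared
    gateway or reverse proxy in front of the C2 produces; the country of that one
    address then says little about where the victims are, so the country
    distribution is recomputed with that address excluded."""
    ip_counts = Counter(ip for ip, _ in entries)
    top_ip, top_n = ip_counts.most_common(1)[0]
    share = top_n / len(entries)
    remaining = [country for ip, country in entries if ip != top_ip]
    return {
        "top_ip": top_ip,
        "share": share,
        "proxied": share >= dominance,
        "naive_country": naive_target_country(entries),
        "countries_excluding_top_ip": dict(Counter(remaining)),
        "distinct_ips": len(ip_counts),
    }


if __name__ == "__main__":
    result = proxy_analysis(parse_log(SAMPLE_LOG))
    print(f"naive target country: {result['naive_country']}")
    if result["proxied"]:
        print(f"{result['top_ip']} supplies {result['share']:.0%} of entries; "
              f"likely a gateway/proxy, geo-IP conclusion unreliable")
        print(f"countries seen from other addresses: {result['countries_excluding_top_ip']}")
```

On the constructed sample the naive summary says NL, but seven of ten entries come from one address; once it is set aside the remaining check-ins are spread across US, DE and BR, which is the kind of picture that led the researchers to a much wider victim footprint than the raw geo-IP data implied.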