A Russian cybercriminal gang so far has stolen 4.5 billion credentials, of which 1.2 billion appear to be unique, Hold Security announced Tuesday.
The credentials belong to more than 500 million email addresses.
Two reports, also released Tuesday, may help explain why the cybergang was so successful.
About 92 percent of the 800 top consumer websites evaluated, and 96 percent of the top 50 United States federal government agencies checked, failed the Online Trust Alliance’s (OTA) 2014 Email Integrity Audit.
Also, Trustwave cracked about 92 percent of 637,000 stored passwords collected during penetration tests in 2013 and 2014, according to its Global Security Report 2014.
Further, weak or default passwords contributed to one-third of the compromises Trustwave investigated.
“The OTA has briefed the White House and members of Homeland Security on this topic,” OTA President Craig Spiezle told TechNewsWorld. “It’s not so much that the infrastructure is too weak to handle internal threats, but rather there’s a weakness in how consumers and citizens can potentially be abused.”
More on Our Russian Friends
Hold Security has dubbed the Russian cybergang “CyberVor” — the word ‘Vor’ means ‘thief’ in Russian.
The gang first targeted the owners of stolen credentials purchased on the black market.
Earlier this year, it launched SQL injection attacks to steal users’ credentials after getting data from botnets that had identified more than 400,000 potentially vulnerable websites.
CyberVor hit “many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” Hold reported.
Division of Labor Sucks
Corporations and government agencies need to look at both internal threat vectors and threats from which consumers and the public must be protected, the OTA’s Spiezle said.
“Unfortunately, there is currently a disconnect between IT departments, brand protection initiatives, marketing staff and security teams, which hinders such attempts at a holistic approach.”
Issues With the Hoi Polloi
Consumers and corporate users have to shoulder part of the blame.
Spearphishing “accounts for as much as 90 percent of targets” because it appears to come from known sources, Gerry Grealish, CMO at Perspecsys, told TechNewsWorld.
“Spearphishing emails are always improving, but people are not always educating themselves,” said Jonathan Sander, strategy and research officer at STEALTHbits Technologies.
On the other hand, it’s getting harder for the average person to tell the difference between legitimate emails and spam — both of which contain links, he told TechNewsWorld.
Human psychology plays a role. For example, people “have a preconceived notion that they are not targets . . . and most spearphishing emails play on human emotion,” Christopher Martincavage, senior sales engineer at SilverSky, told TechNewsWorld.
Changing passwords regularly is difficult, because people “have far too many websites they use for this to be really practical without a good password manager,” Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, told TechNewsWorld. He has “at least 50 different places” that he logs into routinely.
As for weak passwords, people “are trying to get through moments, not lifetimes, when they are making a password choice,” Sander pointed out.
The IT Problem and Some Solutions
“Many IT organizations have tight budgets, and when it comes down to a balance between business and technology, most of the time the business side wins,” remarked Gerry Texeira, director of product management at WWPass.
Advanced malware zips right past corporate firewalls, so “newer approaches which neutralize the data itself from the impact of a breach . . . such as encryption and tokenization . . . are proving very effective,” Mark Bower, vp product management & solutions architecture at Voltage Security, told TechNewsWorld.
WWPass offers a cloud-based multi-factor authentication and privacy protection system that encrypts user data, fragments and disperses it across the cloud in 12 separate locations worldwide, and requires the use of a physical PassKey token to authenticate the user.
“We don’t even know who you are,” Texeira told TechNewsWorld, “and if someone hacks one server, they only get a piece of the puzzle.”
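The “piece of the puzzle” property described above can be illustrated with an all-or-nothing data-dispersal scheme. The following is an added example written for this article; it is not WWPass code and makes no claim about how the PassKey system actually fragments data. It assumes the simplest construction, XOR secret splitting: all but one fragment are random bytes, the last is the record XORed with all of them, so any fragment taken alone (or any 11 of 12) is statistically independent of the original record. The encryption layer that would sit in front of the splitting step is omitted, and the location names are constructed.

```python
"""Added example (not WWPass code): XOR-based all-or-nothing data dispersal.

A record split this way can be recovered only by combining every fragment;
an attacker who compromises one storage location learns nothing about it.
"""
import os
from typing import Dict, List

# Constructed list of storage locations; the article says WWPass uses 12.
LOCATIONS = [f"region-{i:02d}" for i in range(1, 13)]


def _xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(data: bytes, n_shares: int) -> List[bytes]:
    """Split data into n_shares fragments such that every fragment is needed.

    The first n_shares - 1 fragments are uniformly random; the last is data
    XORed with all of them. Any n_shares - 1 fragments are independent of data.
    """
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(data)) for _ in range(n_shares - 1)]
    last = data
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all fragments together; returns the record only if none is missing."""
    if not shares:
        raise ValueError("no shares supplied")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("share length mismatch")
    out = bytes(length)
    for s in shares:
        out = _xor(out, s)
    return out


def disperse(data: bytes, locations: List[str] = LOCATIONS) -> Dict[str, bytes]:
    """Assign exactly one fragment to each location (one fragment per server)."""
    shares = split_secret(data, len(locations))
    return dict(zip(locations, shares))


def recover(stored: Dict[str, bytes]) -> bytes:
    """Recover the record from the fragments held by all locations."""
    return combine_shares(list(stored.values()))


if __name__ == "__main__":
    record = b"constructed-user-record-0001"  # constructed sample input
    stored = disperse(record)
    # Full reconstruction needs every location.
    assert recover(stored) == record
    # A single compromised server holds a random-looking fragment of equal length,
    # and even 11 of 12 fragments do not reconstruct the record.
    partial = {k: v for k, v in stored.items() if k != "region-12"}
    assert recover(partial) != record
    print("dispersed across", len(stored), "locations; single-site compromise reveals nothing")
```

Because every fragment is required, this construction trades availability for confidentiality: losing one location loses the record. A threshold scheme such as Shamir’s secret sharing gives the same single-server guarantee while tolerating some unavailable locations, at the cost of more arithmetic.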