By Hayley Tsukayama
The Washington Post
Hackers using malicious software have scooped up the usernames and passwords for about 2 million accounts on some of the most popular sites on the Web, including Facebook and Google, security researchers say.
According to researchers at the Chicago-based firm Trustwave, hackers used a botnet known as Pony to pull off the massive theft. After being downloaded through a website or email, the software monitors the user’s browser and collects the login credentials entered or stored there.
The massive malware attack has been going on for at least a year, said John Miller, Trustwave’s security research manager.
Pony is a common malware tool, often sold and rebundled in hacking communities. It collects tens of thousands — sometimes hundreds of thousands — of passwords from websites, email providers and other accounts each day, Miller said. The malware is likely collecting far more information than Trustwave discovered, he said.
The attack is smaller than some recent Internet data thefts, such as the 150 million usernames and passwords taken from Adobe in November.
But the nature of the attack means there is probably little that the impacted companies can do to stop it because it targets Web users rather than company security systems, said Miller.
The attack has already snagged user credentials from popular websites such as Facebook, Google, Yahoo, Twitter and LinkedIn, according to Trustwave. But it also grabbed information from firms such as the payroll services provider ADP. One of the largest payroll companies in the world, ADP administers the benefits and payroll systems for more than 620,000 companies around the world.
Miller said that the kind of work ADP does makes it an attractive target for hackers.
“They’re a little different than Facebook,” he said. “You can use a Facebook account to spam people with, but ADP has banking information behind it.”
In a statement Wednesday, ADP said that it is aware of the botnet and had determined that none of its internal networks or servers had been compromised. “To our knowledge, none of ADP’s clients has been adversely affected by the compromised credentials,” the company said in a statement.
Still, ADP said, the firm is requiring a password reset for the 2,400 of its clients who were affected by the attack out of an “abundance of caution.”
Twitter, Facebook, LinkedIn and Yahoo said that they are working with Trustwave to reset the passwords on affected user accounts on their networks. None commented on whether users’ accounts had been penetrated.
Google declined to comment on the malware attack.
Miller said that, ultimately, the onus falls on corporations and individuals to run regular antivirus scans on their computers. Companies can install software that prevents employees from downloading malware such as Pony, and individuals can do the same for their personal and home computers. Those targeted by the attack should also change the password on any other account that uses the same username or password as the affected one, since stolen credentials are routinely tried against other sites.
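The companies above say they are resetting passwords on the accounts Trustwave identified. As an added example that is not from the article, Trustwave or any of the named companies, the stdlib-only Python below sketches the triage a site operator does when handed a credential dump: parse the `user:password` lines, look each user up, and check the leaked password against the stored hash so that accounts whose leaked password is still valid are force-reset first, while stale entries and unknown users are reported separately. The user records and the dump are constructed, and PBKDF2-HMAC-SHA256 with a per-user salt is an assumption about how the site stores passwords, not something the article states.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: the site stores PBKDF2-HMAC-SHA256 hashes with a per-user salt.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under the site's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False  # set when the leaked password still works


def make_user(username: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt))


# Constructed sample user table; none of these are real accounts.
USERS = {u.username: u for u in [
    make_user("alice@example.com", "correct horse battery"),
    make_user("bob@example.com", "hunter2"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
]}

# Constructed sample of the "user:password" lines such dumps usually take.
LEAKED_DUMP = """\
alice@example.com:correct horse battery
bob@example.com:oldpassword123

dave@example.com:letmein
malformed line without a separator
"""


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Split dump lines into (username, password); skip blank or malformed lines.
    Only the first colon separates the fields, so passwords may contain colons."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        creds.append((user.strip().lower(), password))
    return creds


def triage(users: dict[str, UserRecord], leaked: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket leaked credentials by what they mean for this site.

    reset_now:    the leaked password verifies against the stored hash, so the
                  account is live-compromised; flag it for a forced reset.
    stale_leak:   the user exists but the leaked password no longer matches;
                  worth a notification, not an emergency.
    unknown_user: no such account here; still useful as a watchlist for
                  credential-stuffing attempts against these usernames.
    """
    result = {"reset_now": [], "stale_leak": [], "unknown_user": []}
    for user, password in leaked:
        rec = users.get(user)
        if rec is None:
            result["unknown_user"].append(user)
            continue
        candidate = hash_password(password, rec.salt)
        if hmac.compare_digest(rec.pw_hash, candidate):
            rec.must_reset = True
            result["reset_now"].append(user)
        else:
            result["stale_leak"].append(user)
    return result


if __name__ == "__main__":
    for bucket, names in triage(USERS, parse_dump(LEAKED_DUMP)).items():
        print(f"{bucket}: {names}")
```

Checking the leaked password against the stored hash is what turns a list of names into an incident: the accounts in `reset_now` are the ones an attacker can log into today, so those get the forced reset and the notification first. The same check, applied at login time against known dump passwords, is also a cheap way to refuse the reused passwords that the last paragraph warns about.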