At ESET Ireland, we have noticed that the media loves bombastic headlines. If well-known companies get hacked, if governmental institutions lose data, or if millions of passwords are compromised, the security company that first announces the news tends to receive a good share of publicity. This is why last week’s media frenzy about “1.2 billion passwords getting hacked by a Russian gang” raised many eyebrows.
What did the “report” actually say? Somewhere in south central Russia, a group of men in their twenties dubbed the CyberVor gang (“vor” means “thief” in Russian) is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses stolen from some 420,000 different websites.
We’re not saying such a thing is impossible, as cybercriminal groups do collect such information via SQL breaches as was hinted in this case. These hacker groups also trade data on the cyber black market. So a gang intent on hoarding the largest database could with enough time amass the said amount of passwords. (“Russian hackers” is always a welcome topic that gets attention, even if the statistics sometimes contradict this, so the story got plenty of additional global coverage.)
And this is there the eyebrow raising begins. The company that revealed the incident is called Hold Security, a company very few people heard about before this story and, to our surprise, one that doesn’t even offer an address or phone number on its website. It did however get its story about the “massive hack” published in the New York Times just as the Black Hat and DEFCON conferences were ramping up in Las Vegas.
However, Hold Security did not reveal in any way how they discovered the attack, what exactly they discovered, what they obtained, and how – or if – they have disclosed this to the affected websites so the webmasters can take action. Cybersecurity expert Graham Cluley was among the first to express his concerns.
But what followed the shocking announcement left us even more baffled. Hold Security has since created a service in which it charges money for webmasters to find out if their websites were affected by the hack. This service is presented as a form, which is of course reminiscent of phishing attacks. Acknowledging this, Tony Bradley of Minimal Risk commented in his blog that the disclosure of the Russian password hack seems like an antivirus scam.
Kashmir Hill of Forbes made the connection between panic-mongering and making a profit in her article “Firm That Exposed Breach Of ‘Billion Passwords’ Quickly Offered $120 Service To Find Out If You’re Affected”: “The Internet predictably panicked as the story of yet another massive password breach went viral”, but in this situation, “you can pay ‘as low as $120’ to Hold Security monthly to find out if your site is affected by the breach.”
At ESET Ireland we agree it would be unwise to dismiss the possibility of such a hack, and website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities as well as other commonly found flaws. Nevertheless, the scarcity of (or the refusal to present) evidence or additional info, as well as its questionable reaction, should leave us all wary of Hold Security and its true intentions.
More info on latest threats: eset.ie/blog.
About ESET Ireland
ESET Ireland will keep your hardware and software performing as it should. The company has hundreds of people around the world working hard every day so customers’ computers, tablets, smartphones and servers are properly protected. All with minimal impact on their performance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.