SafeBreach researchers used Google's own VirusTotal to find and retrieve more than 1,000,000 credentials exfiltrated by different types of malware, along with unencrypted cryptocurrency wallets. VirusTotal is a free service offered by Google that checks suspicious files using dozens of antivirus engines. With just a single VirusTotal license, the researchers gained access to the suspicious files and were able to use Google's own search tools to find files containing the stolen credentials. Excerpts:

(Google VirusTotal) … provides extensive search capabilities for a licensed user, allowing them to query the VirusTotal dataset by a combination of dozens of queries: filetype, filename, submitted date and country and file content are just a few examples. … we developed the idea of “VirusTotal hacking,” based on the known method of “Google hacking.” With Google hacking, criminals use Google to search for vulnerable websites, IoTs, installed webshells, and sensitive data leaks. Because VirusTotal employs Google’s more advanced search APIs, we believed it had the potential to enable turbocharged Google hacking.

The results were huge. In just a few days, we were able to collect more than 1,000,000 credentials, exfiltrated by different types of malware and unencrypted cryptocurrency wallets. We also discovered a market that publishes a small amount of victims’ data for free as a teaser, with an additional site and Telegram channel that offers larger amounts of victims’ exfiltrated data for sale.

Expert Comments

January 20, 2022
Nasser Fattah
Executive Advisor
Shared Assessments

Cybercriminals typically enrich leaked and stolen credentials (the common user ID and password) with date of birth, phone numbers, security questions, including answers, and other relevant information that can be easily used for identity theft and account takeover - both with the intent to commit fraud. Note that many of these leaked/stolen credentials stem from third-party breaches and rely on people reusing the same password to authenticate to multiple sites. Why bother with brute-force attacks and cracking passwords when active, valid credentials can be bought in lots?
