SafeBreach researchers used Google’s own VirusTotal to find and retrieve more than 1,000,000 credentials exfiltrated by different types of malware, along with unencrypted cryptocurrency wallets. VirusTotal is a free service offered by Google that checks suspicious files using dozens of antivirus engines. With just a single VirusTotal license, the researchers gained access to the submitted files and were able to use Google’s own search tools to locate files containing the stolen credentials. Excerpts:
(Google VirusTotal) … provides extensive search capabilities for a licensed user, allowing them to query the VirusTotal dataset by a combination of dozens of queries: filetype, filename, submitted date and country and file content are just a few examples. … we developed the idea of “VirusTotal hacking,” based on the known method of “Google hacking.” With Google hacking, criminals use Google to search for vulnerable websites, IoTs, installed webshells, and sensitive data leaks. Because VirusTotal employs Google’s more advanced search APIs, we believed it had the potential to enable turbocharged Google hacking.
The results were huge. In just a few days, we were able to collect more than 1,000,000 credentials, exfiltrated by different types of malware and unencrypted cryptocurrency wallets. We also discovered a market that publishes a small amount of victims’ data for free as a teaser, with an additional site and Telegram channel that offers larger amounts of victims’ exfiltrated data for sale.