Could a List of 17k Hacked Twitter Accounts be Worth Over $1B?
  • Table of contents

The author

user_image
Gil

Table of contents

Related Articles

Research

Facebook Hidden Friends Vulnerability (With “fb-hfc” released)

We reported the hidden friends vulnerability to Facebook; this lets attackers reconstruct the private Friends...
May 29, 2014
Learn more
Tech Talks

Welcome to The Cyber Feed

Over the past three decades, IT security solutions have developed to effectively secure most networks...
Jun 30, 2015
Learn more
Tech Talks

Could a List of 17k Hacked Twitter Accounts be Worth Over $1B?

Sep 1, 2016

Earllier this week, our threat intelligence analysts “stumbled upon” yet another list of passwords and emails of 17,000 Twitter users. Well, they didn’t really stumble upon the list, the list was picked up on a paste site by Argos Edge, our Threat Intelligence Platform.

Following further investigation, we found out that this is the work of a threat actor going by the name of Polidox. Polidox has been identified as a Danish cracker who targets various brands and companies, such as Twitter, Facebook, Minecraft, Twitter, Tumblr, WWE, etc. Furthermore, we discovered that in order to crack the accounts, the cracker used a tool named ‘Sentry MBA’, which is a popular tool for credential stuffing attacks.

Credential stuffing is an attack that tests stolen credentials against the authentication mechanisms on websites and mobile application API servers, to discover instances of password reuse across those applications, and enable large-scale account takeovers.

The reason we believe Polidox used the Sentry MBA stuffing tool is because he follows a similar pattern followed by known crackers which use credential-stuffing attacks (targeting multiple known brands which are known targets for these kind of attacks), and also because many of the credentials found in the leak were found in previous leaks of different companies, thus making them vulnerable for this kind of attack.

So What’s the Big Deal you Ask?

Well, imagine the following scenario:

A cybercriminal or a script kiddy, gets a hold of the list and puts a simple script together that uses the credentials on the list to access the 17,000 Twitter accounts and tweets something that looks very legit:

twitter.png

However, the tweet is not as innocent as you’d think. The shortened URL in the tweet, leads to a site that seemingly looks blank but has a hidden JavaScript call to some ransomware code.

try{document.body--}catch(dgsdg){e(a);}

Let’s Look at the Numbers

If we assume that, on average, each Twitter account has 10K followers and that we have a 10% conversion rate of people reading the Tweet and then clicking the URL, we get the following:

infographic.jpg

170,000 people infected by ransomware!

Looking the rates of ransomware payouts, which stand at 1-2 bitcoins ($569.65 – $1139.3), you get a mind blowing figure that a cybercriminal could make off this one list –

infographic2-2.jpg

So, no, not a billion dollars but enough to not work another day in your life. And, it’s even more than the Bangladesh heist!

As you realize, this leak is not limited to the actual users on it but also enables cyber criminals to take over their accounts and target their followers. This could mean that far more Twitter users will become victims of fraud and cybercriminal activities during the weeks and months ahead as a result of the leak.

Lastly, the fact that the credential stuffing tool was successful at validating 17K Twitter users, emphasizes the fact that people still(!) reuse passwords across multiple websites. A frightening and concerning fact, as this type of attack has exponential repercussions.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start