The hugest collection of usernames and passwords has been filtered…or not (II)

ElevenPaths    4 February, 2019
In the previous entry we focused on analyzing the content of these files from a critical point of view, that is, on clarifying that when a massive leak releasing millions of passwords is announced, the reality is not entirely what it seems. After all, what has been leaked is a collection of leaks, gathered over time by a certain group of people or by an individual.
The leak we examined contains 640 Gb of content. We must clarify that it is not only the leak called “Collection #1” or the subsequent “Collection #2” and so on (the best-known ones). Collections of this kind circulate on the Internet, on several forums or uploaded to servers that anyone with some patience can access.

Even considering that the content of these files is not always recent, or that much of the data may be completely irrelevant, this is not the only aspect that worries us. Leaks of this kind make us feel vulnerable and show starkly how privacy is traded. However, there are other aspects to analyze. For instance, thanks to these leaks we can learn what the interests of these traders are, how the collections are built, where the files originally come from and (above all) what they are later used for.
From a constructive point of view, we are going to examine how the collection is structured as well as the potential origin of these files. We say “potential” because in most cases we cannot state their origin with certainty.
In some files, the organization consists of TLD domains attributed to groups and countries. This would allow certain kinds of attacks (phishing and scams, in general) to be targeted at a particular type of organization or group with shared characteristics.

pc folders image

In this organization we can observe lists of leaks (very likely) coming from sites that could have been compromised, both to extract their databases and to inject JavaScript code that steals the data from form fields filled in by the website's visitors (who then become the second victims, together with the website itself).

leaks list image

Sometimes, lists of thematic websites are gathered. This is interesting for attackers, since it allows them to carry out very targeted campaigns successfully. Let us imagine that the users of these sites receive an e-mail inviting them to enter their credit card details to gain a free month of subscription or a discount. The attackers could even show the user's password to gain their trust. Of course, in the case of pornographic or adult dating sites, they may also use the consumption of this kind of service as a means of blackmailing users.

Video game selling sites list image

In the same way, they also have lists related to video game selling sites:

list image

As well as lists related to Bitcoin (or cryptocurrency in general) sites:

Cryptocurrency sites list image

There are more thematic divisions based on different types of services: purchases, streaming sites, etc.

The files usually include e-mails and passwords in the classic format: [email]:[password]. In other cases, the information is organized in raw form. This, for instance, is a direct database dump:

Direct database dump image

As a curiosity, we have compiled statistics on the frequency of e-mail address domains in order to see which ones are most repeated across the various leaks. On the one hand, we must bear in mind that some e-mails can be repeated in several files (we said earlier that a high number of them were repetitions of the same e-mail across different leaks). On the other hand, certain e-mail services are more popular than others. Moreover, we must also consider in which countries this leak can be more or less useful (in the case of campaigns targeted by location).

Campaigns targeted by location image

Six of the domains are focused on Russia, two on France and two more on the United Kingdom. QQ is a service mainly used in China.
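The domain statistics above are the kind of thing a defender can reproduce to find out whether their own organization's domain appears in such a collection. The following Python script is an added example, not code from the original post or from ElevenPaths: it parses the classic [email]:[password] layout (and the ";"-separated variant sometimes seen in raw dumps), discards the password part entirely since only the address is needed, de-duplicates addresses so repeats across leaks do not inflate the counts, and rolls the per-domain counts up to TLD level to mirror the TLD-based folder organization described earlier. The sample lines are constructed for the example and are not taken from any real leak.

```python
import re
from collections import Counter

# Constructed sample lines (not real data) in the classic [email]:[password]
# layout, plus a duplicate, a ";"-separated entry, mixed case, a line with no
# password and a line that is not a credential at all, as seen in raw dumps.
SAMPLE_LINES = """\
alice@example.com:hunter2
bob@mail.example.org:pa:ss:word
alice@example.com:otherpass
   Carol@Example.COM:qwerty
not-an-email-line
dave@qq.com;letmein
eve@yandex.ru
""".splitlines()

# Deliberately simple address pattern: enough to locate the address part of a
# dump line; it stops at ':' or ';' so the password part is never captured.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_line(line: str):
    """Return the lowercased e-mail address found in a dump line, or None.

    Only the address is kept; whatever follows the separator (the password)
    is discarded, because domain statistics never need it.
    """
    m = EMAIL_RE.search(line)
    return m.group(0).lower() if m else None


def domain_frequencies(lines, dedupe: bool = True) -> Counter:
    """Count e-mail domains across dump lines.

    With dedupe=True each distinct address is counted once, so the same
    address repeated in several leaks does not inflate its domain's count.
    """
    seen = set()
    counts = Counter()
    for line in lines:
        email = parse_line(line)
        if email is None:
            continue
        if dedupe:
            if email in seen:
                continue
            seen.add(email)
        counts[email.rsplit("@", 1)[1]] += 1
    return counts


def tld_frequencies(domain_counts: Counter) -> Counter:
    """Roll per-domain counts up to the top-level domain (com, ru, ...)."""
    tlds = Counter()
    for domain, n in domain_counts.items():
        tlds[domain.rsplit(".", 1)[1]] += n
    return tlds


def addresses_for_domain(lines, domain: str):
    """Defender check: the distinct addresses under one domain in the dump."""
    suffix = "@" + domain.lower()
    found = {e for e in map(parse_line, lines) if e and e.endswith(suffix)}
    return sorted(found)


if __name__ == "__main__":
    by_domain = domain_frequencies(SAMPLE_LINES)
    print("most common domains:", by_domain.most_common(3))
    print("by TLD:", tld_frequencies(by_domain))
    print("example.com addresses:", addresses_for_domain(SAMPLE_LINES, "example.com"))
```

Running it on a real collection means pointing `domain_frequencies` at a file iterator instead of `SAMPLE_LINES`; the de-duplication set grows with the number of distinct addresses, so for a multi-hundred-gigabyte collection one would count per file and merge, or hash the addresses, rather than hold every raw address in memory.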
