How we found more than 1.5M user credentials on a public website with Google Dorks queries

Including Spotify, Gmail, Netflix, Facebook and other big ones …

CERT CYBERPROTECT <csirt@cyberprotect.fr>
By Rémi ALLAIN <remi.allain@cyberprotect.fr>

Wednesday, Nov. 14, 2018

The files mentioned in this article were never stored on one of our machines at any time.
The work was only done on publicly accessible data.
We have reported the necessary information to the relevant authorities and services.

It all starts with a link

While we were investigating an alert reported to our SOC, we landed on a famous hacking forum on the dark net. There, to our great surprise, we found a link (not related to the investigation) pointing to a text file stored on a website (not on the dark net).

This file contained a hundred user credentials for the Spotify premium service. What aroused our curiosity was the freshness of the information: less than 2 months old. It is common to find files of this kind; they usually correspond to databases that have been hacked and then distributed. However, when those files are publicly available, their data are usually outdated.

So we tried to answer a question: where did this data come from, and how was it acquired?

Let’s start our investigation!

Investigating the sources

The second point that caught our attention was the format of the URL. As with a CMS, the file path followed this format:

http://{subdomain}.{domain}.{tld}/{year}/{month}/{day}/{3-digits}/{19-digits}.txt

To find out whether there were more files like this on the website, we used some Google Dorks queries (more information on this technique here).

Below is an extract of the queries we used:

site:{domain}.{tld} password
site:{domain}.{tld} email
site:{domain}.{tld} login
site:{domain}.{tld}/{year} password

Jackpot! More than five hundred text files containing passwords were found. In addition, the results contained a lot of other files such as PDFs, Docs, scripts, etc.

After many hours of deep diving into those files, we were able to identify where the data came from. We detail below the two most important sources (almost 50% of the data retrieved).
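The freshness question raised earlier can be answered from the path alone once a list of result URLs is in hand. The sketch below is an added example, not code from the original investigation: it recognises the path layout quoted above, validates the embedded calendar date and sorts matches by age. The host name, the sample URLs, the digit widths assumed for year, month and day, and the 60-day threshold (standing in for "less than 2 months") are assumptions.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Path layout quoted in the article:
#   /{year}/{month}/{day}/{3-digits}/{19-digits}.txt
# Assumption: the year has 4 digits, month and day have 1 or 2.
DUMP_PATH = re.compile(r"^/(\d{4})/(\d{1,2})/(\d{1,2})/\d{3}/\d{19}\.txt$")

REFERENCE_DAY = date(2018, 11, 14)  # the article's publication date

# Constructed sample URLs on a placeholder host.
SAMPLE = [
    "http://files.example.test/2018/10/02/123/1234567890123456789.txt",
    "http://files.example.test/2017/12/20/045/0000000000000000001.txt",
    "http://files.example.test/2018/13/02/123/1234567890123456789.txt",
    "http://files.example.test/2018/10/02/12/1234567890123456789.txt",
    "http://files.example.test/2018/10/02/123/readme.pdf",
]

def parse_dump_url(url):
    """Return the date encoded in the path, or None if the URL does not match."""
    m = DUMP_PATH.match(urlparse(url).path)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13 or 31 February
        return None

def triage(urls, today, fresh_days=60):
    """Split matching URLs into (fresh, stale) lists of (age_in_days, url)."""
    fresh, stale = [], []
    for url in urls:
        d = parse_dump_url(url)
        if d is None:
            continue
        age = (today - d).days
        if age < 0:
            continue  # path date in the future: not a plausible dump date
        (fresh if age <= fresh_days else stale).append((age, url))
    return sorted(fresh), sorted(stale)

if __name__ == "__main__":
    fresh, stale = triage(SAMPLE, REFERENCE_DAY)
    for age, url in fresh:
        print(f"fresh ({age} days): {url}")
    print(f"{len(stale)} stale, {len(SAMPLE) - len(fresh) - len(stale)} ignored")
```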

#1 Nocturnal Stealer


Nocturnal Stealer is a malware first seen in March 2018 for the price of $25. It’s an information stealer, as its name indicates. Its strength is the ability to steal data from a wide range of products,

including 28 different kinds of cryptocurrency wallets, saved FTP passwords within FileZilla, and Chrome and Firefox browser information (such as login credentials, cookies, web data, autofill data and stored credit cards). It also zips up system data, including IP address and language, machine ID, date/time, installation location, operating system, architecture, username, processor type, video card info and a list of all running processes, to send to the C2 server.
https://threatpost.com/nocturnal-stealer-lets-low-skilled-cybercrooks-harvest-sensitive-info/132422/

The program therefore collects information (passwords, logins, wallets, etc.) and saves it in files (informations.txt, passwords.txt, etc.) that are then sent to a C&C server.

I will not redo a deep analysis; you can find a good one here: https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

What interests us is the correlation with the freshness of the data. We are able to say that more than 120 distinct people have been pwned by this malware (based on the retrieved data).

#2 Spotify Brute & NordVpn Cracker

Another big source is the results from tools crafted by a hacker called `m1st`. He provides cracking tools like Spotify Brute and NordVpn Cracker, two brute-force programs.

Spotify Brute

Those tools first appeared around December 2017; data from these tools are therefore less reliable, although they can still be up to date if the attack has been carried out recently.

The password storage problem

Beyond the fact of being infected by an information stealer, the real problem is how passwords are stored on hosts. This can be illustrated with FileZilla:

FileZilla is an FTP client software that stores its history as plain text in file recentservers.xml, and stores its login data as plain text in file sitemanager.xml. pwgrab32 can easily obtain their history records and credentials by parsing these two XML files.
https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
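To check your own hosts for the storage problem described above, the following audit sketch classifies each saved FileZilla site by how its password is kept, without ever returning the secret. It is an added example, not code from the article or from FileZilla: the sample XML is constructed, and the element and attribute names (`Server`, `Pass`, `encoding="base64"`, `encoding="crypt"`) are assumed from the FileZilla 3 file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml content; hosts, users and secrets are made up.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><User>alice</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><User>bob</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>backup.example.test</Host><User>carol</User>
      <Pass encoding="crypt" pubkey="CONSTRUCTED">CONSTRUCTED</Pass>
    </Server>
    <Server>
      <Host>ask.example.test</Host><User>dave</User>
    </Server>
  </Servers>
</FileZilla3>"""

RECOVERABLE = ("plaintext", "base64")

def audit_sitemanager(xml_text):
    """Return (host, user, storage) per saved site; the password is never returned."""
    findings = []
    # iter() also reaches sites nested in folders and works on recentservers.xml
    for server in ET.fromstring(xml_text).iter("Server"):
        host = server.findtext("Host", default="?")
        user = server.findtext("User", default="")
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            storage = "none"        # nothing saved, user is prompted
        elif pw.get("encoding") == "crypt":
            storage = "encrypted"   # protected by a master password
        elif pw.get("encoding") == "base64":
            storage = "base64"      # encoding only, trivially reversible
        else:
            storage = "plaintext"
        findings.append((host, user, storage))
    return findings

def exposed(findings):
    """Sites whose password any process running as the user can read back."""
    return [f for f in findings if f[2] in RECOVERABLE]

if __name__ == "__main__":
    for host, user, storage in exposed(audit_sitemanager(SAMPLE)):
        print(f"{user}@{host}: password stored as {storage}")
```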

What’s more, nowadays the majority of web browsers provide a password storing and autofill feature. Even if it’s useful, storing sensitive data in a browser password manager is generally a terrible idea.

For example, the Firefox built-in password manager stores the encrypted credentials in a file called `logins.json`. The usernames and passwords stored are encrypted with a key that is stored in the `key4.db` file. Both files can be located in the filesystem. Then it’s very easy to decrypt the data, especially with Metasploit modules.

The Google Dorks problem

This is not the first time sensitive data have been retrieved thanks to Google Dorks. Last summer a security researcher, Kushagra Pathak, demonstrated how he found passwords and sensitive information on public Trello boards with a Google query.

https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724

In cybersecurity, those queries are often one of the first steps to find information about targets.

Solutions

Simple solutions can prevent you from ever finding your information in these types of files.

  1. Use strong passwords (minimum length of 10, with alphanumeric and special characters, upper and lower case).
  2. Use 2FA (two-factor authentication) as much as possible; sadly, not all services provide it.
  3. Don’t use your browser's built-in password manager. Prefer solutions like TeamPass or LastPass.
  4. Use an anti-virus and/or a network system that detects data leakage, like FortiClient, and more with the Fortinet Security Fabric.
  5. Regularly check public information about your organization with Google queries.
