My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Are Leaked Credentials Dumps Used by Attackers?

Published: 2023-08-04. Last Updated: 2023-08-04 07:46:31 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Leaked credentials are a common thread for a while. Popular services like “Have I Been Pwned”[1] help everyone know if some emails and passwords have been leaked. This is a classic problem: One day, you create an account on a website (ex: an online shop), and later, this website is compromised. All credentials are collected and shared by the attacker. To reduce this risk, a best practice is to avoid password re-use (as well as to not use your corporate email address for non-business-related stuff).

I’ve been watching dumps of leaked credentials for a long time. My goal is not to compete with the service above. I do this for research purposes and to track potential leaks for juicy domains. Most of the "combo" files that you can find on the Internet are compilations of old leaks but presented as "fresh", "verified" or "valid" by the attacker:

  • 250K-belgium-Combolist.txt
  • 300kusa.txt
  • 310k-yahoo-combos.txt
  • 75k HQ Valid mail access.txt
  • 83k mail_access.txt
  • 50K Combo private BY AmrNet1 All Site.txt
  • ...

The quality of these dumps is very poor. Most verifications I performed with 3rd parties always gave the same results: the account has not existed for a long time, our password policy has changed, etc.

In another life, I operated a free UNIX shell service and provided a free email address to users (linked to the shell access). Guess what? Many email addresses were lost everywhere and are part of many leaks (of course, mine was also leaked). My current credentials database contains 43 unique email addresses related to my domain rootshell.be. I stopped the free shell service for years, but my domain is still used today for personal purposes and catch-all addresses. So, I'm still collecting many emails sent to these old addresses.

But are these leaks used to try to get access to mailboxes (or other services)?

I searched my mail server logs to see if they were rejected authentication with these leaked accounts. Guess what? There are! Over the last six months, 27 unique logins (>50%) were used at least once. Here is the activity across the previous six months:

There are attempts every day, with peaks from time to time. Here is the top-ten of countries from where these connections occurred:

Netherlands

633

Vietnam

555

India

520

China

409

Russia

389

United States

356

South Korea

286

Brazil

247

Thailand

208

Gambia

185

Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials!

[1] https://haveibeenpwned.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments


Diary Archives