Massive keylogger cache posted to

Details for thousands of accounts, from Facebook to PayPal, have surfaced over the weekend on The details, which come from keylogging software, appear to have been dumped automatically to the site based on observations from BitDefender, who tipped The Tech Herald off to their existence on Friday.

Along with usernames and passwords, which are expected, the user’s browser details, computer name, and IP address are included with several reports. Keyloggers use simple and quick methods to transfer their information to the person controlling them. Usually the harvested data is shuffled to a remote FTP server or E-mail address.

However, BitDefender noted, “…this dramatically increases the possibility for the law [enforcement] to find out who the remote attacker is and to ultimately get him. Furthermore, the e-mail approach is extremely “noisy”: it is easy for a system administrator to spot the traffic, not to mention that antimalware utilities usually let users know when an E-mail leaves the system.”

To address that shortcoming, criminals, working hand-in-hand with their development counterparts, have developed keyloggers and data harvesting systems that will post their reports to the Web. This keeps things on the low, and is just one of the many places where such logs can be sent. Once online, they can remain relatively hidden and retrieved at will. The problem is that if the criminals can locate them, so could anyone else.


[This is an example of a keylogger data file on Pastebin.]

Analyzing the source code for some of the keyloggers out there, BitDefender discovered several modules available that would allow posting harvested data to, as well as other public places. BitDefender’s blog post is here.

After BitDefender alerted us to the cache and their subsequent blog post related to their discovery, we did some digging to see what remained. It is important to note that most of the keylogger posts have been reported and removed. Many of the entries have been scrubbed from Google’s cache and the site itself. However, some were available via cache on Bing and Yahoo over the weekend, and even now some of the keyloggers are posting new details.

What we discovered is an interesting sample of more than 3,000 entries (more than 4,000 without in the raw data), containing not just usernames and passwords, but the computer names, IP addresses, and browser preferences.

In some of the cases, it is clear that what was available on not only came from keylogging, but Malware that captured the stored authentication credentials within browsers, IM clients, and FTP applications. Also, there are several cases where it looks like a public computer was monitored, as the same system included details for several users. This could also be a sign of several users on a single system in a household.

The data collected by The Tech Herald includes U.S. accounts, but the majority of the data comes from users in Europe, especially Germany and France, with smaller samples from people in Russia, the U.K., and South America. Included in the harvested data are accounts that were accessed as recently as June 3, to accounts as old as January of this year.

The information dumps list accounts for O2, Vodafone, AT&T, Comcast, and Orange on the telecom front, but there are Webmail accounts, such as GMX, and, as well as a seriously large amount of online and desktop-based gaming accounts. This is telling, as most keylogging Malware targets gamers when it is seen in Europe, and Internet cafes are popular there too, which would explain the multiple accounts from the same system and location.

In addition, social networks are represented, including Facebook, MySpace, Hi5, Jappy, meinVZ, Twitter, Vimeo, Deviant Art, and Wer-Kennt-Wen. There are AOL, ICQ, MSN, Google Talk, and Yahoo messenger details. These accounts also lead to MSN, Yahoo and Google-based service accounts. Commerce-wise, there are Newegg accounts alongside EBay, PayPal, and dozens of other online merchants. A few of the users compromised exposed themselves to serious fraud given the constant presence of online banking details.

True, the social networking, banking, IM, Webmail, and other accounts exposed can cause problems. The number of ISP related accounts are an issue as well. Within the harvested information is router access, cPanel access, FTP access, domain name management, Dynamic DNS management, and hosting support accounts to name a few.

It could be argued that this isn’t news, given the low number of accounts and passwords discovered. At the same time, this isn’t the first time Pastebin has been in the news for inadvertently hosting harvested data.

Last fall, a cache of passwords from Hotmail appeared on the site. While removed, they were online long enough to have been accessed by an untold number of people before they were reported. It should be noted that once reported, the previous owner of Pastebin, Paul Dixon, acted quickly to pull them down.

However, 3,000 plus accounts is nothing to scoff at. The data that is in the raw list is enough to compile a massive Phishing or Spam list, as well as add to a dictionary for cracking use. In fact, one of the things we discovered while searching Pastebin was a brute force script for Facebook, as well as a Phishing kit targeting the social networking giant.

Another thing to consider is that even the passwords and accounts from January could still be valid, given the constant reuse of passwords. Adding to this is the other data contained in the lists, which could be leveraged for granular attacks on a network or person.

For example, some of the accounts compromised are community based forums for gamers, not to mention the accounts from Megaupload and RapidShare, clearly related to pirated material downloads.

Targeting those users with the latest 0-Day games, music, or movies would be an easy way to ensure that the data on the passwords lists are valid. The number of adult related sites and services is a second vector of attack, an old school ploy that has been used before. It’s been well established that many fly-by-night porn sites can cause problems by serving Spyware and Adware, and recently more malicious software.

The harvested data tells a common story. There’s a strong need to use different passwords depending on the function of the site. However, mixing up passwords between sites isn’t enough, they need to be strong passwords that would pose a bit of a challenge for the person or program guessing them.

One password, “tigger”, was used on Facebook, as well as Webmail and two different MSN accounts. It wouldn’t be that hard to guess such a password, and six characters is little challenge for most cracking programs. Tigger is also a “Winnie the Pooh” character. Common names, even fictional ones, should be avoided when constructing a password.

In addition, because of how the passwords were collected, it is worth mentioning that many keyloggers and information stealing programs can be blocked by using updated security software.

We’ve contacted the new owners of Pastebin to see how they plan to address criminals abusing their service. If they respond we will update this article with their comments. In addition, we plan to publish more details on the information we discovered later this week.

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Awesome Stuff Made Out Of Car Parts

An awesome picture has started doing the rounds showing a bathroom with sinks made out of car tires and faucets created from gas pumps. It’s the ideal bathroom for any discerning car nut. That got us thinking — what other stuff is there made out of car parts and car paraphernalia. Here are some of the coolest […]

Range Rover Evoque Convertible Confirmed

Land Rover has officially confirmed that the Range Rover Evoque Convertible will go on sale in 2016. The company released some publicity photos showing a prototype of the Evoque Convertible driving through train tunnels under construction in London. The company says use of the Crossrail tunnels let them test the convertible in privacy. A Land […]

Mercedes-AMG GT3 Racing Car to Debut at Geneva Motor Show

The company says the standard Mercedes-AMG GT already provides the ideal base for the race model, with low centre of gravity, good weight distribution and wide track width.The driver sits on a carbon-fibre seat pan and is protected by a roll-over cage made from high-tensile steel.The engine cover, doors, front wing, sidewalls, side skirts, diffuser, […]

Lamborghini Aventador Wallpaper

Lamborghini Aventador wallpaper for your desktop or mobile device. The Aventador LP 700–4  has a 6.5 liter V12 that will go 0–60 mph in  2.9 seconds and take you all the way to 220mph and maybe beyond.Each image links to a page with multiple sizes of wallpaper you can download.

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in the photo is probably causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a university in the UK told the BBC that it was impossible to see what other people see but that it […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]