

[Security Knowledge] Security Primer: Who Has Your Password?

Posted on 11/25/2014 6:10:15 PM
A few days ago, several friends of mine had their passwords stolen, and they were stolen in bulk: the passwords of many different websites they had registered on were compromised at the same time.

How do hackers steal passwords?

When an account is stolen, the first suspect is that the computer has been hit by a Trojan: attackers plant a Trojan on a personal computer and then steal passwords through keylogging, phishing and similar methods. So the author checked the computers of several friends whose passwords had been stolen and found no Trojans at all; clearly their accounts had not been stolen that way.

Since their own computers were not the problem, it is likely that a website they had registered on had been "dragged" (拖库). A quick explanation of the term: "dragging the database" means that a website's user data is stolen through SQL injection or other means, yielding that site's usernames and password information. Many well-known websites have suffered such incidents, for example CSDN, Tianya and Xiaomi. Hackers trade and aggregate the dumped databases into so-called "social engineering databases" (社工库), which hold a large amount of account and password information from breached sites. So the author looked up a friend's account on a social engineering database site commonly used by hackers, and sure enough found the leaked account and password:



The screenshot shows that the friend's password was leaked from 51CTO and that it was stored as an MD5 hash. That is no real obstacle: an unsalted MD5 of a common password is not "decrypted" but simply looked up, and there are many websites on the Internet that query the plaintext behind an MD5 hash from precomputed tables. Searching for the ciphertext on CMD5, for example, quickly turns up the original password:
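The lookup described above, as an added example that is not part of the original post: a small hash-to-plaintext table stands in for the huge precomputed tables behind sites like CMD5 (the wordlist and the "leaked" record are constructed here), and for contrast the same password is stored with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256, chosen here as an illustration, not what 51CTO used), which makes a shared lookup table impossible.

```python
import hashlib
import hmac
import os

# Constructed wordlist: a real lookup service holds billions of entries,
# but the principle is identical (hash once, look up forever).
WORDLIST = ["123456", "password", "qwerty", "abc123",
            "woaini1314", "iloveyou", "letmein"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_md5_table(words):
    """Precompute hash -> plaintext once; every leaked hash is then an O(1) lookup."""
    return {md5_hex(w): w for w in words}


def lookup_md5(leaked_hex: str, table: dict):
    """Return the plaintext for an unsalted MD5 hash, or None if it is not in the table."""
    return table.get(leaked_hex.lower())


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash; the salt is stored beside the digest as 'salt$digest'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def pbkdf2_verify(password: str, stored: str, iterations: int = 100_000) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def demo():
    """Crack a constructed leaked MD5 record, then show why salting defeats the table."""
    table = build_md5_table(WORDLIST)
    leaked_record = md5_hex("woaini1314")      # constructed: what a dump would contain
    cracked = lookup_md5(leaked_record, table)

    # Two users with the same password get different stored values, so one
    # precomputed table cannot serve both; each guess must be recomputed per user.
    stored_a = pbkdf2_hash("woaini1314")
    stored_b = pbkdf2_hash("woaini1314")
    return cracked, stored_a != stored_b, pbkdf2_verify("woaini1314", stored_a)


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that MD5 is fast and unsalted, so the cost of the table is paid once for every site that uses it; a per-user salt forces the attacker to redo the work for each account, and the iteration count makes each guess expensive.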



With the plaintext recovered, the author logged in to the friend's account with that password, and sure enough the login succeeded. So the route by which the password leaked has been found. The question now is: how did hackers get into the friend's accounts on several different websites?

A shocking underground database

Time to bring out another tool of ours (www.reg007.com). Because many people habitually register many services with the same email address, this site lets you query which websites have been registered with a given email. The first time my friends and I saw it we were stunned. Below is the result of querying one email address; 21 registered websites were found:



In fact, many friends have the same habit: to make passwords easy to remember, they register every website with the same username and password, whether it is a small forum or a shopping site that handles money such as JD.com and Tmall. This is very unsafe: if any one of those sites falls, every account is at risk. Especially since the CSDN database leak in 2011, more and more websites have had their databases leaked, and those leaked databases can be found on websites at will. Think about it: if your password is the same everywhere, the steps above reveal which university you attended (Xuexin.com), where you have worked (51job, Zhaopin), what you have bought (JD.com, Taobao), who you know (cloud address book) and what you have said (QQ, WeChat).
The following figure shows some of the social engineering database data exchanged on underground websites:


None of this is alarmist, because there are far too many websites in the real world that can be "credential-stuffed", and there are many examples of large-scale "database washing", "credential stuffing" and "card swiping" in the black-market industry. To explain these terms: after obtaining a large amount of user data by "dragging the database", hackers monetize the valuable data through a series of technical means and the black-market supply chain; this is usually called "washing the database" (洗库). Finally they try the obtained credentials against other websites, which is called "credential stuffing" (撞库). Because so many users like a single username and password for everything, credential stuffing is often very rewarding.

Searching the vulnerability submission platform WooYun (乌云, "Dark Cloud") shows that many websites have credential stuffing vulnerabilities. The attacking and defending sides have gone back and forth repeatedly, and because it is "simple", "crude" and "effective", credential stuffing has always been especially popular in the black-market circle.

The author once encountered a large-scale credential stuffing incident at a well-known Chinese email provider during a project. Below are some excerpts from the emails exchanged at the time:





Anomaly analysis

From about 10 o'clock this morning until about 21:10 this evening there were obvious abnormal logins, which are basically determined to be a hacker attack. The hacker uses an automated login program to issue a large number of login requests from the same IP in a short period, concurrently and at high frequency, up to more than 600 login requests per minute. Over the whole day there were 225,000 successful logins and 43,000 failed logins in total, involving about 130,000 accounts (2 logins per account);

The hacker logged in from the basic WAP version, switched to the standard version after a successful login, and turned off login notifications in the standard version, which triggered a text-message alert about the modification to the phone number bound to the account. From the log analysis, no other behaviour was found after the hacker modified the login notification, and the hacker sent no emails after logging in.

The preliminary analysis results are as follows:

1. The hacker logs in with the standard username-password authentication method, and the authentication success rate is very high. Querying the logs of the last few days, no login attempts by these users were found. That is, the user passwords were obtained by other means, not by brute-forcing the passwords of the email system;
2. The registration locations of the stolen users are spread all over the country with no obvious pattern, and there is no obvious pattern in the registration times either;
3. Some usernames and passwords intercepted by packet capture show that different users' passwords are different, with no similarity, and they are not simple passwords; I selected a few user passwords and tried to log in to the 163 mailbox, Dianping and other websites, and found that the logins succeeded;
4. The hacker's login IP addresses come from many sources, including Xi'an (Shaanxi), Ankang, Hefei (Anhui), Huangshan, Huainan and other cities. After we block an abnormal login IP, the hacker quickly switches to another IP, so our blocking soon becomes ineffective. We can only follow behind the hacker, and based on the frequency characteristics we only block after a certain count is reached.
5. The users' previous activity status cannot be matched until tomorrow. But judging from the current situation, my personal preliminary guess is that there are both active and inactive users, and most should be inactive users.
From the above analysis it is basically clear that the hacker already had these users' username and password information in hand, and most of it was correct. The passwords were probably obtained from earlier leaks of various online password data.
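The signals the email above uses to tell credential stuffing apart from brute force (hundreds of requests per minute from one IP, many distinct accounts with about one attempt each, a high success rate, versus one account hammered with wrong guesses) can be turned into a log check. The following is an added example, not code from the incident; the log format and the sample lines are constructed here, and the default thresholds (600 per minute, 2 attempts per account) are taken from the figures in the email.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed login log, not real data.
    Line format (assumed): ISO-timestamp ip=<addr> user=<name> result=OK|FAIL"""
    base = datetime(2014, 11, 20, 10, 0, 0)
    lines = []
    # Credential stuffing: one IP, 650 distinct accounts inside one minute, ~87% success
    for i in range(650):
        ts = base + timedelta(milliseconds=90 * i)
        result = "FAIL" if i % 8 == 0 else "OK"
        lines.append(f"{ts.isoformat()} ip=10.0.0.1 user=u{i:05d} result={result}")
    # Brute force: one IP, one account, 300 wrong guesses over five minutes
    for i in range(300):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ip=10.0.0.2 user=victim result=FAIL")
    # Ordinary users: one successful login each from their own address
    for i in range(5):
        ts = base + timedelta(minutes=i, seconds=17)
        lines.append(f"{ts.isoformat()} ip=192.168.1.{10 + i} user=person{i} result=OK")
    return lines


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), **fields}


def profile_by_ip(lines):
    """Aggregate attempts, successes, distinct accounts and per-minute rate for each source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(),
                                 "per_min": defaultdict(int)})
    for line in lines:
        ev = parse_line(line)
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["ok"] += ev["result"] == "OK"
        s["users"].add(ev["user"])
        s["per_min"][ev["ts"].replace(second=0, microsecond=0)] += 1
    return stats


def classify_ip(s, rate_threshold=600, min_attempts=50):
    """Label one IP's profile. Thresholds are assumptions modelled on the email's figures."""
    if s["attempts"] < min_attempts:
        return "normal"
    success_ratio = s["ok"] / s["attempts"]
    attempts_per_user = s["attempts"] / len(s["users"])
    peak_per_min = max(s["per_min"].values())
    # Stuffing: many accounts, about one try each, mostly correct -> stolen credentials
    if attempts_per_user <= 2 and success_ratio >= 0.5:
        return "credential_stuffing"
    # Brute force: few accounts, many tries each, almost all wrong
    if attempts_per_user > 10 and success_ratio < 0.1:
        return "brute_force"
    if peak_per_min >= rate_threshold:
        return "high_rate"
    return "normal"


def detect(lines, **thresholds):
    """Return {ip: verdict} for every source that is not classified as normal."""
    verdicts = {}
    for ip, s in profile_by_ip(lines).items():
        verdict = classify_ip(s, **thresholds)
        if verdict != "normal":
            verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect(make_sample_log()).items():
        print(ip, verdict)
```

Because the email notes that the attacker rotated IPs as soon as one was blocked, a per-IP view alone is not enough in practice; the same aggregation keyed by account (first login ever from a new client, followed by a notification change) catches the pattern even when every IP stays under the rate threshold.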

Security advice

Finally, the author asks: do you want your password to be in someone else's hands, or stored in someone else's database?

To protect everyone's passwords, the author offers a few suggestions:

1. Change your passwords regularly;
2. Keep the account passwords of important websites separate from those of unimportant ones; for sites such as Tmall and JD.com it is best to use a different password for each account, so that one breached site does not expose the others;
3. Make each password reasonably complex, for example more than 8 characters including uppercase and lowercase letters, digits and special symbols. To keep this manageable, use dedicated password-management software to store your passwords; the best known is KeePass.
I hope the above helps everyone understand password security better, and so better protect their personal privacy and property.



