Five million Gmail credentials posted online

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials whose user name is a Gmail address were published. For example, if you subscribed to a newsletter on the site using as your user name and the password thumbsup, then it is possible that this pair has been made public. How? Possibly was hacked at some point in the past.

The site where the list was posted referred to itself as Bitcoin Security, and the forum that published the email addresses with matching passwords is in Russian.

Some people who reviewed the data said that in most cases the passwords were about five years old and no longer gave access to the accounts. However, some were apparently still current, and attempts to use the credentials have been reported. The working assumption is that this is not a single breach but a compilation of credentials harvested by phishing campaigns and malware over recent years.

A website called appeared during the day purporting to let people check whether their Gmail address had been compromised. However, as of right now it does not appear to be functioning correctly, and frankly I would not go there. Instead, you can check your email address at this site, Have I been pwned, which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks, such as the one affecting Yandex, a popular search engine in Russia. Later, The Daily Dot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised. As mentioned above, the credentials appear to have been stolen through phishing campaigns and malware that compromised individual user accounts; in other words, they were not leaked by the systems for which they were created, but taken from the users of those systems.

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could reveal your home address and let a stranger see who your friends are. The lesson here is that if you use a Gmail address as a user name at some other site or online service, you should NOT reuse your Gmail password there. Remember: different passwords for different sites and services.
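For a site operator, the practical question when a dump like this appears is which of the leaked pairs still work against your own user database, so that forced password resets can be targeted rather than blanket. The script below is an added illustration, not code from the original post or from ESET. It assumes the dump arrives as plain "email:password" (or "email;password") lines and that the site stores salted PBKDF2-HMAC-SHA256 hashes; the user store and the dump are constructed sample data. Each leaked pair is classified as current (the leaked password still matches the stored hash), stale (the user exists but has a different password) or unknown (no such user here).

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; kept modest for the demo, use far more in production


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def parse_dump(lines):
    """Yield (email, password) from 'email:password' or 'email;password' lines; skip junk."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for sep in (":", ";"):
            if sep in line:
                email, password = line.split(sep, 1)
                yield email.strip().lower(), password
                break  # malformed lines (no separator) are silently dropped


def triage(dump_lines, users):
    """Classify leaked pairs against a local user store {email: (salt, digest)}.

    Returns {'current': [...], 'stale': [...], 'unknown': [...]}; 'current' is the list
    of accounts whose leaked password still works and therefore needs a forced reset.
    """
    result = {"current": [], "stale": [], "unknown": []}
    for email, password in parse_dump(dump_lines):
        if email not in users:
            result["unknown"].append(email)
            continue
        salt, digest = users[email]
        bucket = "current" if verify(password, salt, digest) else "stale"
        result[bucket].append(email)
    return result


# Constructed sample data: a tiny user store and a four-line "dump"
USERS = {
    "alice@gmail.com": hash_password("thumbsup"),       # reused the leaked password
    "bob@gmail.com": hash_password("c0rrect-h0rse"),    # rotated since the leak
}
DUMP = [
    "alice@gmail.com:thumbsup",
    "BOB@gmail.com:oldpassword2009",
    "carol@gmail.com;nothere",
    "this line is malformed",
]


def demo():
    """Run the triage over the constructed sample."""
    return triage(DUMP, USERS)


if __name__ == "__main__":
    for bucket, emails in demo().items():
        print(f"{bucket:8s} {emails}")
```

Note that the check never sends the leaked passwords anywhere and never attempts a login; it only compares against hashes you already hold, which is the safe way to establish whether a credential is "still current".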

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

I hope this helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live.

by Stephen Cobb, ESET & Sabrina Pagnotta, ESET LATAM

About life, universe, radio, trojans, cybercrime and everything…


…ok, maybe a bit less about the universe and everything, but definitely about radio, trojans and cybercrime. :)

Yesterday I was again given the opportunity by Community Radio Youghal 104FM to talk to their listeners about cybersecurity. As I have already pointed out in a previous blog, 'Listen to the radio', along with my gratitude for giving me a chance to help their listeners stay safe online, it is very important for people to stay informed about the latest threats, so that they may better know how to avoid them.

It is the cybercriminals' job to keep coming up with new tricks (and new variations of old ones) all the time, in order to keep making money off their victims. According to one of our surveys, one in four Irish people has lost money to cybercrime, with total damages running into hundreds of millions. On the other side, in the IT security business, it is our job to prevent that from happening. A cat and mouse, cops and robbers game, but one in which computer users can make a huge difference if they take proper defensive measures.

In yesterday's radio chat, most attention was paid to a Trojan that has been hitting Irish mailboxes lately, disguised as a purchase order email. As was pointed out, the cybercriminals exploit people's curiosity to get them to install the malware on their own computers, but the scary thing about the Trojan itself is that people won't even know it's there. It doesn't crash or slow down the computer; it just sits there quietly, leaving the machine open for cybercriminals to control remotely for whatever nefarious purposes they choose. They could turn it into a 'zombie', part of a botnet used to send spam, take part in attacks on other systems or distribute illegal content. All without the owner knowing anything about it, until, possibly, law enforcement shows up at the door…

So this is just one of the many types of threat preying on the unwary, and new ones are being devised by the bad guys as we speak. But the internet is not that unlike the real world. Sure, there are dangers and bad people around, but if you act responsibly and are aware of your surroundings, it is a fun and pleasant place to explore. So rather than imagining the cyber-world as a dangerous place, know its bad sides and avoid them. Want to know 'how to'? ESET Ireland's blog's 'how to' selection is a good place to start. Or listen to the radio. ;)

by Urban Schrott, ESET Ireland

Monthly Threat Report: August 2014


The Top Ten Threats


1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.18%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files over HTTP; the downloaded files are then executed. The worm may delete the following folders:


2. JS/Kryptik.I

Previous Ranking: 2

Percentage Detected: 1.83%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.


3. Win32/Adware.MultiPlug

Previous Ranking: 7

Percentage Detected: 1.53%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

4. Win32/RiskWare.NetFilter

Previous Ranking: 3

Percentage Detected: 1.46%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted behaviour. It allows an attacker to connect to the infected system remotely and control it in order to steal sensitive information or install other malware.


5. LNK/Agent.AK

Previous Ranking: 4

Percentage Detected: 1.4%

LNK/Agent.AK is a shortcut (.lnk) file that chains commands: it opens the real, legitimate application or folder and additionally runs the threat in the background. It could become the successor to the autorun.inf technique. The underlying shortcut vulnerability became widely known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.


6. Win32/Sality

Previous Ranking: 5

Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activity on the system, ensuring that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:

7. INF/Autorun

Previous Ranking: 8

Percentage Detected: 1.2%

INF/Autorun is a generic detection of the AUTORUN.INF configuration file created by malware. The AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
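The description above is enough to write a simple triage check for a drive root: parse the [autorun] section, pull out whatever it would launch (open=, shellexecute= and shell\verb\command= entries), flag targets that point at an executable, and note when the file carries the Hidden+System attribute combination. The script below is an added example, not ESET's detection logic; it uses only the standard library, the sample autorun.inf is constructed for the demo, and the attribute check only has real data to work with on Windows (elsewhere st_file_attributes is absent and is treated as zero).

```python
import configparser
import os
import stat

# Extensions worth flagging when they appear in a launch command
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")


def parse_autorun(text):
    """Return the [autorun] section (keys lowercased) or {} if absent or unparseable."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(name)}
    return {}


def launch_targets(section):
    """Commands an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command=."""
    targets = []
    for key, value in section.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            value = value.strip().strip('"')
            if value and value not in targets:
                targets.append(value)
    return targets


def assess(text, hidden=False, system=False):
    """Return the reasons this autorun.inf looks like the malware-created kind ([] if none)."""
    reasons = []
    for target in launch_targets(parse_autorun(text)):
        # "rundll32.exe foo.dll,Entry" style commands: look at every token
        tokens = target.lower().replace(",", " ").split()
        if any(tok.endswith(EXECUTABLE_EXT) for tok in tokens):
            reasons.append(f"launches an executable: {target}")
    if hidden and system:
        reasons.append("file carries Hidden+System attributes")
    return reasons


def scan_drive_root(root):
    """Assess <root>/autorun.inf if present, using NTFS attributes where the OS exposes them."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # 0 on non-Windows
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return assess(text,
                  hidden=bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                  system=bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM))


# Constructed sample in the shape described above; not a real malware artefact
SAMPLE = r"""[AutoRun]
; constructed sample
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for reason in assess(SAMPLE, hidden=True, system=True):
        print("suspicious:", reason)
    for drive in ("D:\\", "E:\\"):  # assumed removable-drive letters
        for reason in scan_drive_root(drive):
            print(drive, reason)
```

A legitimate installer CD also has an open= line pointing at setup.exe, so treat a hit as a reason to look, not a verdict: the combination of an executable launch target, the Hidden+System attributes and a removable drive is what makes the worm-dropped variant stand out.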


8. HTML/ScrInject

Previous Ranking: 6

Percentage Detected: 1.13%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.
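Both JS/Kryptik (item 2) and HTML/ScrInject (item 8) come down to the same two artefacts in a page: an iframe that the visitor is not meant to see, and script that hides what it does behind eval/unescape and long runs of encoded characters. The scanner below is an added example written for this post, not ESET's detection; it runs over constructed sample HTML using only the standard-library parser and reports hidden iframes, meta-refresh redirects and obfuscated script blocks. The thresholds (a 0/1 pixel frame, eight or more consecutive %xx or \x escapes) are assumptions for the demo, not published signatures.

```python
import re
from html.parser import HTMLParser

# Heuristics (constructed for this example; tune to your own traffic)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DIM_STYLE = re.compile(r"(?:width|height)\s*:\s*(\d+)", re.I)
OBFUSCATED_CALL = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(?:\\x[0-9a-f]{2}|%[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)


def _pixels(value):
    """Leading integer of an attribute such as width="0" or "1px"; None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def iframe_is_hidden(attrs):
    """True for iframes hidden by style or collapsed to 0/1 pixel in either dimension."""
    style = attrs.get("style") or ""
    if HIDDEN_STYLE.search(style):
        return True
    dims = [_pixels(attrs.get("width")), _pixels(attrs.get("height"))]
    dims += [int(m.group(1)) for m in DIM_STYLE.finditer(style)]
    return any(d is not None and d <= 1 for d in dims)


class ScrInjectScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and iframe_is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code = "".join(self._script)
            self._script = None
            # Both an evaluating call and a long encoded payload: classic packer shape
            if OBFUSCATED_CALL.search(code) and ENCODED_RUN.search(code):
                self.findings.append(("obfuscated-script", code[:60]))


def scan_html(text):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = ScrInjectScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample: one injected frame and one packed script beside benign content
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://example.invalid/video" width="640" height="360"></iframe>
<script>var s="%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29";eval(unescape(s));</script>
<script>document.getElementById("x");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE):
        print(f"{kind}: {detail}")
```

Run it over pages fetched by a crawler or pulled from a proxy cache; a hit on the hidden-iframe rule is the cheap signal, the script rule catches the cases where the redirect is built at runtime instead.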


9. Win32/Ramnit

Previous Ranking: n/a

Percentage Detected: 1.1%

Win32/Ramnit is a file infector that runs on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.


10. Win32/Conficker

Previous Ranking: 9

Percentage Detected: 1.08%

Win32/Conficker is a worm that spreads by exploiting a vulnerability in the Windows Server Service. The file is run-time compressed using UPX. When executed, the worm copies itself into the %system% folder using the name %variable%.dll.

The worm starts an HTTP server on a random port and connects to remote machines on TCP port 445 in an attempt to exploit the Server Service vulnerability. If successful, the remote computer connects back to the infected computer and downloads a copy of the worm.

The worm attempts to download several files from the Internet and then executes them; it contains a list of (1) URLs. It also disables the Windows Firewall. The vulnerability is described in Microsoft Security Bulletin MS08-067.

UK under attack by ‘Royal Mail’ phishing, carrying TorrentLocker

Three weeks ago, iSIGHT Partners discovered new ransomware that encrypts victims' documents, which they dubbed TorrentLocker. TorrentLocker propagates via spam messages containing a link to a phishing page where the user is asked to download and execute "package tracking information". In August, only Australians were targeted, with a fake Australia Post package-tracking page.

While tracking this new threat, ESET researchers found the malicious gang is targeting new victims. Internet users from the United Kingdom should be aware that fake Royal Mail package-tracking pages are online and distributing TorrentLocker.

[Image: Royal Mail phishing page]

The scheme is the same: you type a captcha, then click to download a zip file containing the executable payload. It is interesting to note that the fake Royal Mail page will only show if the visitor is from the UK; filtering seems to be based on the IP address of the request. If the request does not come from a UK IP address, the victim is redirected to . Three new domains are hosting the fake Royal Mail page:

  • registration information

As you can see, the registration date for these domains is September 2nd, so this campaign started very recently.

[Image: Executable file properties]

[Image: Encrypted files in users' pictures]

[Image: Warning shown upon execution of the malware]

Once installed, the victim's documents are encrypted and a ransom is demanded: 350 GBP if paid within 72 hours, or 700 GBP otherwise. Payment is made by Bitcoin transaction (1.19 BTC or 2.38 BTC). To hide their infrastructure, the web server is hosted on a .onion host on the Tor network.

To make it easy for victims to reach the web page, TorrentLocker provides links to Tor2Web nodes, so they don't have to install additional software to reach the .onion site. Interestingly, the domain name of one of the suggested Tor2Web nodes was registered only two weeks ago. Perhaps its only purpose is to let TorrentLocker's victims contact the server selling the decryption software.

"Decryption software" sold on the Tor network“Decryption software” sold on the Tor network

This threat carries the TorrentLocker name because it uses the "Bit Torrent Application" Windows registry key to store its settings. It is unrelated to the BitTorrent protocol.

The Bitcoin trail

[Image: Bitcoin transaction details]

As discovered by iSIGHT Partners, the Australian variant they analyzed asked for Bitcoins to be sent to 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg. In our case, the Bitcoin address changed to 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X. If you look at the transactions on both wallets, the Bitcoins are then transferred on to 17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43.

Since March 2014, this Bitcoin wallet has transferred over 82,272 BTC. With 1 BTC currently valued at US$480, that is roughly US$40 million in transactions. This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know whether this address is owned by the TorrentLocker gang or is some kind of exchange service used by different groups.
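Before following a Bitcoin trail like the one above, it is worth confirming that the addresses you copied out of a ransom note, a screenshot or a blog post are well-formed: a Bitcoin address is a Base58Check string with a four-byte double-SHA-256 checksum, so a single mistyped character makes it fail validation rather than silently point you at the wrong wallet. The validator below is an added example, not ESET's code; it needs only the standard library and runs offline. The Bitcoin genesis block address is used as a known-good reference value, and the three addresses quoted above are run through it as demo input.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def address_version(addr):
    """Return the version byte of a valid Base58Check address, or None if it fails the check.

    Layout: 1 version byte + 20-byte hash + 4-byte checksum (first 4 bytes of
    SHA-256(SHA-256(version || hash))). Version 0 is a standard pay-to-pubkey-hash address.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload[0] if digest == checksum else None


def check_addresses(addrs):
    """Map each address to its version byte, or None when it does not validate."""
    return {a: address_version(a) for a in addrs}


# Reference value: the genesis block coinbase address (known-good)
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# The three addresses quoted in the post above
TRAIL = [
    "15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg",
    "13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X",
    "17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43",
]

if __name__ == "__main__":
    for addr, version in check_addresses([GENESIS] + TRAIL).items():
        status = "OK (version %d)" % version if version is not None else "INVALID"
        print(f"{addr}: {status}")
```

The same decode-and-verify step is worth running on any indicator copied from a PDF or a screenshot, since OCR and retyping routinely swap characters that Base58 deliberately excludes (0, O, I, l) for ones it allows.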

[Image: Screenshot of a discussion on Hashtalk (now offline, retrieved from Google Cache)]

ESET products detect this threat as Win32/Filecoder.NCC or Win32/Injector.

SHA-1 hashes

  • 491C8276667074B502BD98B98C74E4515A32189B (exe)
  • 46A2426D7E062E76D49707B58A5DF28547CBC0F4 (zip)
  • 7C62651C5F4CB1C780C8E9C4692F3BF24208A61E (exe)



by Marc-Etienne M.Léveillé, ESET

AV-Comparatives Declares: “ESET Cyber Security Pro for Mac Provides Outstanding Protection”


ESET Cyber Security Pro achieved excellent results in the latest AV-Comparatives testing of protection for Mac users against Mac-specific and Windows malware.

ESET Cyber Security Pro, the Internet security software for Mac, was highlighted as outstanding by AV-Comparatives’ Mac Security Test and Review 2014. Testing by AV-Comparatives was for the detection of cross-platform malware targeting a wide range of platforms.

The AV-Comparatives test looked, among others, at malware and phishing alerts of Mac security software. With regards to ESET’s product it tested, it found the following:

ESET Cyber Security Pro provides outstanding protection against malware with a well-designed user interface. The main program window makes essential functions and information easily accessible and alerts are sensible. The help facilities are exemplary. ESET produced a perfect score in our malware tests, identifying all samples of both Mac and Windows malware.

"We are pleased that ESET Cyber Security Pro scored a perfect 100% in the latest AV-Comparatives test. The proven technology found in all ESET products provides comprehensive proactive protection against all known and unknown forms of threats targeting Mac users," adds Ignacio Sbampato, ESET Chief Sales and Marketing Officer.

ESET Cyber Security Pro offers users a number of improved native features together with a low system footprint, delivering a Mac-like feel. ESET's solution not only protects Macs but also eliminates Windows- and Linux-based threats, preventing Macs from becoming a platform for spreading malware. The new Anti-Phishing module ensures a high level of protection as users explore the online world.

The Irish are being emailed a trojan downloader

ESET Ireland finds a trojan downloader disguised as a purchase order email.

An email with a malicious attachment has been identified by ESET Ireland. The email pretends to be a “purchase order” confirmation email, but has an archive file attached. The email reads:


The recipient of the email is usually alarmed about a "purchase" they never made and wants to investigate by having a closer look at the "detailed information on your purchase" the email mentions.

The attachment, however, doesn't offer any "information"; instead it contains an executable file carrying a variant of a trojan downloader, which ESET detects as Win32/TrojanDownloader.Elenoocka. Elenoocka is a trojan that tries to download other malware from the Internet. It contains a list of 6 URLs and attempts to download several files from those addresses. The files can contain the Win32/Kryptik.CKEY trojan, from the rather nasty Kryptik family, which creates malicious system files that hide deep inside the operating system, evading detection and essentially opening the computer to any infection the cybercriminals want to send its way.
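The lure depends on the archive-with-an-executable-inside trick, and that is exactly what a mail gateway can check for before the message reaches anyone curious. The script below is an added example, not ESET's code: it opens a zip attachment in memory and flags members that are executable by extension, that hide an executable behind a document-looking double extension (invoice.pdf.exe), that carry a PE "MZ" header under a harmless name, or that are encrypted and therefore cannot be inspected at all. The sample archive is constructed in memory with a stand-in payload, so nothing here is real malware.

```python
import io
import os
import zipfile

# Constructed policy lists; extend to match what your users actually exchange
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_archive(data):
    """Return [(member name, reason)] for members a mail gateway should block or quarantine."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = os.path.basename(name.replace("\\", "/")).lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((name, "encrypted member, content cannot be inspected"))
                continue
            if ext in EXECUTABLE_EXT:
                reason = "executable member"
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
                    reason += " disguised with a double extension"
                findings.append((name, reason))
                continue
            with zf.open(info) as fh:  # cheap content check: PE files start with "MZ"
                magic = fh.read(2)
            if magic == b"MZ":
                findings.append((name, "PE header under a non-executable name"))
    return findings


def build_sample():
    """Constructed archive in the shape of the lure; the payload is a stand-in, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase Order 48213.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("readme.txt", b"Please find the detailed information on your purchase attached.")
        zf.writestr("invoice.pdf", b"MZ\x00\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample()):
        print(f"BLOCK {member}: {reason}")
```

The encrypted-member case matters because the obvious evasion of an extension filter is to ship the archive with a password printed in the email body; a gateway that cannot look inside should treat that as a reason to quarantine, not as a pass.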

A computer infected by a trojan like this one can be used by cybercriminals as a part of a botnet, without the owner even knowing and used for hacking attacks, distributing illegal content or sending spam.

ESET Ireland advises Irish computer users to avoid opening any unknown attachments to emails, particularly emails like this one, which are designed to play on people’s curiosity.

Although ESET users are protected against this infection, it is always good to make sure your virus definitions are up to date and your operating system updates are installed regularly.

by Urban Schrott, ESET Ireland

Protecting your identity at school

The school season is right around the corner. Young people are targeted for data theft at 35 times the rate of adults; they are considered an easy target for both digital and physical theft. You can make going back to school an easier transition by ensuring your data and devices are secure both at school and at home. Even if you'll be using the computers provided by your school's libraries or labs, there are plenty of steps you can take to make your data safer.

Protecting Your Devices at School

If you're using your own desktop, laptop or smartphone, there are two things to be concerned with: physical theft and information theft. There are a few things you can do to minimize the odds of both, and to mitigate the damage if either does occur.

  • Minimize the target
    Don’t leave your laptop or phone unlocked and unattended, whether you’re at home or in public – these items are easily grabbed when you’re not looking. And when you take your laptop with you in public, it’s best to carry it in a bag that doesn’t advertise what’s inside; laptop sleeves or carriers let people know exactly what you’re carrying.
  • Minimize the damage
    Installing a tracker app will help you track down your device should it be lost or stolen. And if the files on your device are encrypted, even if someone gets access to your computer they won't be able to profit from your information.
  • Beef up your security
    Physical loss and theft are not the only ways to lose information on your phone. Malware and phishing are becoming increasingly common on mobile devices, so be sure to protect yourself. To protect yourself from phishing, make sure you're using different passwords for all your different accounts, and pick a strong password for each. Using a password manager can make this an easier task. Once you've got a good password, protect it: don't share it with others and don't enter your password into sites you've reached via links in email or IM. To protect yourself from malware, install apps only from reputable app stores, and scan downloaded files with an anti-malware product before installing them.
  • Be cautious on public Wi-Fi
    You can never be entirely sure who’s sharing the network with you on public Wi-Fi, so be extra careful when you use public Wi-Fi, like at school or at your local coffee shop. Use VPN software so that your web traffic will all be encrypted – it’ll help keep people from electronically eavesdropping on you.

Securing Your Data When Using Communal Machines

There may be times when you need to use computers provided by the school. You have no idea who was using that computer last, or what they were doing before you got there, so you should assume the worst. It's best to act as if anything you type or see on the screen can be recorded, and behave accordingly:

  • Do not use public machines to log into accounts, especially accounts that store financial information (e.g., bank accounts or credit cards).
  • Avoid online shopping, as someone could get not just your login credentials, but your credit card number.
  • If for some reason you do need to log into an account on a public machine, it is essential to change any passwords you used as soon as you get back to your own machine.
  • Browse in Privacy Mode if you can – if not, be sure to clear your browser history and all cookies.

Younger people may feel that their information is of lesser value than more established adults, because they may have smaller bank accounts or less-juicy data, and may not take security as seriously. Ultimately, it doesn’t matter how young you are – your data and identity are valuable to cybercriminals and correcting the problems caused by loss and theft is a pain, no matter your age. Protecting your data now will help you avoid those headaches.

by Lysa Myers, ESET We Live Security

