Massive Malware Campaign Steals Everybody's Passwords

Who, or what, is NightHunter? And what do they — or it — want? Security researchers discovered last week that for the past five years, a mysterious group has been stealing user credentials from Facebook, Dropbox, Skype, Amazon, LinkedIn, Google, Yahoo, Hotmail, the Indian Web portal Rediff and several banks. Dubbed NightHunter, the campaign appears to have amassed an enormous database of stolen information.

The goals of the attacks remain unclear. NightHunter appears untargeted, simply interested in collecting as many user credentials as possible, according to Santa Clara, California-based security company Cyphort, which discovered and named NightHunter.


The NightHunter campaign involves several different types of keyloggers, including Predator Pain, Limitless and Spyrex. What sets NightHunter apart — and has made it so difficult to trace — is the fact that the keylogging malware relays its captured data back to the criminals in an unusual way: by emailing it.

Most malware communicates with its operators over protocols such as HTTP or Internet Relay Chat (IRC). The NightHunter malware instead uses the email protocol SMTP, which dates to 1982. SMTP "is outdated and often overlooked, so it can be a more stealthy way of data theft," wrote Cyphort's McEnroe Navaraj in a company blog post disclosing the findings.
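Exfiltrating over SMTP hides the stolen data inside ordinary-looking mail traffic, but the infected workstation still has to open a TCP connection to a mail port itself. The following is an added example (not code from the article or from Cyphort's write-up) of the policy check a defender can run over firewall or flow logs: any internal host that is not a sanctioned mail relay and sends SMTP (25, 465 or 587) to an external address gets flagged. The log format, the relay addresses and the flow records are all constructed for the example.

```python
"""Flag outbound SMTP from hosts that are not sanctioned mail relays.

Added example, not the original page's code. The idea: a keylogger that
mails its loot still needs a TCP connection to 25/465/587 from the victim
workstation, so a simple allowlist check over flow logs catches it even
though the payload is "just email".
"""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Hypothetical allowlist: the only internal hosts that may talk SMTP outbound
# (the corporate relay and a backup MTA). Constructed for the example.
AUTHORIZED_RELAYS = {"10.0.0.25", "10.0.0.26"}

# Address space treated as internal; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed flow records, one per line:
# "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2014-07-10T09:12:01 10.0.0.25 51322 198.51.100.10 25 tcp
2014-07-10T09:12:05 10.0.1.44 49812 203.0.113.7 443 tcp
2014-07-10T09:13:10 10.0.1.44 49833 203.0.113.50 587 tcp
2014-07-10T09:13:12 10.0.1.44 49834 203.0.113.50 587 tcp
2014-07-10T09:15:00 10.0.1.44 49901 203.0.113.50 587 tcp
2014-07-10T09:16:41 10.0.2.9 50210 10.0.0.25 25 tcp
2014-07-10T09:17:03 10.0.3.17 50333 192.0.2.88 465 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def is_external(ip):
    """True when the address lies outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rogue_smtp(flows, authorized=AUTHORIZED_RELAYS):
    """Return {src_ip: [(ts, dst_ip, dst_port), ...]} for every internal host
    that sends SMTP to an external destination without being an authorized
    relay. Submissions to the internal relay are expected and ignored."""
    hits = defaultdict(list)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in SMTP_PORTS:
            continue
        if f["src"] in authorized:
            continue
        if not is_external(f["dst"]):
            continue  # workstation -> corporate relay is normal mail flow
        hits[f["src"]].append((f["ts"], f["dst"], f["dport"]))
    return dict(hits)


if __name__ == "__main__":
    for host, conns in find_rogue_smtp(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {len(conns)} outbound SMTP connection(s)")
        for ts, dst, port in conns:
            print(f"  {ts} -> {dst}:{port}")
```

On the sample data the check singles out 10.0.1.44 (three submissions to the same external host on 587, a pattern worth a closer look) and 10.0.3.17 (one connection on 465), while the relay's own delivery on port 25 and a workstation's submission to the internal relay pass. In a real environment the allowlist and internal ranges come from the network inventory; the port list should also cover any non-standard submission ports in use.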

NightHunter's preferred method of infecting target computers appears to be phishing emails, Navaraj says. These emails are sent to personnel in the finance, sales or HR departments of all sorts of large companies and organizations, and carry .doc, .zip or .rar attachments, sometimes with fake IDM (Internet Download Manager) or 7zip installers bundled in. Some of the phishing emails are crafted to appear to come from goods-resale agents.

In addition to logging user keystrokes, the NightHunter malware also gathers and relays information about the Web browsers, instant-messaging and email clients, password managers, Bitcoin wallets or video games present on an infected computer.

Since 2009, NightHunter has amassed such an enormous database of stolen credentials from the online services mentioned above that, according to Cyphort, whoever is behind the campaign is in a position to do some serious damage.

"The potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks is high," Navaraj wrote in the blog post. "The actors behind NightHunter can use the trove of stolen credentials to leverage big-data analytics and enable new cyberthreats, for purposes of extortion, credit card or bank fraud, stealing state secrets or corporate espionage."

Written by @JillScharr for Tom's Guide (@TomsGuide).

  • cats_Paw
    Very curious on the video games aspect...
    All the other ones make sense but games?
  • LRund
    Very curious on the video games aspect... All the other ones make sense but games?

    A couple of things to note about the games aspect.

    First, the illicit market for in-game assets ("gold selling") is over a billion dollars a year in transactions. Most of this comes from compromised accounts, and a billion dollars is enough to catch the interest of the cybercrime "big boys"; the more so because law enforcement isn't going to do anything about it.

    Secondly, video game hacks are every bit as effective an entry point into your computer as a poisoned PDF or Java exploit; even better, actually, since the bad guy knows for sure that the software to be exploited is installed on your computer. Once you're compromised, the keyloggers will happily record your online banking and finance transactions, the botnet clients will have you sending out goat porn, and your computer will be participating in DDoS attacks. It doesn't matter how you became compromised; the result is the same. You no longer own your computer, and the bad guys can then use it for anything they want.

    And let's not even talk about the common practice of using the same email address/password combination in video game logins as elsewhere...