10 million hacked accounts from breached data dumps for the most popular passwords

Welcome to the "Age of Cyber Attacks"

Right now every organization across the globe is vulnerable to data breaches. Consider the fact that in 2016 alone, there were 64,199 security incidents spread across 82 countries.

​
Staggering numbers from security experts suggest that over 95 percent of all corporations have experienced a data breach of some kind – many of which can go undetected for months or years. What’s interesting is that there is a striking similarity throughout the majority of confirmed breaches: 63 percent of confirmed attacks in 2016 involved weak or stolen passwords.

One of the biggest problem for the IT industry is user's bad habits. Weak passwords and their reuse on multiple websites every day potentially expose a billion users to cyberattacks.

It is not at all surprising that analysed 10 million hacked accounts from breached data dumps for the most popular passwords.

Despite the numerous awareness campaigns on a proper security posture, most used passwords continue to be "123456" and "123456789". Without any astonishment, "123456" accounts for 17 % of the overall amount of hacked accounts the firm used as data sample.

Disappointment over here is that the list of most popular passwords hasn’t changed over the years.

“Today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.”

2016 was another massive year for data breaches. The Keeper research team analysed over 10M passwords available on the public web, here's what they found:

• Nearly 17% of users are safeguarding their accounts with "123456"
• After years of data breaches due to weak passwords, website operators are still not enforcing password best practices.
• Website operators must take more responsibility for password security.

How common are these passwords?

• Top 25 passwords of 2016 constitute over 50% of the 10 million passwords that were analysed.

If my password is on the list, am I at risk?

• Yes. Any of these passwords can be compromised in seconds by dictionary-based cracking tools.

How to protect your passwords from getting hacked?

• Use a variety of characters: Use a variety of numerical, uppercase, lowercase and special characters to have greater protection against a brute force attack.

• Avoid dictionary terms: Dictionary cracks guess passwords using lists of common passwords (see left) and then move to the whole dictionary. This is typically much faster than a brute force attack because there are far fewer options.

Interesting: How can a Weather App found on Google Play remotely trick & break your screen lock pattern

New banking malware has been identified which is camouflaged as a weather forecast app on Google Play.

Malicious Weather App has been discovered by ESET Malware Research Team in google play store which can spy your Android phone and easily lock / unlock your Phone by break the existing pattern/Password.

This application was primarily detected by ESET as Trojan.Android/Spy.Banker.HU. The malware was a trojanized version of the otherwise benign weather forecast application Good Weather.

The malicious app managed to get around Google’s security mechanisms and was published in the store on February 4th 2017.

The trojan has been targeting 22 Turkish banking apps and has so far been downloaded by about 5,000 victims, whose credentials were harvested using vulnerable login forms.

Once downloaded the malware app besides weather forecast functionalities, has the ability to lock, unlock and intercept texts from the device. The malware not only accesses the victim’s banking credentials with its command-and-control server but is also able to avoid the bank’s two-factor authentication system because of its controls over all text functionality.

​Figure 1: Malicious Good Weather app on Google Play

​Figure 2: Malicious app description as found on Google Play

How does this app operate?

After the app is installed by an unsuspecting user, its weather-themed icon disappears. The infected device then displays a fake system screen requesting device administrator rights on behalf of fictitious “System update”. By enabling these rights, the victim allows the malware to Change the screen-unlock password and Lock the screen.

Figure 3: Green – legitimate Good Weather icon, Red – malicious version

Figure 4: Fake “System update” demanding device administrator rights

Together with the permission to intercept text messages obtained during the installation, the trojan is now all set to start its malicious activity. Users who are not alarmed at this point might be pleased with the new weather widget they can add to their home screens. However, in the background, the malware is getting to work sharing device information with its C&C server.

ESET Researcher’s said, "The trojan displays a fake login screen once the user runs one of the targeted banking apps and sends entered data to the attacker. Thanks to the permission to intercept the victims’ text messages, the malware is also able to bypass SMS-based two-factor authentication.

As for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device."

Targeted Applications discovered by ESET

com.garanti.cepsubesi

com.garanti.cepbank

com.pozitron.iscep

com.softtech.isbankasi

com.teb

com.akbank.android.apps.akbank_direkt

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet

com.ykb.androidtablet

com.ykb.android.mobilonay

com.finansbank.mobile.cepsube

finansbank.enpara

com.tmobtech.halkbank

biz.mobinex.android.apps.cep_sifrematik

com.vakifbank.mobile

com.ingbanktr.ingmobil

com.tmob.denizbank

tr.com.sekerbilisim.mbank

com.ziraat.ziraatmobil

com.intertech.mobilemoneytransfer.activity

com.kuveytturk.mobil

com.magiclick.odeabank