Credentials Leaks on VirusTotal
A few weeks ago, researchers published some information about stolen credentials that were posted on VirusTotal[1]. I keep an eye on VT for my customers and search for data related to them; for example, I look for their domain name(s) inside files posted on VT. I can confirm what the researchers said: there are a lot of password leaks shared on VTI, but yesterday there was a peak of files uploaded on this platform.
Here is the list of files I found yesterday, and I'm pretty sure that it's only the visible part of the iceberg!
-rw-r--r--@ 1 xavier rem 18925199 Mar 9 11:32 539K.TR.EMail.Pass.crackerteam.com.by-MeMaTi-22.txt
-rw-r--r--@ 1 xavier rem 19723010 Mar 9 11:56 553K_TR_sauwick.txt
-rw-r--r--@ 1 xavier rem 3487094 Mar 9 11:56 118k_combo_United_States.txt
-rw-r--r--@ 1 xavier rem 17173723 Mar 9 11:58 518K.txt
-rw-r--r--@ 1 xavier rem 4989847 Mar 9 11:59 145K-MAIL-ACCESS-VALID-HQ-COMBOLIST-MIX.txt
-rw-r--r--@ 1 xavier rem 19757718 Mar 9 12:00 632k.txt
-rw-r--r--@ 1 xavier rem 6557939 Mar 9 12:01 200K-NL.txt
It was time to gather some statistics. The total number of credentials collected yesterday was 2,713,282. Among them, 2,163,756 were unique. Here is the top-30 of domain names extracted from the email addresses:
732702 hotmail.com
281541 aol.com
210844 gmail.com
206774 yahoo.com
67424 live.nl
63512 wanadoo.nl
59580 web.de
58987 hotmail.de
49680 comcast.net
48233 mail.com
45333 gmx.de
37792 mail.ru
26356 wanadoo.fr
26196 yandex.ru
25930 rambler.ru
19759 msn.com
19449 mynet.com
17839 orange.fr
17107 yahoo.ca
14748 aim.com
14596 hotmail.fr
14051 t-online.de
13265 live.de
12756 ymail.com
12748 live.com
10990 windowslive.com
10539 bellsouth.net
10167 arcor.de
9745 hotmail.nl
At the other end of the spectrum, let's search for interesting domain names, like the ones that contain the string ".gov":
86 tmo.gov.tr
85 sgk.gov.tr
60 icisleri.gov.tr
23 iskur.gov.tr
17 gsgm.gov.tr
16 saglik.gov.tr
16 estb.moe.gov.sa
12 rb.moe.gov.sa
12 gumruk.gov.tr
11 milliemlak.gov.tr
9 mkhb.moe.gov.sa
8 mkhg.moe.gov.sa
7 eskisehir-bld.gov.tr
6 schools.bedfordshire.gov.uk
6 sanayi.gov.tr
6 rg.moe.gov.sa
6 mb.moe.gov.sa
6 istanbul.gov.tr
5 egm.gov.tr
5 antalyadefterdarligi.gov.tr
4 tbmm.gov.tr
4 r1.deped.gov.ph
4 ncr2.deped.gov.ph
4 isparta.gov.tr
4 gumushane.gov.tr
4 denizli.gov.tr
4 casur.gov.co
4 balikesirozelidare.gov.tr
4 antalyasm.gov.tr
3 zonguldakdef.gov.tr
3 vks.gov.vn
3 ubak.gov.tr
3 tuik.gov.tr
3 r4a-1.deped.gov.ph
3 jzb.moe.gov.sa
3 ibb.gov.tr
3 estg.moe.gov.sa
3 eskisehirozelidare.gov.tr
3 dtm.gov.tr
3 adalet.gov.tr
3 abgs.gov.tr
2 trabzonnumune.gov.tr
2 tpao.gov.tr
2 thainguyen.gov.vn
2 tedas.gov.tr
2 tcmb.gov.tr
2 tarimnet.gov.tr
2 state.gov
2 sgk.gov
2 sayistay.gov.tr
2 saomanuel.sp.gov.br
2 r7-2.deped.gov.ph
2 petrol.tpao.gov.tr
2 osmaniyeailedanisma.gov.tr
2 nnptnt.daklak.gov.vn
2 nevsehirdefterdarligi.gov.tr
2 nevsehir.gov.tr
2 ncr1.deped.gov.ph
2 mg.moe.gov.sa
2 meteor.gov.tr
2 meteo.gov.mk
2 meb.gov.tr
2 malatya.gov.tr
2 koski.gov.tr
2 kosgeb.gov.tr
2 kirikkaleilozelidare.gov
2 kep.gov.gr
2 kayseridis.gov.tr
2 kayseri-meb.gov.tr
2 karamansm.gov.tr
2 jpd.gov.lv
2 istanbul.mfa.gov.il
2 iski.gov.tr
2 health.wa.gov.
2 hazine.gov.tr
2 halton.gov.uk
2 gsim.gov.tr
2 giresunsaglik.gov.tr
2 giresun.gov.tr
2 fsco.gov.on.ca
2 fbi.gov
2 euas.gov.tr
2 etimaden.gov.tr
2 erzurumozelidare.gov.tr
2 ego.gov.tr
2 edu.madeira.gov.pt
2 doj.ca.gov
2 dmo.gov.tr
2 diyanet.gov.tr
2 denizlidh.gov.tr
2 cdcr.ca.gov
2 byegm.gov.tr
2 bybs.gov.tr
2 bilecikdh.gov.tr
2 banbridge.gov.uk
2 asrb.moe.gov.sa
2 artvinozelidare.gov.tr
2 artvinkhb.gov.tr
2 ardahandh.gov.tr
2 antalya.gov.tr.tr.tr
2 ankaracocuk.gov.tr
2 ankara-bel.gov.tr
2 angkasa.gov.my
2 afyonkarahisar.gov.tr
2 act.gov.au
1 wcb.gov.ns.ca
1 vargemgrandepta.sp.gov.br
1 usarec.gov
1 tunja.gov.co
1 tubitak.gov.tr
1 te.vte.gov.lb
1 southtyneside.gov.uk
1 southsomerset.gov.uk
1 seduc.go.gov.br
1 sec.gov
1 saocarlos.sp.gov.br
1 sanliurfaozelidare.gov.tr
1 sanjuan.gov.ar
1 redencao.pa.gov.br
1 r9.deped.gov.ph
1 r11.deped.gov.ph
1 qsmg.moe.gov.sa
1 ptc.gov.ye
1 psa.gov.ph
1 policiacientifica.sp.gov.br
1 plymouth.gov.uk
1 ouropreto.mg.gov.br
1 mto.gov.on.ca
1 mkek.gov.tr
1 mirempet.gov.ao
1 mgs.gov.on.ca
1 mgm.gov.tr
1 memphistn.gov
1 mbs.gov.on.ca
1 masfamu.gov.ao
1 mail.gov.nl.ca
1 leicester.gov.uk
1 la.gov
1 kirklees.gov.uk
1 kent.gov.uk
1 jzg.moe.gov.sa
1 jus.gov.on.ca
1 jatai.go.gov.br
1 jaguaribe.ce.gov.br
1 inder.gov.co
1 highways.gov.sk.ca
1 gems9.gov.bc.ca
1 gems2.gov.bc.ca
1 finance.gov.sr
1 finance.gov.sk.ca
1 faan.gov.ng
1 etec.sp.gov.br
1 ene.gov.on.ca
1 educacao.sp.gov.br
1 educacao.mt.gov.br
1 educ.somerset.gov.uk
1 edu.lagosstate.gov.ng
1 ebserh.gov.br
1 dolma.gov.np
1 dl.gov.cn
1 dh.gsi.gov.uk
1 dgs.ca.gov
1 dfg.ca.gov
1 defra.gsi.gov.uk
1 curionopolis.pa.gov.br
1 css.gov.on.ca
1 crt01.gov.br
1 cefospe.pe.gov.br
1 cdph.ca.gov
1 cbm.ba.gov.br
1 calepa.ca.gov
1 bury.gov.uk
1 botas.gov.tr
1 aphis.usda.gov
1 angiang.gov.vn
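The counting shown above (total and unique credentials, domains extracted from the email part, a substring filter such as ".gov") is easy to reproduce on a combolist of your own, which is also how you check whether your organisation's domains appear in such a dump. The following Python script is an added example; it is not part of this diary nor of any tool mentioned in it. The combolist lines and the watchlist domain it uses are constructed for the example, and the parser assumes the usual "email:password" layout where only the first colon separates the two fields.

```python
import re
from collections import Counter

# Constructed sample combolist lines (email:password). Not data from the diary.
SAMPLE_COMBOLIST = """\
alice@hotmail.com:galatasaray
bob@gmail.com:123456
alice@hotmail.com:galatasaray
carol@example.gov.tr:istanbul
dave@sub.example.gov.tr:P@ssw0rd
erin@corp.example:Summer2016!
not a credential line
frank@yahoo.com:qwerty:with:colons
"""

# Local part "@" domain, with no whitespace or colon in either side.
EMAIL_RE = re.compile(r"^[^\s:@]+@([^\s:@]+)$")


def parse_combolist(lines):
    """Yield (email, domain, password) for every line shaped like email:password.

    Only the first colon is a separator: passwords may themselves contain colons.
    Lines without a colon or without a plausible email address are skipped.
    """
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.lower()
        match = EMAIL_RE.match(email)
        if not match:
            continue
        yield email, match.group(1), password


def credential_stats(lines):
    """Return (total, unique, domain_counter) like the numbers given in the diary."""
    creds = list(parse_combolist(lines))
    total = len(creds)
    unique = len(set(creds))  # identical email:password pairs count once
    domains = Counter(domain for _, domain, _ in creds)
    return total, unique, domains


def domains_matching(domains, needle):
    """Filter a domain Counter by substring (e.g. '.gov'), most frequent first."""
    return [(d, n) for d, n in domains.most_common() if needle in d]


def watchlist_hits(lines, watched):
    """Return the email addresses whose domain is, or is a subdomain of, a watched domain.

    Only the addresses are returned, never the passwords: this is what you would
    hand to the affected users or to the identity team to force a reset.
    """
    hits = set()
    for email, domain, _ in parse_combolist(lines):
        if any(domain == w or domain.endswith("." + w) for w in watched):
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_COMBOLIST.splitlines()
    total, unique, domains = credential_stats(lines)
    print(f"total={total} unique={unique}")
    for domain, count in domains.most_common(5):
        print(f"{count:>8} {domain}")
    print("gov:", domains_matching(domains, ".gov"))
    # "example.gov.tr" is a constructed watchlist entry for this example.
    print("watchlist:", watchlist_hits(lines, ["example.gov.tr"]))
```

On a real dump, replace SAMPLE_COMBOLIST.splitlines() with the file's lines and keep the watchlist to the domains you are authorised to monitor; the script deliberately never prints or stores the password column for matches.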
Then, I used the good old tool "pipal", created by DigiNinja, to generate some statistics about the passwords' strength. Pipal[2] is an old tool, but it still does a great job. Here are the basic results:
Total entries = 2711303
Total unique entries = 1547231

Top 10 passwords
galatasaray = 33943 (1.25%)
istanbul = 27191 (1.0%)
fenerbahce = 26108 (0.96%)
123456 = 19312 (0.71%)
123456789 = 13660 (0.5%)
besiktas = 13614 (0.5%)
ankara = 13551 (0.5%)
yasemin = 7328 (0.27%)
antalya = 6030 (0.22%)
trabzon = 5705 (0.21%)

Top 10 base words
istanbul = 52725 (1.94%)
galatasaray = 47861 (1.77%)
fenerbahce = 37905 (1.4%)
ankara = 32097 (1.18%)
besiktas = 23710 (0.87%)
trabzon = 14174 (0.52%)
antalya = 13206 (0.49%)
yasemin = 12977 (0.48%)
malatya = 12135 (0.45%)
sakarya = 10643 (0.39%)

Password length (length ordered)
1 = 452 (0.02%)
2 = 318 (0.01%)
3 = 2890 (0.11%)
4 = 9331 (0.34%)
5 = 23670 (0.87%)
6 = 312288 (11.52%)
7 = 401317 (14.8%)
8 = 849978 (31.35%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
14 = 31227 (1.15%)
15 = 31763 (1.17%)
16 = 12971 (0.48%)
17 = 5404 (0.2%)
18 = 5632 (0.21%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
21 = 1007 (0.04%)
22 = 1255 (0.05%)
23 = 852 (0.03%)
24 = 959 (0.04%)
25 = 489 (0.02%)
26 = 310 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
29 = 177 (0.01%)
30 = 183 (0.01%)
31 = 70 (0.0%)
32 = 1909 (0.07%)
33 = 96 (0.0%)
34 = 42 (0.0%)
35 = 24 (0.0%)
36 = 32 (0.0%)
37 = 18 (0.0%)
38 = 66 (0.0%)
39 = 22 (0.0%)
40 = 264 (0.01%)
41 = 5 (0.0%)
42 = 3 (0.0%)
43 = 4 (0.0%)
44 = 6 (0.0%)
45 = 4 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
48 = 2 (0.0%)
50 = 15 (0.0%)
51 = 1 (0.0%)
52 = 3 (0.0%)
53 = 5 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
65 = 4 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
81 = 3 (0.0%)
83 = 1 (0.0%)
85 = 3 (0.0%)
86 = 6 (0.0%)
87 = 1 (0.0%)
89 = 2 (0.0%)
90 = 4 (0.0%)

Password length (count ordered)
8 = 849978 (31.35%)
7 = 401317 (14.8%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
6 = 312288 (11.52%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
15 = 31763 (1.17%)
14 = 31227 (1.15%)
5 = 23670 (0.87%)
16 = 12971 (0.48%)
4 = 9331 (0.34%)
18 = 5632 (0.21%)
17 = 5404 (0.2%)
3 = 2890 (0.11%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
32 = 1909 (0.07%)
22 = 1255 (0.05%)
21 = 1007 (0.04%)
24 = 959 (0.04%)
23 = 852 (0.03%)
25 = 489 (0.02%)
1 = 452 (0.02%)
2 = 318 (0.01%)
26 = 310 (0.01%)
40 = 264 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
30 = 183 (0.01%)
29 = 177 (0.01%)
33 = 96 (0.0%)
31 = 70 (0.0%)
38 = 66 (0.0%)
34 = 42 (0.0%)
36 = 32 (0.0%)
35 = 24 (0.0%)
39 = 22 (0.0%)
37 = 18 (0.0%)
50 = 15 (0.0%)
44 = 6 (0.0%)
86 = 6 (0.0%)
41 = 5 (0.0%)
53 = 5 (0.0%)
43 = 4 (0.0%)
45 = 4 (0.0%)
65 = 4 (0.0%)
90 = 4 (0.0%)
42 = 3 (0.0%)
52 = 3 (0.0%)
81 = 3 (0.0%)
85 = 3 (0.0%)
48 = 2 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
89 = 2 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
51 = 1 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
83 = 1 (0.0%)
87 = 1 (0.0%)

(pipal's ASCII histogram of the password length distribution is not reproduced here)

One to six characters = 348949 (12.87%)
One to eight characters = 1600244 (59.02%)
More than eight characters = 1111059 (40.98%)

Only lowercase alpha = 964588 (35.58%)
Only uppercase alpha = 15068 (0.56%)
Only alpha = 979656 (36.13%)
Only numeric = 367723 (13.56%)

First capital last symbol = 33154 (1.22%)
First capital last number = 149291 (5.51%)

Single digit on the end = 199328 (7.35%)
Two digits on the end = 363743 (13.42%)
Three digits on the end = 158454 (5.84%)

Last number
0 = 137616 (5.08%)
1 = 247000 (9.11%)
2 = 133639 (4.93%)
3 = 176774 (6.52%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
6 = 129914 (4.79%)
7 = 111782 (4.12%)
8 = 105108 (3.88%)
9 = 108479 (4.0%)

(pipal's ASCII histogram of the last-digit distribution is not reproduced here)

Last digit
1 = 247000 (9.11%)
3 = 176774 (6.52%)
0 = 137616 (5.08%)
2 = 133639 (4.93%)
6 = 129914 (4.79%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
7 = 111782 (4.12%)
9 = 108479 (4.0%)
8 = 105108 (3.88%)

Last 2 digits (Top 10)
23 = 79010 (2.91%)
12 = 40311 (1.49%)
56 = 34572 (1.28%)
11 = 31147 (1.15%)
00 = 30333 (1.12%)
89 = 29147 (1.08%)
01 = 27355 (1.01%)
34 = 26567 (0.98%)
07 = 24614 (0.91%)
10 = 23597 (0.87%)

Last 3 digits (Top 10)
123 = 65452 (2.41%)
456 = 27030 (1.0%)
789 = 18101 (0.67%)
234 = 11293 (0.42%)
000 = 10709 (0.39%)
345 = 8833 (0.33%)
321 = 8071 (0.3%)
007 = 6489 (0.24%)
111 = 6127 (0.23%)
907 = 5942 (0.22%)

Last 4 digits (Top 10)
3456 = 24279 (0.9%)
6789 = 15731 (0.58%)
1234 = 10306 (0.38%)
2345 = 8016 (0.3%)
1907 = 5648 (0.21%)
1905 = 5373 (0.2%)
1903 = 4359 (0.16%)
4321 = 3835 (0.14%)
1987 = 3833 (0.14%)
2000 = 3696 (0.14%)

Last 5 digits (Top 10)
23456 = 24016 (0.89%)
56789 = 15559 (0.57%)
12345 = 7812 (0.29%)
45678 = 3400 (0.13%)
54321 = 3215 (0.12%)
23123 = 2993 (0.11%)
34567 = 2841 (0.1%)
11111 = 2441 (0.09%)
00000 = 2178 (0.08%)
67890 = 2073 (0.08%)

Character sets
loweralphanum: 1017832 (37.54%)
loweralpha: 964588 (35.58%)
numeric: 367723 (13.56%)
mixedalphanum: 177478 (6.55%)
mixedalpha: 38905 (1.43%)
mixedalphaspecialnum: 32426 (1.2%)
loweralphaspecialnum: 29438 (1.09%)
upperalphanum: 28480 (1.05%)
loweralphaspecial: 18937 (0.7%)
upperalpha: 15068 (0.56%)
mixedalphaspecial: 8315 (0.31%)
specialnum: 5449 (0.2%)
upperalphaspecialnum: 1824 (0.07%)
upperalphaspecial: 596 (0.02%)
special: 99 (0.0%)

Character set ordering
allstring: 1018561 (37.57%)
stringdigit: 907054 (33.45%)
alldigit: 367723 (13.56%)
othermask: 160397 (5.92%)
digitstring: 101157 (3.73%)
stringdigitstring: 80481 (2.97%)
digitstringdigit: 36441 (1.34%)
stringspecialdigit: 14594 (0.54%)
stringspecial: 12641 (0.47%)
stringspecialstring: 10952 (0.4%)
specialstring: 671 (0.02%)
specialstringspecial: 532 (0.02%)
allspecial: 99 (0.0%)
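The pipal sections above (length distribution, "character sets", "character set ordering", trailing digits) are simple to compute yourself, which is useful when you want the same view of a password list without installing the tool, or when you want to feed the same classes into a password policy review. The Python below is an added example written for this diary; it is not pipal's code (pipal is a Ruby tool) and it reimplements only a subset of its reports. The label names mirror pipal's output, and the password list is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample passwords for the example. Not taken from the diary's data.
SAMPLE_PASSWORDS = [
    "galatasaray", "istanbul", "123456", "Password1", "P@ssw0rd!", "ABCDEF",
    "summer2016", "1907gs", "Qwerty!", "123456789", "ankara", "Fener1907",
]

# pipal-style "Character set ordering" names, keyed by the run pattern of
# s (letters), d (digits) and x (anything else). Any other pattern is "othermask".
ORDERING_NAMES = {
    "s": "allstring", "d": "alldigit", "x": "allspecial",
    "sd": "stringdigit", "ds": "digitstring",
    "sds": "stringdigitstring", "dsd": "digitstringdigit",
    "sx": "stringspecial", "sxd": "stringspecialdigit", "sxs": "stringspecialstring",
    "xs": "specialstring", "xsx": "specialstringspecial",
}


def length_distribution(passwords):
    """Count of passwords per length, like pipal's 'Password length' table."""
    return Counter(len(p) for p in passwords)


def char_set(password):
    """Classify a password into a pipal-style character set label."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if has_lower and has_upper:
        alpha = "mixedalpha"
    elif has_lower:
        alpha = "loweralpha"
    elif has_upper:
        alpha = "upperalpha"
    else:
        alpha = ""
    if not alpha and has_digit and not has_special:
        return "numeric"          # digits only
    label = alpha + ("special" if has_special else "") + ("num" if has_digit else "")
    return label or "empty"


def ordering_mask(password):
    """Collapse each character to s/d/x, squash repeated runs, and name the pattern."""
    classes = "".join(
        "s" if c.isalpha() else "d" if c.isdigit() else "x" for c in password
    )
    runs = re.sub(r"(.)\1+", r"\1", classes)   # "ssdddss" -> "sds"
    return ORDERING_NAMES.get(runs, "othermask")


def trailing_digits(password, n):
    """The last n characters if they are all digits (pipal's 'Last n digits'), else None."""
    tail = password[-n:]
    return tail if len(tail) == n and tail.isdigit() else None


def summary(passwords, top=3):
    """A dict of the pipal-like reports for a password list."""
    return {
        "total": len(passwords),
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(top),
        "lengths": length_distribution(passwords),
        "at_most_eight": sum(1 for p in passwords if len(p) <= 8),
        "charsets": Counter(char_set(p) for p in passwords),
        "orderings": Counter(ordering_mask(p) for p in passwords),
        "last_digit": Counter(t for t in (trailing_digits(p, 1) for p in passwords) if t),
        "last_3_digits": Counter(t for t in (trailing_digits(p, 3) for p in passwords) if t),
    }


if __name__ == "__main__":
    report = summary(SAMPLE_PASSWORDS)
    for section, value in report.items():
        print(f"{section}: {value}")
```

The "orderings" and "charsets" counters are the ones worth watching over time: a list dominated by stringdigit / loweralphanum, as in the diary's output, tells you that "word plus a couple of digits" is the norm, which is exactly the pattern a minimum-length rule alone does not prevent.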
These statistics must be read carefully because there is no way to verify their accuracy. Very often, such files are based on very old leaks, and most of the passwords (or even the accounts) are probably not valid anymore.
[1] https://www.darkreading.com/threat-intelligence/researchers-explore-hacking-virustotal-to-find-stolen-credentials
[2] https://github.com/digininja/pipal
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant