‘Pony’ Botnet Gallops Off With 2 Million Passwords

In what appears to be a worldwide attack, cybercriminals have successfully stolen 2 million account passwords with a botnet known as “Pony.” How’d they do it? Using a system of compromised computers, hackers were able to capture login credentials for a variety of accounts from social networking sites such as Facebook, Twitter, and LinkedIn, email providers Google and Yahoo, and payroll provider ADP. The name “Pony” may sound cute, but these professional cyber thieves have made it clear that they aren’t horsing around.

The majority of passwords stolen in this well-orchestrated attack were from Facebook with 318,121 (57% of the stolen passwords), followed by Google with 70,532 (13%), Yahoo with 59,549 (11%), and Twitter with 21,708 (4%). LinkedIn passwords accounted for about 1.5% of all stolen credentials, and ADP about 1.4% of the total.

Cybercriminals target social networks not because they want to see your photos and private messages, but because they view them as a means to an end. With your password for Facebook or Twitter in hand, a cybercriminal can distribute messages to your entire network containing compromised links—further disseminating a piece of malware and increasing the strength of a botnet. A botnet is a network of computers that a cybercriminal has infected with malicious software, allowing the hacker to control these machines from a remote location. Computers and mobile devices can be recruited into a botnet through a malicious link, attachment, or tampered download. Botnets can cause machines to slow down, as system resources and bandwidth are devoted to carrying out the cybercriminal’s requested tasks (such as sending out spam) rather than your own. They can also put your security at risk, as your Internet activity may be monitored.

In the case of the “Pony” botnet, it’s likely that the hacker captured the login credentials on these sites through a method known as “keystroke logging.” Keystroke logging software works for the most part just as it sounds—tracking or logging the keys struck on your keyboard.

Regardless of how the personal data was siphoned off, one thing is clear: users need to create stronger passwords. In analyzing the hacked passwords, it was found that the top three passwords were sequential numeric strings “123456,” “123456789,” and “1234.” These are nearly identical to the top three passwords found from the Adobe breach that occurred earlier this quarter.

It was also discovered that of the 2 million passwords stolen by the “Pony” botnet, very few used multiple types of characters to build up password strength. The majority of users had passwords between six and 13 characters long, which isn’t the worst-case scenario; however, most made use of only two types of characters. The use of uppercase letters, lowercase letters, numbers, and special characters is highly recommended to optimize account security.
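To make the kind of analysis described above concrete, here is an added example (not code from the original post or from McAfee) that audits a constructed list of plaintext passwords for the three weaknesses the post calls out: sequential numeric strings, a narrow character-class mix, and length. The password list is made up for illustration; in practice such an audit would run against a breach dump or a policy test set, never against live credentials.

```python
import string
from collections import Counter

# The four character classes the post recommends mixing.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def char_class_count(pw: str) -> int:
    """Number of distinct character classes (out of four) present in pw."""
    chars = set(pw)
    return sum(1 for members in CLASSES.values() if chars & members)


def is_sequential_digits(pw: str) -> bool:
    """True for strings like '1234' or '123456789' where each digit is the previous one plus one."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    return all(int(b) == int(a) + 1 for a, b in zip(pw, pw[1:]))


def audit(passwords):
    """Summarise a password list the way the post summarises the Pony haul."""
    n = len(passwords)
    two_or_fewer = sum(1 for p in passwords if char_class_count(p) <= 2)
    six_to_thirteen = sum(1 for p in passwords if 6 <= len(p) <= 13)
    sequential = sum(1 for p in passwords if is_sequential_digits(p))
    return {
        "total": n,
        "top3": Counter(passwords).most_common(3),
        "pct_two_or_fewer_classes": round(100 * two_or_fewer / n),
        "pct_len_6_to_13": round(100 * six_to_thirteen / n),
        "pct_sequential_digits": round(100 * sequential / n),
    }


# Constructed sample for illustration; not real leaked data.
SAMPLE = ["123456", "123456", "123456789", "1234", "password", "Summer2013",
          "qwerty", "abc123", "C0rrect-Horse!", "letmein", "1234", "123456"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```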

ADP, Facebook, Twitter, LinkedIn and Yahoo have all acted quickly to contact their customers and change the login details for those who were victims in this cybercrime. While it’s great that these companies were quick to respond and their actions will certainly help restore security for people with compromised accounts—it’s highly likely that the “Pony” botnet is still running wild.

One difficulty in eradicating this particular botnet will be tracking down all of the infected computers. Because the cybercriminals who set up the botnet did so using a proxy server (an intermediary system that can mask the true origin of activity), it appears as though the bulk of infected machines are in the Netherlands. In reality, they’re spread throughout the world.

How can you make sure you’re not the next victim of this unapologetic, globe-spanning botnet? Follow the steps below to keep your identity and passwords secure:

  • Create strong passwords and change them regularly. Remember, the longer and more varied your password, the stronger it will be. Don’t be afraid to incorporate numbers, upper and lowercase letters, and special characters into your secret codes. It’s also recommended that you change your passwords 2-3 times a year. If this sounds like a lot to keep track of, consider using a password management tool like the one available with McAfee LiveSafe™ service.
  • Stay away from public computers. Avoid using computers stationed in coffee shops, libraries, or elsewhere, as these machines may have already been compromised with keystroke logging software or other types of malware. If you must use a public computer—try to avoid logging in to any websites or personal accounts.
  • Be extra cautious when opening email attachments. This is a big one! To avoid opening the gates for malware, do not open any strange looking attachments or click on links from suspicious or unknown senders. Even if the attachment or link is received from a friend, make sure that the email or social network post doesn’t look questionable before you click it. It’s always possible that this person may have already had their accounts compromised.
  • Install comprehensive security on all of your devices. With the proper protection in place, you won’t have to worry whether or not your machine has been infected by the latest cybercriminal scheme. Install McAfee LiveSafe on your mobile device, tablet, PC and Mac, and keep your personal data safe from scammers.


Gary Davis
