Google Can Do The Hacking For You
SafeBreach researchers used Google’s own VirusTotal to find and retrieve more than 1 million credentials stolen by malware.
VirusTotal is a free service offered by Google that checks suspicious files using dozens of antivirus engines.
Tomer Bar is SafeBreach’s director of security research. In a blog post, he explains how the researchers were able to obtain credentials using VirusTotal together with other malware services and hacker forums.
“After obtaining a VirusTotal license, we began by classifying the exfiltrated file names used by common malicious info stealers,” he said. “Next, we used different VirusTotal APIs, including search, VT Graph and Retrohunt, to search for those file names. The results were huge.”
In just a few days, SafeBreach researchers collected more than 1 million credentials, Bar said. They also discovered a market that publishes a small amount of victims’ data for free as a teaser, with an additional site and Telegram channel that offers larger amounts of victims’ exfiltrated data for sale.
Nasser Fattah is Shared Assessments’ North America steering committee chair.
“I know that VirusTotal does screening before granting access to files and data hosted by the service,” he said. “But due to the plethora of available sensitive data, inadvertently or advertently, VirusTotal needs to look at ways to either permanently delete, deidentify or minimally protect credentials and other sensitive information it retains. I know this is a challenge because VirusTotal is designed to be a low-touch service and the need to keep files intact for forensics purposes.”
Identity theft and account takeover could result from the theft of those credentials, Fattah said. Both are on the rise and are designed to defraud businesses and consumers.
“Any site that has a trove of sensitive data and a one-stop shop is an attractive target,” he said.