
VirusTotal Hacking: Finding stolen credentials hosted on VirusTotal
2022-01-18 17:32

VirusTotal, the popular online service for analyzing suspicious files, URLs and IP addresses, can be abused to harvest credentials stolen by malware, researchers at SafeBreach have found.

With a €600 VirusTotal license, they have managed to collect more than 1,000,000 credentials just by executing simple searches with a few tools.

The files containing these credentials end up hosted on VirusTotal either because hackers use the service to promote the sale of victims' data or because attackers upload them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.

The researchers also linked some of these files to specific sellers of stolen credentials on various hacking forums and Telegram groups, and showed that in some cases criminals can easily discover the credentials for a malware C2 FTP server and use them to "collect" the stolen credentials stored there.

"A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums."

The researchers urged Google (the owner of VirusTotal via its subsidiary Chronicle) to periodically search for and remove files containing sensitive user data, to ban the API keys that upload such files, and to add an upload-time check that rejects files containing sensitive cleartext data, as well as encrypted files that arrive with their decryption password attached.
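The upload-time check the researchers ask for also works in the other direction: a defender can run the same scan over a suspicious file before submitting it to a public sandbox, so that a stealer log or a malware config carrying an FTP drop-site password never leaves the organization. The following is an added example in Python and is not VirusTotal's, SafeBreach's or Help Net Security's code. The credential patterns are a hypothetical, deliberately small selection, the stealer log and config line are constructed samples, and 203.0.113.10 is a documentation address.

```python
"""Pre-submission scan for cleartext credentials.

Added example, not VirusTotal's or SafeBreach's code. The credential
shapes below are a hypothetical, deliberately small selection; a real
deployment would carry far more (cookies, wallet seeds, token formats).
"""
import re
from dataclasses import dataclass
from typing import List

# Key names whose value is treated as a secret (hypothetical list).
SECRET_KEY = r"[\w.-]*?(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"

PATTERNS = {
    # scheme://user:password@host, e.g. the FTP drop site in a malware config
    "url_with_userinfo": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s/@:]+:[^\s/@]+@[^\s/]+", re.I),
    # password=... / token: ... at the start of a line
    "secret_assignment": re.compile(rf"(?im)^\s*{SECRET_KEY}\s*[:=]\s*\S+"),
    # URL / USER / PASS triplet, the layout many stealer logs use
    "stealer_log_block": re.compile(
        r"(?im)^\s*url:\s*\S+[ \t]*\n\s*(?:user(?:name)?|login):\s*\S+[ \t]*\n"
        r"\s*pass(?:word)?:\s*\S+"),
}


@dataclass
class Finding:
    kind: str
    line_no: int
    excerpt: str      # secret already masked, safe to log


@dataclass
class ScanResult:
    findings: List[Finding]

    def should_block(self) -> bool:
        """Policy: any finding blocks the upload."""
        return bool(self.findings)


def redact(match_text: str) -> str:
    """Mask the secret part so a finding can be logged without re-leaking it."""
    s = re.sub(r"(://[^\s/@:]+:)[^\s/@]+(@)", r"\1***\2", match_text)
    s = re.sub(rf"(?im)^(\s*{SECRET_KEY}\s*[:=]\s*)\S+", r"\1***", s)
    return s


def scan_text(text: str) -> ScanResult:
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, line_no, redact(m.group(0))))
    findings.sort(key=lambda f: f.line_no)
    return ScanResult(findings)


def scan_bytes(data: bytes) -> ScanResult:
    """Scan a file body. Limitation: only UTF-8 text is inspected, so
    archives and encrypted containers pass through unexamined; a password
    sitting next to an encrypted file (the case the researchers flag)
    needs the archive to be opened and its members scanned first."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ScanResult([])
    return scan_text(text)


# Constructed samples (not real logs). 203.0.113.10 is a documentation address.
SAMPLE_STEALER_LOG = (
    "Browser: Chrome\n"
    "URL: https://mail.example.com/login\n"
    "USER: alice@example.com\n"
    "PASS: hunter2\n"
    "===\n"
)
SAMPLE_CONFIG = "ftp_upload=ftp://loader:s3cr3t@203.0.113.10/uploads\n"
SAMPLE_CLEAN = "#include <stdio.h>\nint main(void) { return 0; }\n"

if __name__ == "__main__":
    for name, body in [("stealer log", SAMPLE_STEALER_LOG),
                       ("config", SAMPLE_CONFIG), ("clean", SAMPLE_CLEAN)]:
        result = scan_text(body)
        verdict = "BLOCK" if result.should_block() else "allow"
        print(f"{name}: {verdict}")
        for f in result.findings:
            print(f"  line {f.line_no} {f.kind}: {f.excerpt!r}")
```

The excerpts are masked before they are stored, so the scanner's own log cannot become a second copy of the leak. The binary-skip in scan_bytes is the main gap to be aware of: a ZIP of stealer output, or an encrypted archive uploaded together with its password, passes straight through unless the caller unpacks it first.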


News URL

https://www.helpnetsecurity.com/2022/01/18/virustotal-stolen-credentials/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Virustotal 2 0 6 14 1 21