Sophisticated 'password attacks' continue, Citrix latest victim

Massive password repositories are enabling large-scale attacks
Massive password repositories are enabling large-scale attacks

Hackers used login information to launch a “sophisticated password attack” against Citrix's GoToMyPC user accounts, according to a company blog post

The remote access software company reset passwords of its users, in the latest example of a web company reacting to unauthorised attackers accessing its user accounts.

The attack method appears to be a similar approach to the recent large-scale effort used to access GitHub accounts last week. Attackers used credentials attained through stolen password repositories to gain access to user accounts of the web-based code hosting platform. The GitHub attackers used “lists of email addresses and passwords from other online services that have been compromised in the past,” the company said.

There has been a rise in attempted logins across many web platforms and sites after the discovery of 117 million LinkedIn, 360 million MySpace, and 65 million Tumblr email credentials for sale on the Dark Web last month. The credentials were obtained from breaches that occurred in 2012 and 2013. Earlier this month, a hacker dubbed “Peace” claimed responsibility for the LinkedIn, Tumblr, and MySpace data dumps and released an additional database containing 171 million user accounts associated with the Russian social networking site VK.com.

While some password databases originate from previous breaches, other password databases are gained from compromised personal and organisational endpoints, according to Israel Barak, CISO and head of incident response Cybereason. 

Botnets are adapting their operations to use their control over millions of endpoints – personal and corporate ones, sometimes controlling them with just a commodity malware that is considered 'low risk', to create better monetisation models, and specifically as it relates to credential theft, they extract user credentials stored on these endpoints (ie, 'saved passwords') and aggregate them into password databases that can be sold and monetised on in the marketplace,” Barak wrote in an email to SCMagazine.com.

The use of bots in launching these attacks has plagued the private and public sectors. A recent report by Distil Networks found that only 12 percent of websites could detect simple bots, while less than one percent of sites were able to detect most advanced bots. Consumer, government and financial services were least capable of detecting bots.

The posted login credentials have led to concerns that web services now face an increase in risk of unauthorised logins, as many web users continue to reuse login information across multiple platforms. In a move similar to Citrix, Reddit reacted to the discovery of the published login credentials by a forced password reset last month. “Though Reddit itself has not been exploited, even the best security in the world won't work when users are reusing passwords between sites,” the company stated.