Russian cyber crooks make off with 1.2 billion Internet logins


The small operation, located in south central Russia, includes men in their 20s who know one another online and offline.

“The Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding,” the New York Times reports. “Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.”
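To make the "well-known hacking technique" concrete from the defender's side, here is an added illustration (not code from the article, from the New York Times, or from Hold Security) of the flaw the botnet was probing for and the fix that removes it. It uses Python's built-in sqlite3 module with a constructed in-memory table of made-up accounts; the probe string, table name and column names are all assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample table: a few made-up accounts so the example runs offline.
# A real credential store would hold password hashes, never plaintext.
SAMPLE_USERS = [
    ("alice", "pw-alice"),
    ("bob", "pw-bob"),
    ("carol", "pw-carol"),
]


def build_db():
    """Create an in-memory SQLite database populated with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The statement is assembled by string concatenation, so whatever the
    # client submits becomes part of the SQL text. This is the defect an
    # automated scanner is looking for: one crafted value is enough to make
    # the query return the whole table instead of a single row.
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver binds the input as a value, so it is
    # never parsed as SQL no matter what characters it contains.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed probe input of the general kind an automated scanner sends: it
# closes the quoted literal and appends a condition that is always true.
PROBE = "nobody' OR '1'='1"


def compare(conn=None):
    """Run the same probe through both lookups and report how many rows leak."""
    conn = conn or build_db()
    return {
        # The concatenated query returns every account for the probe input.
        "vulnerable_rows": len(lookup_vulnerable(conn, PROBE)),
        # The parameterized query treats the probe as an ordinary, unknown username.
        "safe_rows": len(lookup_safe(conn, PROBE)),
        # Normal usage still works: a real username returns exactly its row.
        "legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(compare())
```

The point for a site operator is that the fix is not input filtering but separating code from data: every query built with parameters behaves like `lookup_safe`, and the scanner's flagging step described above finds nothing to flag.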

It’s unclear how the victims’ computers became infected and recruited into the botnet to begin with.

The suspects have not sold many of the records yet. They appear to be using the stolen information to spam social networks like Twitter on behalf of other groups, collecting fees in return.

“There is a division of labor within the gang,” said Alex Holden, founder of Hold Security, which discovered the plunder. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

The group’s computer servers are thought to be in Russia.

The hackers began as amateur spammers in 2011, buying stolen databases of personal information on the black market. More recently, they may have partnered with another entity that is sharing hacking techniques and tools with them.

The theft is believed to be the largest known collection of stolen Internet credentials. The goods were gathered from 420,000 websites, including major corporations and small online outfits.

By July, the criminals held 4.5 billion records — each a user name and password — though many overlapped. Hold Security determined that 1.2 billion of those records were unique. Because people tend to use multiple emails, Hold filtered further and found that the criminals’ database included about 542 million unique email addresses.

Most of these sites are still vulnerable.