"Researchers Explore Hacking VirusTotal to Find Stolen Credentials"

The SafeBreach research team discovered a way to collect vast amounts of stolen user credentials through the execution of searches on the online service used to analyze suspicious files and URLs called VirusTotal. The team was able to collect over a million credentials with a VirusTotal license and a few tools. They wanted to identify data that could be gathered by a criminal using a VirusTotal license. A licensed VirusTotal user can query the service's dataset with a combination of queries for file type, file name, submitted data, country, file content, and more. The team introduced the idea of VirusTotal hacking, which is based on the method of Google hacking where criminals look for vulnerable websites, Internet of Things (IoT) devices, web shells, and sensitive data leaks. Many who steal information collect credentials from various forums, mail accounts, browsers, and other sources, and then write them to a fixed hard-coded file name such as "all_credentials.txt." The information stealers will then exfiltrate this file from the victim's device and send it to a command-and-control (C2) server. With this method, the team took VirusTotal tools and Application Programming Interfaces (APIs) such as search, VirusTotal Graph, and Retrohunt, and used them to find files containing stolen data. They conducted their research using known malware, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, along with known forums such as DrDark and Snatch_Cloud to steal sensitive data, finding that their method works at scale. The researchers emphasized that criminals could apply this method to collect a nearly unlimited number of credentials and other user-sensitive data with significantly low effort in a short time using an infection-free approach. They disclosed their findings to Google, which owns VirusTotal, and advised the company to periodically search for and remove files containing sensitive user data. The team also suggested that Google ban API keys that upload those files and implement an algorithm for disallowing uploading files with sensitive data. This article continues to discuss the VirusTotal hacking method and how Google can prevent this technique from being successful. 

Dark Reading reports "Researchers Explore Hacking VirusTotal to Find Stolen Credentials"