Security researchers have found a method to collect vast amounts of stolen user credentials by executing searches on VirusTotal, the online service used to analyze suspicious files and URLs.
A licensed user on VirusTotal can query the service's dataset with a combination of search terms covering file type, file name, submitted data, country, and file content, among others. The SafeBreach team modeled its "VirusTotal hacking" technique on "Google hacking," the method criminals use to look for vulnerable websites, Internet of Things devices, Web shells, and sensitive data leaks.
The "Perfect" Cybercrime
While there are plenty of info stealers to choose from, the researchers chose five commonly used ones because of their greater odds of finding files exfiltrated by them in the VirusTotal dataset.
The SafeBreach team refined its queries as it explored VirusTotal, Bar says. For example, the researchers found that some attackers compress victims' data into a single large archive file. VirusTotal provides a way to search for archive files containing fixed, hard-coded file names, so finding one such archive meant finding stolen data belonging to hundreds of victims at once, he explains.
"A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach," researchers wrote in their blog post. "We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity."
The researchers reached out to Google with their findings and requested the files containing personal data from VirusTotal. They also advised periodically searching for, and removing, files with sensitive user data and banning API keys that upload those files.
SafeBreach also advised Google to add a check that blocks uploads of files containing sensitive data in plaintext, as well as encrypted files with the decryption password attached, whether as text or as an image.
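The upload-time check described above can also be applied on the submitter's side, before a file ever reaches a public analysis service. The following is an added example, not code from SafeBreach, Google, or VirusTotal: it screens a single file or a ZIP archive for credential-like plaintext (email:password pairs, password fields, Basic auth headers, private key blocks) and, when an archive contains encrypted members alongside a small plaintext note that mentions a password, flags the "encrypted file with its password attached" pattern. The regular expressions, thresholds, function names, and the sample archive are all constructed for this example and should be tuned to your own environment.

```python
"""
Pre-upload screen for files headed to a public malware-analysis service.

Added example (not SafeBreach's, Google's, or VirusTotal's code). It flags
plaintext credential-like content before a file leaves the organisation.
All patterns, names and sample inputs below are assumptions/constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Heuristic patterns for credential material commonly seen in stealer logs.
# Constructed for this example; extend or tighten for your environment.
PATTERNS = {
    "email_password_pair": re.compile(
        r"^[\w.+-]+@[\w-]+\.[\w.-]+:[^\s]{4,}$", re.MULTILINE),
    "password_field": re.compile(
        r"^\s*(?:pass(?:word)?|pwd)\s*[:=]\s*\S+", re.IGNORECASE | re.MULTILINE),
    "basic_auth_header": re.compile(
        r"Authorization:\s*Basic\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# A short text member that mentions a password next to encrypted members is
# treated as the decryption password shipped with the archive.
PASSWORD_NOTE = re.compile(r"\b(?:password|pass|pwd)\b", re.IGNORECASE)
NOTE_MAX_BYTES = 4096


@dataclass
class Finding:
    path: str   # file name, or "archive!member" for archive members
    kind: str   # which pattern matched
    count: int  # number of matches in that file or member


def _scan_text(path: str, data: bytes) -> list:
    """Run every pattern over one blob and report the ones that match."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    for kind, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            findings.append(Finding(path, kind, n))
    return findings


def scan_upload(name: str, data: bytes) -> list:
    """Return findings for a plain file, or for each readable member of a ZIP.

    Encrypted ZIP members (general-purpose flag bit 0) cannot be inspected.
    If the same archive also carries a small plaintext member that mentions a
    password, that member is flagged as the attached-password pattern.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return _scan_text(name, data)

    findings, encrypted, notes = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            member = f"{name}!{zi.filename}"
            if zi.flag_bits & 0x1:  # bit 0 set => member is encrypted
                encrypted.append(member)
                continue
            blob = zf.read(zi)
            findings.extend(_scan_text(member, blob))
            if zi.file_size < NOTE_MAX_BYTES and PASSWORD_NOTE.search(
                    blob.decode("utf-8", errors="replace")):
                notes.append(member)
    if encrypted and notes:
        for member in notes:
            findings.append(Finding(member, "password_note_for_encrypted_members", 1))
    return findings


def should_block(findings: list) -> bool:
    """Policy hook: any finding blocks the upload; refine as needed."""
    return bool(findings)


def demo() -> list:
    """Constructed sample: a stealer-style login dump packed with a README."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Collected files\n")
        zf.writestr("logins.txt",
                    "alice@example.com:Hunter2!\n"
                    "bob@example.org:correct-horse\n"
                    "password=letmein\n")
    return scan_upload("sample.zip", buf.getvalue())


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The scan is deliberately conservative: it reports counts per member rather than the matched secrets themselves, so its own output does not become another place where credentials are written in plaintext.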