December 26, 2012

Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.

This shop sells credentials to active accounts at dozens of leading e-retailers.

At the forefront of this trend are botnet creation kits like Citadel, ZeuS and SpyEye, which make it simple for miscreants to assemble collections of compromised machines. By default, most bot malware will extract any passwords stored in the victim PC’s browser, and will intercept and record any credentials submitted in Web forms, such as when a user enters his credit card number, address, etc. at an online retail shop. This “form grabbing” happens inside the browser, before the data is encrypted for transit, so an HTTPS connection to the retailer does nothing to protect it.

Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of respectable size (a few thousand bots, e.g.) can expect to quickly accumulate huge volumes of “logs,” records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on Underweb forums selling bulk access to their botnet logs; for example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $150.
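The records such a botnet piles up are also what a defender is handed when a researcher or law enforcement shares a recovered dump. The following Python script is an added example, not code from this post or from any of the kits named above; it triages a small constructed dump to show what the buyers and sellers described here are actually pricing. The record layout (one line per captured form submission, URL and URL-encoded POST body separated by a pipe) and the username/password field names are assumptions for illustration, not the format any kit writes to disk. The sample is constructed and uses reserved .test domains.

```python
"""Triage a dump of botnet "logs" (constructed sample, assumed layout).

Each record is one form submission captured on a victim PC: the URL the
form was posted to and the raw URL-encoded POST body. Real kits record far
more (cookies, browser-stored passwords, screenshots); this only handles
the credential part.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: three victims, four sites, two passwords reused.
SAMPLE_LOG = """\
https://www.example-shop.test/login|email=alice%40example.test&password=Winter2012%21&remember=on
https://mail.example.test/auth|user=alice%40example.test&pass=Winter2012%21
https://www.example-store.test/signin|login=bob&pwd=hunter2
https://shipping.example.test/login|username=bob&password=hunter2
https://www.example-shop.test/login|email=carol%40example.test&password=c0rrect-h0rse
https://www.example-shop.test/login|email=carol%40example.test&password=c0rrect-h0rse
"""

# Assumed field names; a real triage script would learn these per site.
USER_FIELDS = ("email", "user", "username", "login", "userid")
PASS_FIELDS = ("password", "pass", "pwd", "passwd")


def parse_log(text):
    """Return de-duplicated (host, user, password) tuples from the raw dump.

    Records whose body has no recognisable username or password field are
    skipped rather than guessed at.
    """
    seen = set()
    creds = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        url, body = line.split("|", 1)
        host = urlsplit(url).hostname
        # parse_qs undoes the %xx escaping (alice%40 -> alice@, %21 -> !)
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items() if v}
        user = next((fields[f] for f in USER_FIELDS if f in fields), None)
        pw = next((fields[f] for f in PASS_FIELDS if f in fields), None)
        if not (host and user and pw):
            continue
        rec = (host, user.lower(), pw)
        if rec not in seen:
            seen.add(rec)
            creds.append(rec)
    return creds


def accounts_by_host(creds):
    """Map each site to the usernames captured for it: the per-retailer
    view that the shops above sell "separately by retailer name"."""
    out = defaultdict(set)
    for host, user, _ in creds:
        out[host].add(user)
    return dict(out)


def reused_credentials(creds):
    """Return {(user, password): [hosts]} for pairs seen at more than one
    site. A retail login that also opens the victim's mailbox lets a buyer
    reset every other account, which is why such bundles cost more."""
    sites = defaultdict(set)
    for host, user, pw in creds:
        sites[(user, pw)].add(host)
    return {k: sorted(v) for k, v in sites.items() if len(v) > 1}


def affected_accounts(creds, my_host):
    """Usernames a site operator should force-reset after obtaining a dump."""
    return sorted({user for host, user, _ in creds if host == my_host})


if __name__ == "__main__":
    creds = parse_log(SAMPLE_LOG)
    for host, users in sorted(accounts_by_host(creds).items()):
        print(f"{host}: {len(users)} account(s)")
    for (user, _), hosts in reused_credentials(creds).items():
        print(f"reused: {user} at {', '.join(hosts)}")
    print("reset at www.example-shop.test:",
          affected_accounts(creds, "www.example-shop.test"))
```

Note what the duplicate carol record shows: the same victim re-entering the same password on the same site adds nothing, so the dedup step is what turns gigabytes of logs into a sellable count of accounts. A retailer working from such a dump would next verify which leaked passwords still match its stored hashes; those are the “live” accounts that need a forced reset, while the rest are already dead.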

The “Freshtools” service sells a variety of hacked e-retailer credentials.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com and walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Another store widely advertised in the Underweb (see screenshot above) pimps credentials for a far broader array of retailers, most of which can be had for $2, including amazon.com, apple.com, autotrader.co.uk, bestbuy.com, bloomingdales.com, bol.com, cdw.com, drugstore.com, ebay.co.uk, ebay.com, facebook.com, gamestop.com, gumtree.com, kohls.com, logmein.com, lowes.com, macys.com, mylikes.com, newegg.com, next.co.uk, okpay.com, paypal.com, payza.com, runescape.com, sephora.com, skype.com, target.com, toysrus.com, ukash.com, verizon.com, walmart.com, xoom.com and zappos.com. Accounts at these retailers that have credit cards or bank accounts tied to them command higher prices.

The "Pentagon" store sells a range of merchant site credentials, priced at $1 to $5.

These shops are just one more example of a concept I have been trying to get across to readers: the many, many uses of a hacked PC. One of the ideas I attempted to communicate with that hacked PC graphic is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. Once again, I have yet to find an exception to this rule.

11 thoughts on “Exploring the Market for Stolen Passwords”

  1. brothers in arms

    It’s a simple game of supply and demand.

    No demand, no supply.

    People sell water. Why? Because there is a demand for it.

  2. brothers in arms

    Money, money, money
    Always sunny
    In the rich man’s world
    Aha-ahaaa
    All the things I could do
    If I had a little money
    It’s a rich man’s world

  3. AlphaCentauri

    What is the value of buying an account that is not tied to a credit card? Do they just use the identity information to create accounts, or try to use the username/PW combination at other sites? Or are these accounts that have not been checked for credit card information yet, like buying unshucked oysters hoping for pearls?

    1. Godaigo

      In many of the accounts you could then add a new credit card (also stolen) and then order products. Alternatively, as shown by the actions of Cosmo the God, you could use the information stored in the account to increase the effectiveness of social engineering attacks, etc.

    2. JCitizen

      I should think many such accounts ARE tied to credit cards. The number would be obfuscated, but if you are using it to purchase goods anyway, it’s all golden. However, many card companies are now holding up purchases that show a new shipping address. So this will become a problem for thieves trying this avenue.

  4. george

    For me, what I don’t understand is the column Price (live/die), with $2 “live” and $0.01 “die”. Does that mean that even inactive (cancelled) accounts have some (little) value for the underworld?

  5. meh

    Actually, they don’t have any value. These are third world kiddies with nothing else of value to offer. It’s lamerville.

  6. TLKst21

    These botnets are making the rounds again. I got hit by a variant of Reveton (N5) last week (despite having AVG & McAfee) and it wiped me out. It was the FBI MoneyPack ransomware/scareware. It hijacked my computer and webcam, even though my firewall was set to disable my webcam. The scammers let me know they were watching me & demanded $300. It was very difficult to get rid of. Had to disable internet to access my desktop, do a system restore, and after days of running the hours-long “I have a virus” scans from MSFT Security Essentials, Malwarebytes & some anti-spyware from Major Geeks in regular & safe modes, I think (hope) I finally got it all. Flipping nightmare! Hoping these criminals don’t have enough current info to steal from me. Bad enough that these jerks made me late turning in my term paper for my EMBA strategy course.

    1. JCitizen

      Sounds like you got too many AVs on your machine – besides the fact that they aren’t the best ones anyway.

  7. RWS

    Congratulations, and thanks for all your work in keeping us informed about security, Brian. I look forward to each article.

    Regards,

  8. JCitizen

    Just another good illustration why we should be using password managers with encryption. Of course that is only one rivet in the blended defense armor.

    Thanks for the article Brian!

Comments are closed.