New fraudster-friendly content management systems are making it more likely than ever that crooks who manage botnets and other large groupings of hacked PCs will extract and sell all credentials of value that can be harvested from the compromised machines.
I’ve often observed that botmasters routinely fail to fully eat what they kill. That is, they tend to chronically undervalue the computers at their disposal, and instead focus on extracting specific resources from hacked PCs, such as using them as spam relays or harvesting online banking credentials. Meanwhile, other assets on the hacked PC that have street value go unused and “wasted” from the fraudster’s perspective.
More often, when miscreants do seek to extract and monetize all of the account credentials from their hacked PCs, they do so by selling access to their raw botnet “logs” — huge text files that document the notable daily activities of the botted systems. To borrow from another food metaphor, this is the digital equivalent of small farms selling their fruits and vegetables as “pick-your-own;” such commerce produces some added revenue without requiring much more work on the seller’s part.
Recently, I’ve been spotting more online fraud shops set up using what appear to be pre-set templates that can be used to sell all manner of credentials from hacked PCs. These shops all sell credit and debit card information, of course, but also lists of emails culled from victim computers, hacked VPN and RDP credentials, cPanel installations, PHP mailers, FTP access, SSH logins, and online gambling accounts. Some of the panels are even reselling hacked credentials at popular porn sites. Goods can be purchased via virtual currencies such as Perfect Money and Bitcoin.
The shop shown below — blackhatstore[dot]ru — borrows the trademarked image of the Black Hat security conference franchise. It’s sometimes said that there’s no such thing as bad press, but I’m pretty sure the folks at Black Hat don’t want their brand advertised or associated in this way (by the way, I’ll be speaking at this year’s Black Hat in Las Vegas next week). I alerted the Black Hat organizers to this fraudulent site, so I wouldn’t expect it to remain live much longer.
I have no idea what the exact figures are, but I’m confident that a huge percentage of malware in circulation today has the ability to steal all credentials from hacked PCs. Finding and removing these infections is challenging enough, but many victims also fail to take stock of the information that was potentially exposed as a result of the compromise. And who can blame users for not knowing what to do? If your antivirus program detects malware, how much information does it give you about the extent or lifetime of the infection? If it finds and eradicates a deeply-rooted infection, does it remind you that it might be a good idea to change your passwords?
Understandably, the average user is probably more interested in merely having a malware-free computer than he is in contemplating whether he then needs to change all of his passwords. It is this very argument that separates much of the security industry into two camps: those who believe that anti-malware tools can sufficiently scrub a compromised PC so that it can be safely used again (hopefully by the victimized user to change their important passwords), and those who hold that the only way to ensure the integrity of a system is to back up its data, wipe the drive, and re-install the operating system.
I hold with the latter camp, which is why I keep my data on a separate drive from my operating system installation, and use disk imaging tools like Macrium Reflect and Acronis True Image to make regular backups of both the OS and the data drives. That way, if the computer does suffer a compromise, I can save hours of time and headache by restoring the operating system drive from a known-good backup.