Web Fraud 2.0


24
Sep 18

Beware of Hurricane Florence Relief Scams

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.

For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

The landing page for hurricaneflorencerelieffund-dot-com also is the landing page for at least 4 other Hurricane Florence donation sites that use the same anonymous PayPal address.

Among the earliest of these is hurricaneflorencerelieffund-dot-com, registered anonymously via GoDaddy on Sept. 13, 2018. Donations sent through the site’s PayPal page go to an email address tied to the PayPal account on the site (info@hurricaneflorencerelieffund-dot-com); emails to that address did not elicit a response.

Sometime in the past few days, several other Florence-related domains that were previous parked at GoDaddy now redirect to this domain, including hurricanflorence-dot-org (note the missing “e”); florencedisaster-dot-org; florencefunds-dot-com; and hurricaneflorencedonation-dot-com. All of these domains include the phone number 833-FLO-FUND, which rings to an automated system that ultimately asks the caller to leave a message. There is no information provided about the organization or individual running the sites.

The domain hurricaneflorencedisasterfund-dot-com has a slightly different look and feel, invokes the name of the Red Cross and also includes the 833-FLO-FUND number. Likewise, it accepts PayPal donations tied to the same email address mentioned above. It claims “80% of all donations go directly to FIRST RESPONDERS in North & South Carolina!” although it provides no clear way to verify that claim.

Hurricaneflorencedisasterfund-dot-com is one of several domains anonymously accepting PayPal donations, purportedly on behalf of Hurricane Florence victims.

The domain hurricaneflorencerelief-dot-fund, registered on Sept. 11, also accepts PayPal donations with minimal information about who might benefit from monies given. The site links to Facebook, Twitter and other social network accounts set up with the same name, although none of them appear to have any meaningful content. The email address tied to that PayPal account — hurricaneflorencerelief@gmail.com — did not respond to requests for comment.

The domain theflorencefund-dot-com until recently also accepted PayPal donations and had an associated Twitter account (now deleted), but that domain recently changed its homepage to include the message, “Due to the change in Florence’s path, we’re suspending our efforts.” Continue reading →


20
Apr 18

Is Facebook’s Anti-Abuse System Broken?

Facebook has built some of the most advanced algorithms for tracking users, but when it comes to acting on user abuse reports about Facebook groups and content that clearly violate the company’s “community standards,” the social media giant’s technology appears to be woefully inadequate.

Last week, Facebook deleted almost 120 groups totaling more than 300,000 members. The groups were mostly closed — requiring approval from group administrators before outsiders could view the day-to-day postings of group members.

However, the titles, images and postings available on each group’s front page left little doubt about their true purpose: Selling everything from stolen credit cards, identities and hacked accounts to services that help automate things like spamming, phishing and denial-of-service attacks for hire.

To its credit, Facebook deleted the groups within just a few hours of KrebsOnSecurity sharing via email a spreadsheet detailing each group, which concluded that the average length of time the groups had been active on Facebook was two years. But I suspect that the company took this extraordinary step mainly because I informed them that I intended to write about the proliferation of cybercrime-based groups on Facebook.

That story, Deleted Facebook Cybercrime Groups had 300,000 Members, ended with a statement from Facebook promising to crack down on such activity and instructing users on how to report groups that violate it its community standards.

In short order, some of the groups I reported that were removed re-established themselves within hours of Facebook’s action. I decided instead of contacting Facebook’s public relations arm directly that I would report those resurrected groups and others using Facebook’s stated process. Roughly two days later I received a series replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. Here’s a snippet from those replies:

Perhaps I should give Facebook the benefit of the doubt: Maybe my multiple reports one after the other triggered some kind of anti-abuse feature that is designed to throttle those who would seek to abuse it to get otherwise legitimate groups taken offline — much in the way that pools of automated bot accounts have been known to abuse Twitter’s reporting system to successfully sideline accounts of specific targets.

Or it could be that I simply didn’t click the proper sequence of buttons when reporting these groups. The closest match I could find in Facebook’s abuse reporting system were, “Doesn’t belong on Facebook,” and “Purchase or sale of drugs, guns or regulated products.” There was/is no option for “selling hacked accounts, credit cards and identities,” or anything of that sort.

In any case, one thing seems clear: Naming and shaming these shady Facebook groups via Twitter seems to work better right now for getting them removed from Facebook than using Facebook’s own formal abuse reporting process. So that’s what I did on Thursday. Here’s an example: Continue reading →


18
Apr 18

A Sobering Look at Fake Online Reviews

In 2016, KrebsOnSecurity exposed a network of phony Web sites and fake online reviews that funneled those seeking help for drug and alcohol addiction toward rehab centers that were secretly affiliated with the Church of Scientology. Not long after the story ran, that network of bogus reviews disappeared from the Web. Over the past few months, however, the same prolific purveyor of these phantom sites and reviews appears to be back at it again, enlisting the help of Internet users and paying people $25-$35 for each fake listing.

Sometime in March 2018, ads began appearing on Craigslist promoting part-time “social media assistant” jobs, in which interested applicants are directed to sign up for positions at seorehabs[dot]com. This site promotes itself as “leaders in addiction recovery consulting,” explaining that assistants can earn a minimum of $25 just for creating individual Google for Business listings tied to a few dozen generic-sounding addiction recovery center names, such as “Integra Addiction Center,” and “First Exit Recovery.”

The listing on Craigslist.com advertising jobs for creating fake online businesses tied to addiction rehabilitation centers.

Applicants who sign up are given detailed instructions on how to step through Google’s anti-abuse process for creating listings, which include receiving a postcard via snail mail from Google that contains a PIN which needs to be entered at Google’s site before a listing can be created.

Assistants are cautioned not to create more than two listings per street address, but otherwise to use any U.S.-based street address and to leave blank the phone number and Web site for the new business listing.

A screen shot from Seorehabs’ instructions for those hired to create rehab center listings.

In my story Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers, I showed how a labyrinthine network of fake online reviews that steered Internet searches toward rehab centers funded by Scientology adherents was set up by TopSeek Inc., which bills itself as a collection of “local marketing experts.” According to LinkedIn, TopSeek is owned by John Harvey, an individual (or alias) who lists his address variously as Sacramento, Calif. and Hawaii.

Although the current Web site registration records from registrar giant Godaddy obscure the information for the current owner of seorehabs[dot]com, a historic WHOIS search via DomainTools shows the site was also registered by John Harvey and TopSeek in 2015. Mr. Harvey did not respond to requests for comment. [Full disclosure: DomainTools previously was an advertiser on KrebsOnSecurity].

TopSeek’s Web site says it works with several clients, but most especially Narconon International — an organization that promotes the rather unorthodox theories of Scientology founder L. Ron Hubbard regarding substance abuse treatment and addiction.

As described in Narconon’s Wikipedia entry, Narconon facilities are known not only for attempting to win over new converts to Scientology, but also for treating all substance abuse addictions with a rather bizarre cocktail consisting mainly of vitamins and long hours in extremely hot saunas. Their Wiki entry documents multiple cases of accidental deaths at Narconon facilities, where some addicts reportedly died from overdoses of vitamins or neglect. Continue reading →


11
Apr 18

When Identity Thieves Hack Your Accountant

The Internal Revenue Service has been urging tax preparation firms to step up their cybersecurity efforts this year, warning that identity thieves and hackers increasingly are targeting certified public accountants (CPAs) in a bid to siphon oodles of sensitive personal and financial data on taxpayers. This is the story of a CPA in New Jersey whose compromise by malware led to identity theft and phony tax refund requests filed on behalf of his clients.

Last month, KrebsOnSecurity was alerted by security expert Alex Holden of Hold Security about a malware gang that appears to have focused on CPAs. The crooks in this case were using a Web-based keylogger that recorded every keystroke typed on the target’s machine, and periodically uploaded screenshots of whatever was being displayed on the victim’s computer screen at the time.

If you’ve never seen one of these keyloggers in action, viewing their output can be a bit unnerving. This particular malware is not terribly sophisticated, but nevertheless is quite effective. It not only grabs any data the victim submits into Web-based forms, but also captures any typing — including backspaces and typos as we can see in the screenshot below.

The malware records everything its victims type (including backspaces and typos), and frequently takes snapshots of the victim’s computer screen.

Whoever was running this scheme had all victim information uploaded to a site that was protected from data scraping by search engines, but the site itself did not require any form of authentication to view data harvested from victim PCs. Rather, the stolen information was indexed by victim and ordered by day, meaning anyone who knew the right URL could view each day’s keylogging record as one long image file.

Those records suggest that this particular CPA — “John,” a New Jersey professional whose real name will be left out of this story — likely had his computer compromised sometime in mid-March 2018 (at least, this is as far back as the keylogging records go for John).

It’s also not clear exactly which method the thieves used to get malware on John’s machine. Screenshots for John’s account suggest he routinely ignored messages from Microsoft and other third party Windows programs about the need to apply critical security updates.

Messages like this one — about critical security updates available for QuickBooks — went largely ignored, according to multiple screenshots from John’s computer.

More likely, however, John’s computer was compromised by someone who sent him a booby-trapped email attachment or link. When one considers just how frequently CPAs must need to open Microsoft Office and other files submitted by clients and potential clients via email, it’s not hard to imagine how simple it might be for hackers to target and successfully compromise your average CPA.

The keylogging malware itself appears to have been sold (or perhaps directly deployed) by a cybercriminal who uses the nickname ja_far. This individual markets a $50 keylogger product alongside a malware “crypting” service that guarantees his malware will be undetected by most antivirus products for a given number of days after it is used against a victim.

Ja_far’s sales threads for the keylogger used to steal tax and financial data from hundreds of John’s clients.

It seems likely that ja_far’s keylogger was the source of this data because at one point — early in the morning John’s time — the attacker appears to have accidentally pasted ja_far’s jabber instant messenger address into the victim’s screen instead of his own. In all likelihood, John’s assailant was seeking additional crypting services to ensure the keylogger remained undetected on John’s PC. A couple of minutes later, the intruder downloaded a file to John’s PC from file-sharing site sendspace.com.

The attacker apparently messing around on John’s computer while John was not sitting in front of the keyboard.

What I found remarkable about John’s situation was despite receiving notice after notice that the IRS had rejected many of his clients’ tax returns because those returns had already been filed by fraudsters, for at least two weeks John does not appear to have suspected that his compromised computer was likely the source of said fraud inflicted on his clients (or if he did, he didn’t share this notion with any of his friends or family via email).

Instead, John composed and distributed to his clients a form letter about their rejected returns, and another letter that clients could use to alert the IRS and New Jersey tax authorities of suspected identity fraud. Continue reading →


8
Mar 18

Look-Alike Domains and Visual Confusion

How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.

For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:

https://www.са.com/

Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google Chrome, Apple’s Safari, or some recent version of Microsoft‘s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” and it allows browsers to render domains with non-Latin alphabets like Cyrillic and Ukrainian.

Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way. Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain):

The domain https://www.са.com/ as rendered by Microsoft Edge on Windows 10. The rest of the text in the image (beginning with “Welcome to a site…”) was added by the person who registered this test domain, not the browser.

IE, Edge, Chrome and Safari all will convert https://www.са.com/ into its punycode output (xn--80a7a.com), in part to warn visitors about any confusion over look-alike domains registered in other languages. But if you load that domain in Mozilla Firefox and look at the address bar, you’ll notice there’s no warning of possible danger ahead. It just looks like it’s loading the real ca.com:

What the fake ca.com domain looks like when loaded in Mozilla Firefox. A browser certificate ordered from Comodo allows it to include the green lock (https://) in the address bar, adding legitimacy to the look-alike domain. The rest of the text in the image (beginning with “Welcome to a site…”) was added by the person who registered this test domain, not the browser. Click to enlarge.

The domain “xn--80a7a.com” pictured in the first screenshot above is punycode for the Ukrainian letters for “s” (which is represented by the character “c” in Russian and Ukrainian), as well as an identical Ukrainian “a”.

It was registered by Alex Holden, founder of Milwaukee, Wis.-based Hold Security Inc. Holden’s been experimenting with how the different browsers handle punycodes in the browser and via email. Holden grew up in what was then the Soviet Union and speaks both Russian and Ukrainian, and he’s been playing with Cyrillic letters to spell English words in domain names.

Letters like A and O look exactly the same and the only difference is their Unicode value. There are more than 136,000 Unicode characters used to represent letters and symbols in 139 modern and historic scripts, so there’s a ton of room for look-alike or malicious/fake domains.

For example, “a” in Latin is the Unicode value “0061” and in Cyrillic is “0430.”  To a human, the graphical representation for both looks the same, but for a computer there is a huge difference. Internationalized domain names (IDNs) allow domain names to be registered in non-Latin letters (RFC 3492), provided the domain is all in the same language; trying to mix two different IDNs in the same name causes the domain registries to reject the registration attempt.

So, in the Cyrillic alphabet (Russian/Ukrainian), we can spell АТТ, УАНОО, ХВОХ, and so on. As you can imagine, the potential opportunity for impersonation and abuse are great with IDNs. Here’s a snippet from a larger chart Holden put together showing some of the more common ways that IDNs can be made to look like established, recognizable domains:

Image: Hold Security.

Holden also was able to register a valid SSL encryption certificate for https://www.са.com from Comodo.com, which would only add legitimacy to the domain were it to be used in phishing attacks against CA customers by bad guys, for example. Continue reading →


20
Feb 18

Money Laundering Via Author Impersonation on Amazon?

Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish.

The phony $555 book sold more than 60 times on Amazon using Patrick Reames’ name and Social Security number.

Reames is a credited author on Amazon by way of several commodity industry books, although none of them made anywhere near the amount Amazon is reporting to the Internal Revenue Service. Nor does he have a personal account with Createspace.

But that didn’t stop someone from publishing a “novel” under his name. That word is in quotations because the publication appears to be little more than computer-generated text, almost like the gibberish one might find in a spam email.

“Based on what I could see from the ‘sneak peak’ function, the book was nothing more than a computer generated ‘story’ with no structure, chapters or paragraphs — only lines of text with a carriage return after each sentence,” Reames said in an interview with KrebsOnSecurity.

The impersonator priced the book at $555 and it was posted to multiple Amazon sites in different countries. The book — which as been removed from most Amazon country pages as of a few days ago — is titled “Lower Days Ahead,” and was published on Oct 7, 2017.

Reames said he suspects someone has been buying the book using stolen credit and/or debit cards, and pocketing the 60 percent that Amazon gives to authors. At $555 a pop, it would only take approximately 70 sales over three months to rack up the earnings that Amazon said he made.

“This book is very unlikely to ever sell on its own, much less sell enough copies in 12 weeks to generate that level of revenue,” Reames said. “As such, I assume it was used for money laundering, in addition to tax fraud/evasion by using my Social Security number. Amazon refuses to issue a corrected 1099 or provide me with any information I can use to determine where or how they were remitting the royalties.”

Reames said the books he has sold on Amazon under his name were done through his publisher, not directly via a personal account (the royalties for those books accrue to his former employer) so he’d never given Amazon his Social Security number. But the fraudster evidently had, and that was apparently enough to convince Amazon that the imposter was him.

Reames said after learning of the impersonation, he got curious enough to start looking for other examples of author oddities on Amazon’s Createspace platform.

“I have reviewed numerous Createspace titles and its clear to me that there may be hundreds if not thousands of similar fraudulent books on their site,” Reames said. “These books contain no real content, only dozens of pages of gibberish or computer generated text.” Continue reading →


12
Feb 18

Domain Theft Strands Thousands of Web Sites

Newtek Business Services Corp. [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business Web sites and some 40,000 managed technology accounts, had several of its core domain names stolen over the weekend. The theft shut off email and stranded Web sites for many of Newtek’s customers.

An email blast Newtek sent to customers late Saturday evening made no mention of a breach or incident, saying only that the company was changing domains due to “increased” security. A copy of that message can be read here (PDF).

In reality, three of their core domains were hijacked by a Vietnamese hacker, who replaced the login page many Newtek customers used to remotely manage their Web sites (webcontrolcenter[dot]com) with a live Web chat service. As a result, Newtek customers seeking answers to why their Web sites no longer resolved correctly ended up chatting with the hijacker instead.

The PHP Web chat client that the intruder installed on Webcontrolcenter[dot]com, a domain that many Newtek customers used to manage their Web sites with the company. The perpetrator can be seen in this chat using the name “admin.” Click to enlarge.

In a follow-up email sent to customers 10 hours later (PDF), Newtek acknowledged the outage was the result of a “dispute” over three domains, webcontrolcenter[dot]com, thesba[dot]com, and crystaltech[dot]com.

“We strongly request that you eliminate these domain names from all your corporate or personal browsers, and avoid clicking on them,” the company warned its customers. “At this hour, it has become apparent that as a result over the dispute for these three domain names, we do not currently have control over the domains or email coming from them.”

The warning continued: “There is an unidentified third party that is attempting to chat and may engage with clients when visiting the three domains. It is imperative that you do not communicate or provide any sensitive data at these locations.”

Newtek did not respond to requests for comment.

Domain hijacking is not a new problem, but it can be potentially devastating to the victim organization. In control of a hijacked domain, a malicious attacker could seamlessly conduct phishing attacks to steal personal information, or use the domain to foist malicious software on visitors.

Newtek is not just a large Web hosting firm: It aims to be a one-stop shop for almost any online service a small business might need. As such, it’s a mix of very different business units rolled up into one since its founding in 1998, including lending solutions, HR, payroll, managed cloud solutions, group health insurance and disaster recovery solutions.

“NEWT’s tentacles go deep into their client’s businesses through providing data security, human resources, employee benefits, payments technology, web design and hosting, a multitude of insurance solutions, and a suite of IT services,” reads a Sept. 2017 profile of the company at SeekingAlpha, a crowdsourced market analysis publication.

Newtek’s various business lines. Source: Newtek.

Continue reading →


9
Jan 18

Website Glitch Let Me Overstock My Coinbase

Coinbase and Overstock.com just fixed a serious glitch that allowed Overstock customers to buy any item at a tiny fraction of the listed price. Potentially more punishing, the flaw let anyone paying with bitcoin reap many times the authorized bitcoin refund amount on any canceled Overstock orders.

In January 2014, Overstock.com partnered with Coinbase to let customers pay for merchandise using bitcoin, making it among the first of the largest e-commerce vendors to accept the virtual currency.

On December 19, 2017, as the price of bitcoin soared to more than $17,000 per coin, Coinbase added support for Bitcoin Cash — an offshoot (or “fork”) from bitcoin designed to address the cryptocurrency’s scalability challenges.

As a result of the change, Coinbase customers with balances of bitcoin at the time of the fork were given an equal amount of bitcoin cash stored by Coinbase. However, there is a significant price difference between the two currencies: A single bitcoin is worth almost $15,000 right now, whereas a unit of bitcoin cash is valued at around $2,400.

On Friday, Jan. 5, KrebsOnSecurity was contacted by JB Snyder, owner of North Carolina-based Bancsec, a company that gets paid to break into banks and test their security. An early adopter of bitcoin, Snyder said he was using some of his virtual currency to purchase an item at Overstock when he noticed something alarming.

During the checkout process for those paying by bitcoin, Overstock.com provides the customer a bitcoin wallet address that can be used to pay the invoice and complete the transaction. But Snyder discovered that Overstock’s site just as happily accepted bitcoin cash as payment, even though bitcoin cash is currently worth only about 15 percent of the value of bitcoin.

To confirm and replicate Snyder’s experience firsthand, KrebsOnSecurity purchased a set of three outdoor solar lamps from Overstock for a grand total of $78.27.

The solar lights I purchased from Overstock.com to test Snyder’s finding. They cost $78.27 in bitcoin, but because I was able to pay for them in bitcoin cash I only paid $12.02.

After indicating I wished to pay for the lamps in bitcoin, the site produced a payment invoice instructing me to send exactly 0.00475574 bitcoins to a specific address.

The payment invoice I received from Overstock.com.

Logging into Coinbase, I took the bitcoin address and pasted that into the “pay to:” field, and then told Coinbase to send 0.00475574 in bitcoin cash instead of bitcoin. The site responded that the payment was complete. Within a few seconds I received an email from Overstock congratulating me on my purchase and stating that the items would be shipped shortly.

I had just made a $78 purchase by sending approximately USD $12 worth of bitcoin cash. Crypto-currency alchemy at last!

But that wasn’t the worst part. I didn’t really want the solar lights, but also I had no interest in ripping off Overstock. So I cancelled the order. To my surprise, the system refunded my purchase in bitcoin, not bitcoin cash!

Consider the implications here: A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time. Let’s say I purchased one of the more expensive items for sale on Overstock, such as this $100,000, 3-carat platinum diamond ring. I then pay for it in Bitcoin cash, using an amount equivalent to approximately 1 bitcoin ($~15,000).

Then I simply cancel my order, and Overstock/Coinbase sends me almost $100,000 in bitcoin, netting me a tidy $85,000 profit. Rinse, wash, repeat. Continue reading →


26
Dec 17

Skyrocketing Bitcoin Fees Hit Carders in Wallet

Critics of unregulated virtual currencies like Bitcoin have long argued that the core utility of these payment systems lies in facilitating illicit commerce, such as buying drugs or stolen credit cards and identities. But recent spikes in the price of Bitcoin — and the fees associated with moving funds into and out of it — have conspired to make Bitcoin a less useful and desirable payment method for many crooks engaged in these activities.

Bitcoin’s creator(s) envisioned a currency that could far more quickly and cheaply facilitate payments, with tiny transaction fees compared to more established and regulated forms of payment (such as credit cards). And indeed, until the beginning of 2017 those fees were well below $1, frequently less than 10 cents per transaction.

But as the price of Bitcoin has soared over the past few months to more than $15,000 per coin, so have the Bitcoin fees per transaction. This has made Bitcoin far less attractive for conducting small-dollar transactions (for more on this shift, see this Dec. 19 story from Ars Technica).

As a result, several major underground markets that traffic in stolen digital goods are now urging customers to deposit funds in alternative virtual currencies, such as Litecoin. Those who continue to pay for these commodities in Bitcoin not only face far higher fees, but also are held to higher minimum deposit amounts.

“Due to the drastic increase in the Bitcoin price, we faced some difficulties,” reads the welcome message for customers after they log in to Carder’s Paradise, a Dark Web marketplace that KrebsOnSecurity featured in a story last week.

“The problem is that we send all your deposited funds to our suppliers which attracts an additional Bitcoin transaction fee (the same fee you pay when you make a deposit),” Carder’s Paradise explains. “Sometimes we have to pay as much as 5$ from every 1$ you deposited.”

Continue reading →


18
Dec 17

The Market for Stolen Account Credentials

Past stories here have explored the myriad criminal uses of a hacked computer, the various ways that your inbox can be spliced and diced to help cybercrooks ply their trade, and the value of a hacked company. Today’s post looks at the price of stolen credentials for just about any e-commerce, bank site or popular online service, and provides a glimpse into the fortunes that an enterprising credential thief can earn selling these accounts on consignment.

Not long ago in Internet time, your typical cybercriminal looking for access to a specific password-protected Web site would most likely visit an underground forum and ping one of several miscreants who routinely leased access to their “bot logs.”

These bot log sellers were essentially criminals who ran large botnets (collections of hacked PCs) powered by malware that can snarf any passwords stored in the victim’s Web browser or credentials submitted into a Web-based login form. For a few dollars in virtual currency, a ne’er-do-well could buy access to these logs, or else he and the botmaster would agree in advance upon a price for any specific account credentials sought by the buyer.

Back then, most of the stolen credentials that a botmaster might have in his possession typically went unused or unsold (aside from the occasional bank login that led to a juicy high-value account). Indeed, these plentiful commodities held by the botmaster for the most part were simply not a super profitable line of business and so went largely wasted, like bits of digital detritus left on the cutting room floor.

But oh, how times have changed! With dozens of sites in the underground now competing to purchase and resell credentials for a variety of online locations, it has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone.

If the old adage about a picture being worth a thousand words is true, the one directly below is priceless because it illustrates just how profitable the credential resale business has become.

This screen shot shows the earnings panel of a crook who sells stolen credentials for hundreds of Web sites to a dark web service that resells them. This botmaster only gets paid when someone buys one of his credentials. So far this year, customers of this service have purchased more than 35,000 credentials he’s sold to this service, earning him more than $288,000 in just a few months.

The image shown above is the wholesaler division of “Carder’s Paradise,” a bustling dark web service that sells credentials for hundreds of popular Web destinations. The screen shot above is an earnings panel akin to what you would see if you were a seller of stolen credentials to this service — hence the designation “Seller’s Paradise” in the upper left hand corner of the screen shot.

This screen shot was taken from the logged-in account belonging to one of the more successful vendors at Carder’s Paradise. We can see that in just the first seven months of 2017, this botmaster sold approximately 35,000 credential pairs via the Carder’s Paradise market, earning him more than $288,000. That’s an average of $8.19 for each credential sold through the service.

Bear in mind that this botmaster only makes money based on consignment: Regardless of how much he uploads to Seller’s Paradise, he doesn’t get paid for any of it unless a Carder’s Paradise customer chooses to buy what he’s selling.

Fortunately for this guy, almost 9,000 different customers of Carder’s Paradise chose to purchase one or more of his username and password pairs. It was not possible to tell from this seller’s account how many credential pairs total that he has contributed to this service which went unsold, but it’s a safe bet that it was far more than 35,000.

[A side note is in order here because there is some delicious irony in the backstory behind the screenshot above: The only reason a source of mine was able to share it with me was because this particular seller re-used the same email address and password across multiple unrelated cybercrime services]. Continue reading →