New fraudster-friendly content management systems are making it more likely than ever that crooks who manage botnets and other large groupings of hacked PCs will extract and sell all credentials of value that can be harvested from the compromised machines.
I’ve often observed that botmasters routinely fail to fully eat what they kill. That is, they tend to chronically undervalue the computers at their disposal, and instead focus on extracting specific resources from hacked PCs, such as using them as spam relays or harvesting online banking credentials. Meanwhile, other assets on the hacked PC that have street value go unused and “wasted” from the fraudster’s perspective.
More often, when miscreants do seek to extract and monetize all of the account credentials from their hacked PCs, they do so by selling access to their raw botnet “logs” — huge text files that document the notable daily activities of the botted systems. To borrow from another food metaphor, this is the digital equivalent of small farms selling their fruits and vegetables as “pick-your-own;” such commerce produces some added revenue without requiring much more work on the seller’s part.
Recently, I’ve been spotting more online fraud shops set up using what appear to be pre-set templates that can be used to sell all manner of credentials from hacked PCs. These shops all sell credit and debit card information, of course, but also lists of emails culled from victim computers, hacked VPN and RDP credentials, Cpanel installations, PHP mailers, FTP access, SSH logins, and online gambling accounts. Some of the panels are even reselling hacked credentials at popular porn sites. Goods can be purchased via virtual currencies such as Perfect Money and bitcoin.
The shop shown below — blackhatstore[dot]ru — borrows the trademarked image of the Black Hat security conference franchise. It’s sometimes said that there’s no such thing as bad press, but I’m pretty sure the folks at Black Hat don’t want their brand advertised or associated in this way (by the way, I’ll be speaking at this year’s Black Hat in Las Vegas next week). I alerted the Black Hat organizers to this fraudulent site, so I wouldn’t expect it to remain live much longer.