Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop


16 Responses to “Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop”

  1. Funk Daddy says:

    $2 !…

    I feel as a victim I am being under-valued by my assailant 

  2. tyger11 says:

    It’s capitalism, baby!

  3. Finnagain says:

    Can I buy my passwords back?

  4. I do not have the capacity to do this, but if someone would create it I would buy it. There should be a program where a person could enter all of their potential usernames and passwords and it does a search of the internet and tells you every e-commerce account (or any account for that matter) opened up by you at any time. That way you could go through and close accounts you forgot about and make sure your passwords are being updated to account for new advances in password cracking software. Internet it is yours. Go forth, be fruitful and create.

  5. Eark_the_Bunny says:

    I am wondering if it would be possible to “hack” these SOB’s back by spewing out thousands of false usernames and passwords.  Thus diluting the value of the information.  Maybe even get those turkeys in trouble with their customers for selling bad product.  Sort of like releasing sterilized male mosquitoes who mate with fertile females but their eggs never hatch.

    • angusm says:

      It does say working accounts, so presumably they have some way to verify that the username/password combination works before they list it for sale.

      If you did have some way to feed the bad guys fake user/pass combos, you might set things up so that the password gets set to a new random password every 2-3 days, increasing the chances of it going ‘bad’ between the time it’s tested and the time of sale. The bad guys could work around that pretty easily, though (“New passwords, guaranteed less than six hours old”).

      A possible approach might be for retailers to release ‘tripwire’ accounts: a given username/password combo would appear to work, but any time that it was used, no goods would be shipped and the attacker’s details would be captured. Any other transactions originating from the same IP (or with the same browser fingerprint) would be flagged for review. Again, the bad guys could get around this by using botnets or Tor routers.

      This particular arms race is very hard to win.

  6. Tracy_Flick says:

    I have a stupid question. Why is a username and password without credit card info attached valuable? Why would anyone care that I’m catlady123 at Amazon, and my password is 1stinkyhouse!, if they can’t use that to order anything?

    • Halloween_Jack says:

      Because lots of people have their credit card information stored online with Amazon (and other e-tailers), to facilitate things like one-click shopping.

      • Tracy_Flick says:

         But it says that accounts with credit card info attached go for a higher price. So doesn’t that imply that the ones they’re selling for the lower price don’t have credit card info attached?

        • Halloween_Jack says:

           It could be linked to an alternative payment system such as PayPal, or possibly the complete credit card info is stored in plaintext. Which sounds kind of crazy, I know, but who knows?

  7. bolamig says:

    So what’s the most common way of stealing passwords from an infected PC these days? Are they still using keyloggers or can they now crack the browser password cache?

    • Charlie B says:

      Seems like lately it’s trojans – usually Java trojans. Yet another reason to avoid Java on the endpoint, if Oracle’s ownership wasn’t enough.

  8. Bob Harvey says:

    How do I sell them? I could make a living making emails and selling the passwords.
