Once your PC is hacked, your ecommerce passwords go on sale at $2 a pop

Brian Krebs writes about how hackers have expanded the ways they extract value from compromised PCs. No longer is a compromised machine merely good for forming part of a botnet or forwarding spam. New strains of malware extract all your login/passwords for ecommerce sites, and these are then put on sale at $2 a throw on sites like Freshtools.

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.

Another store widely advertised in the Underweb (see screenshot above) pimps credentials for a far broader array of retailers, most of which can be had for $2, including amazon.com, apple.com, autotrader.co.uk, bestbuy.com, bloomgingdales.com, bol.com, cdw.com, drugstore.com, ebay.co.uk, ebay.com, facebook.com, gamestop.com, gumtree.com, kohls.com, logmein.com, lowes.com, macys.com, mylikes.com, newegg.com, next.co.uk.com, okpay.com, paypal.com, payza.com, runescape.com, sephora.com, skype.com, target.com, toysrus.com, ukash.com, verizon.com, walmart.com, xoom.com and zappos.com. Accounts at these retailers that have credit cards or bank accounts tied to them command higher prices.

This is a glimpse into the complex ecosystem of online crime. The person who writes the malware sells it to someone who's got a useful vector (a hacked website, say) for distributing it. The distributor extracts the ecommerce logins and flogs them to someone else who has access to a stooge who does freight forwarding. The freight forwarder acts as a dead-drop for some other crook who's wholesaling to dirty retailers, and so on. It's like a distributed badware version of Adam Smith's pin factory.

Exploring the Market for Stolen Passwords



        1. I do, but since I don’t have a credit card processor, you just have to send it to me, and trust that I will only spend $5 with it.

  1. I do not have the capacity to do this, but if someone would create it I would buy it. There should be a program where a person could enter all of their potential usernames and passwords and it does a search of the internet and tells you every e-commerce account (or any account for that matter) opened up by you at any time. That way you could go through and close accounts you forgot about and make sure your passwords are being updated to account for new advances in password cracking software. Internet, it is yours. Go forth, be fruitful and create.

  2. I am wondering if it would be possible to “hack” these SOB’s back by spewing out thousands of false usernames and passwords.  Thus diluting the value of the information.  Maybe even get those turkeys in trouble with their customers for selling bad product.  Sort of like releasing sterilized male mosquitoes who mate with fertile females but their eggs never hatch.

    1. It does say working accounts, so presumably they have some way to verify that the username/password combination works before they list it for sale.

      If you did have some way to feed the bad guys fake user/pass combos, you might set things up so that the password gets set to a new random password every 2-3 days, increasing the chances of it going ‘bad’ between the time it’s tested and the time of sale. The bad guys could work around that pretty easily, though (“New passwords, guaranteed less than six hours old”).

      A possible approach might be for retailers to release ‘tripwire’ accounts: a given username/password combo would appear to work, but any time that it was used, no goods would be shipped and the attacker’s details would be captured. Any other transactions originating from the same IP (or with the same browser fingerprint) would be flagged for review. Again, the bad guys could get around this by using botnets or Tor routers.

      This particular arms race is very hard to win.
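The tripwire-account idea from the comment above, sketched as an added example that is not part of the original thread: orders placed from a decoy account are held, the IP and browser fingerprint are captured, and any other order sharing either indicator is queued for review. The account names, event fields and sample events are constructed for illustration.

```python
from typing import NamedTuple

# Constructed decoy usernames a retailer might seed (hypothetical values).
TRIPWIRE_ACCOUNTS = {"decoy-4417@example.com", "decoy-9020@example.com"}

class Event(NamedTuple):
    kind: str           # "login" or "order"
    user: str
    ip: str
    fingerprint: str    # opaque browser-fingerprint hash
    order_id: str = ""

def triage(events):
    """Return (held, review, captured) for a list of events.

    held:     order ids placed from a tripwire account (never shipped)
    review:   order ids from other accounts that share an IP or a
              fingerprint with any tripwire use in the list
    captured: set of (ip, fingerprint) pairs seen using a tripwire account
    """
    # Pass 1: every use of a decoy account yields indicators.
    captured = {(e.ip, e.fingerprint) for e in events
                if e.user in TRIPWIRE_ACCOUNTS}
    bad_ips = {ip for ip, _ in captured}
    bad_fps = {fp for _, fp in captured}

    # Pass 2: classify orders, including ones placed before the decoy was used.
    held, review = [], []
    for e in events:
        if e.kind != "order":
            continue
        if e.user in TRIPWIRE_ACCOUNTS:
            held.append(e.order_id)
        elif e.ip in bad_ips or e.fingerprint in bad_fps:
            review.append(e.order_id)
    return held, review, captured

# Constructed sample events (documentation-range IP addresses).
SAMPLE = [
    Event("order", "alice@example.com", "198.51.100.7", "fp-a1", "A-100"),
    Event("login", "decoy-4417@example.com", "203.0.113.50", "fp-z9"),
    Event("order", "decoy-4417@example.com", "203.0.113.50", "fp-z9", "A-101"),
    Event("order", "bob@example.com", "203.0.113.50", "fp-b2", "A-102"),  # same IP
    Event("order", "carol@example.com", "192.0.2.33", "fp-z9", "A-103"),  # same fingerprint
    Event("order", "dave@example.com", "192.0.2.99", "fp-d4", "A-104"),   # unrelated
]

if __name__ == "__main__":
    held, review, captured = triage(SAMPLE)
    print("hold:", held, "| review:", review, "| captured:", sorted(captured))
```

Matching on the fingerprint as well as the IP is what catches the third order here, where the address has changed but the browser has not.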

  3. I have a stupid question. Why is a username and password without credit card info attached valuable? Why would anyone care that I’m catlady123 at Amazon, and my password is 1stinkyhouse!, if they can’t use that to order anything?

    1. Because lots of people have their credit card information stored online with Amazon (and other e-tailers), to facilitate things like one-click shopping.

      1.  But it says that accounts with credit card info attached go for a higher price. So doesn’t that imply that the ones they’re selling for the lower price don’t have credit card info attached?

        1.  It could be linked to an alternative payment system such as PayPal, or possibly the complete credit card info is stored in plaintext. Which sounds kind of crazy, I know, but who knows?

  4. So what’s the most common way of stealing passwords from an infected PC these days? Are they still using keyloggers or can they now crack the browser password cache?

    1. Seems like lately it’s trojans – usually Java trojans. Yet another reason to avoid Java on the endpoint, if Oracle’s ownership wasn’t enough.
