Research has discovered two cybercrime rings that are advertising a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel.

Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications.

To monetise the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off.

In the advertisement below, cybercriminals are offering to sell login credentials to social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80GB of stolen data from victims.

In another so called “Credential Factory Outlet Sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites. Why would somebody want to buy credentials to manage someone else’s web site remotely?

One possible reason could be to plant malicious code on these sites that can exploit browser vulnerabilities and infect machines through drive-by-downloads. Using phishing emails and social network messages cybercriminals can lure unsuspecting users to these sites. This is a common practice. Some cybercriminals have setup networks of web sites loaded with exploit code and sell malware drive-by download infections in bulk.

This latest development provides a window into the vast cybercrime aftermarket that has risen up on the internet and been made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials, pre-built web-injects, etc., criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cybercrime. This approach looks for specific malware Crime Logic footprints in real-time before transactions are submitted so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in these newly opened criminal ‘factory outlets.

I contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that I pass on some information about their site’s security measures. Here’s a summary of their response:

  • Facebook actively detects known malware on users’ devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct or not, to check for malicious activity. Analysing every single login to the Facebook site has added a layer of security that protects Facebook users from threats both known and unknown
  • Please advise your readers to report to Facebook any spam they find on the Facebook site.