Admin Credentials For Sale At Cybercrime Factories

Trusteer : 09 February, 2012  (Technical Article)
Trusteer discovers bulk sales of credentials for social networking sites through cybercrime "factory outlets"

Trusteer Research has discovered two cybercrime rings that are advertising what Trusteer CTO Amit Klein refers to as a "Factory Outlet" of login credentials for different web sites, including Facebook, Twitter and cPanel, a widely used control panel for administering hosted web sites.

Financial malware such as Zeus and SpyEye is configured, once it infects a machine, to attack specific online banking web sites. In addition to online banking credentials, the malware also captures the login credentials the victim's machine uses for other web sites and web applications.

To monetize the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off.

In one advertisement, cybercriminals offer login credentials for social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, filtered by country (e.g. USA, UK and Germany), and even bundled with additional personal information such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim to hold 80GB of data stolen from victims.

In another advertisement, billed as a "Credential Factory Outlet Sale", a botnet operator offers login details and URLs that would let a buyer take control of particular web sites: specifically, cPanel credentials. cPanel is a widely used control panel for managing hosted web sites. Why would somebody buy credentials to manage someone else's web site remotely?

"One possible reason could be to plant malicious code on these sites that can exploit browser vulnerabilities and infect machines through drive-by-downloads," says Klein. "Using phishing emails and social network messages cybercriminals can lure unsuspecting users to these sites. This is a common practice. As we indicated in a previous blog post, some cybercriminals have set up networks of web sites loaded with exploit code and sell malware drive-by download infections in bulk."

This latest development provides a window into the vast cybercrime aftermarket that has grown up on the internet, made possible by sophisticated malware. Whether it is bulk drive-by download infections, bulk login credentials or pre-built web-injects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

“A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cybercrime. This approach looks for specific malware Crime Logic footprints in real-time before transactions are submitted so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in these newly opened criminal ‘factory outlets’,” concludes Klein.

Trusteer contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this post. Facebook asked Trusteer to pass on some information about its site's security measures. Here is a summary of its response:

* Facebook actively detects known malware on users' devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan
* Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct or not, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects Facebook users from threats both known and unknown
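To make the second point concrete, here is an added example, written for this page and not Facebook's or Trusteer's code, that runs two checks over a constructed stream of login events, failed attempts included: one source trying many distinct accounts within a short window, which is what validating a purchased credential list looks like from the server side, and one account logging in successfully from two countries minutes apart. The event format, the thresholds and the sample data are all assumptions.

```python
"""
Login-stream checks in the spirit of "analyse every login, whether or not
the password was correct". Added illustration for this article; the event
fields, thresholds and sample data below are assumptions, not anyone's
production logic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values below)
    user: str
    src_ip: str
    country: str     # GeoIP country of src_ip, assumed already resolved
    success: bool


# Constructed sample stream: a normal user, one source testing a bought
# credential list (mostly failures, many distinct users, one IP), and one
# account used from two countries within minutes of each other.
SAMPLE = [
    LoginEvent(1000, "alice", "203.0.113.10", "US", True),
    LoginEvent(1300, "alice", "203.0.113.10", "US", True),
    # credential-list validation from a single source
    LoginEvent(2000, "bob",   "198.51.100.7", "DE", False),
    LoginEvent(2003, "carol", "198.51.100.7", "DE", False),
    LoginEvent(2006, "dave",  "198.51.100.7", "DE", True),
    LoginEvent(2009, "erin",  "198.51.100.7", "DE", False),
    LoginEvent(2012, "frank", "198.51.100.7", "DE", False),
    LoginEvent(2015, "grace", "198.51.100.7", "DE", False),
    # account taken over: two countries a few minutes apart
    LoginEvent(3000, "heidi", "192.0.2.44",   "GB", True),
    LoginEvent(3200, "heidi", "198.51.100.9", "BR", True),
]


def sources_testing_many_accounts(events, window=60, min_users=5):
    """Return {src_ip: set_of_users} for every source that attempted at
    least `min_users` distinct accounts inside some sliding window of
    `window` seconds. Failed attempts count: a buyer checking a stolen
    list produces mostly failures, which a success-only view never sees."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {e.user for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def accounts_with_impossible_travel(events, window=3600):
    """Return {user: [(from_country, to_country), ...]} for accounts with
    two successful logins from different countries within `window` seconds,
    the pattern a purchased, still-valid credential produces when the buyer
    uses it while the real owner is also active."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.success:
            by_user[e.user].append(e)
    flagged = defaultdict(list)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur.country != prev.country and cur.ts - prev.ts <= window:
                flagged[user].append((prev.country, cur.country))
    return dict(flagged)


if __name__ == "__main__":
    print("sources spraying accounts:", sources_testing_many_accounts(SAMPLE))
    print("impossible travel:", accounts_with_impossible_travel(SAMPLE))
```

The first check is the one that depends on seeing failed logins: dropping the `success=False` events from the sample leaves the spraying source with a single successful attempt and nothing to flag. In practice the thresholds would be tuned per site and combined with other signals (device, session age, rate per account), which this example does not attempt.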
