February 8, 2012 By Amit Klein 3 min read

Researchers at IBM have discovered two cyber crime rings that are advertising what we refer to as a “factory outlet” of login credentials for different websites, including Facebook, Twitter and a leading website administration software called cPanel.

Once it infects a machine, financial malware is configured to attack specific online banking websites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other websites and Web applications.

To monetize the login credentials that pile up, fraudsters have started setting up factory outlets to sell them off.

A New Type of Cyber Crime

In the advertisement below, cyber criminals are offering to sell login credentials to social networking sites that belong to users from all over the world. These can be purchased in bulk from specific countries (e.g., the United States, United Kingdom and Germany) and can even be coupled with additional personal information, such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

In another so-called “credential factory outlet sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites.

Why would somebody want to buy credentials to manage someone else’s website remotely? One possible reason is to plant malicious code on these sites that exploits browser vulnerabilities and infects visitors’ machines through drive-by downloads. Luring unsuspecting users to such sites with phishing emails and social network messages is common practice, and some cyber criminals have set up networks of websites loaded with exploit code and sell drive-by download infections in bulk.

This latest development provides a window into the vast cyber crime aftermarket that has arisen on the Internet, made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials or pre-built webinjects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cyber crime. This approach looks for specific malware crime logic footprints in real time before transactions are submitted, so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in the newly opened criminal factory outlets.

Information From Facebook

We contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about its security measures. Here is a summary of the company’s response:

  • Facebook actively detects known malware on users’ devices to provide users with a self-remediation procedure, including the Scan-and-Repair malware scan.
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects users from threats both known and unknown.
  • Any spam found on the Facebook site should be reported.
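The second bullet describes analysing every login attempt, successful or not, for signs of abuse. The following is an added illustration (not Facebook’s or IBM’s code) of two checks a site could run over its own authentication events when stolen credentials are being tried in bulk: a successful login from a country the account has never used, and a single source address working through many different accounts regardless of whether the passwords are right. All events, user names and addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    src_ip: str
    country: str
    success: bool


# Constructed sample data: the countries each account has historically
# logged in from, used as the per-user baseline.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}, "carol": {"GB"}}

# Constructed sample authentication events (documentation-range IPs).
EVENTS = [
    LoginEvent("alice", "198.51.100.7", "US", True),   # normal login
    LoginEvent("alice", "203.0.113.9", "RU", False),   # wrong password, new country
    LoginEvent("bob", "203.0.113.9", "RU", False),     # wrong password
    LoginEvent("carol", "203.0.113.9", "RU", True),    # stolen credential worked
    LoginEvent("dave", "203.0.113.9", "RU", False),    # account with no baseline
]


def flag_new_country_success(events, known):
    """Successful logins from a country the account has never used before."""
    return [
        e for e in events
        if e.success and e.country not in known.get(e.user, set())
    ]


def flag_spraying_sources(events, min_accounts=3):
    """Source IPs that attempted at least min_accounts distinct accounts.

    Failed attempts count as well: a bulk credential list produces many
    failures around the few logins that still work, so ignoring failures
    would hide the pattern.
    """
    accounts_by_ip = defaultdict(set)
    for e in events:
        accounts_by_ip[e.src_ip].add(e.user)
    return {
        ip: sorted(users)
        for ip, users in accounts_by_ip.items()
        if len(users) >= min_accounts
    }
```

With the sample data, the first check singles out carol’s login from RU and the second reports 203.0.113.9 as having tried four accounts, which together point at the same source even though only one attempt succeeded.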
