February 8, 2012 By Amit Klein 3 min read

Researchers at IBM have discovered two cyber crime rings that are advertising what we refer to as a “factory outlet” of login credentials for different websites, including Facebook, Twitter and a leading website administration software called cPanel.

Once it infects a machine, financial malware is configured to attack specific online banking websites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other websites and Web applications.

To monetize the login credentials that pile up, fraudsters have started setting up factory outlets to sell them off.

A New Type of Cyber Crime

In the advertisement below, cyber criminals are offering to sell login credentials to social networking sites that belong to users from all over the world. These can be purchased in bulk from specific countries (e.g., the United States, United Kingdom and Germany) and can even be coupled with additional personal information, such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

In another so-called “credential factory outlet sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites.

Why would somebody want to buy credentials to manage someone else’s website remotely? One possible reason could be to plant malicious code on these sites to exploit browser vulnerabilities and infect machines through drive-by downloads. Luring unsuspecting users to such sites with phishing emails and social network messages is a common practice. Some cyber criminals have set up networks of websites loaded with exploit code and sell malware for drive-by download infections in bulk.

This latest development provides a window into the vast cyber crime aftermarket that has arisen on the Internet, made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials or pre-built webinjects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cyber crime. This approach looks for specific malware crime logic footprints in real time before transactions are submitted, so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in the newly opened criminal factory outlets.

Information From Facebook

We contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about its security measures. Here is a summary of the company’s response:

  • Facebook actively detects known malware on users’ devices to provide users with a self-remediation procedure, including the Scan-and-Repair malware scan.
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects users from threats both known and unknown.
  • Any spam found on the Facebook site should be reported.
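As an added illustration of the "validate every login regardless of whether the password is correct" idea in the summary above (example code written for this post, not Facebook's system; the thresholds, IP addresses and login events are constructed):

```python
from collections import defaultdict

# Constructed sample login events (not real data): (account, source_ip, country, password_ok)
EVENTS = [
    ("alice", "203.0.113.10", "US", True),
    ("alice", "203.0.113.10", "US", True),
    ("bob", "198.51.100.7", "DE", False),
    ("carol", "198.51.100.7", "DE", False),
    ("dave", "198.51.100.7", "DE", True),
    ("erin", "198.51.100.7", "DE", False),
    ("frank", "198.51.100.7", "DE", False),
    ("bob", "192.0.2.44", "GB", True),
    ("bob", "192.0.2.45", "BR", True),
    ("bob", "192.0.2.46", "JP", True),
]


def analyze_logins(events, max_accounts_per_ip=3, max_countries_per_account=2):
    """Inspect every login attempt, successful or not, and return
    (source IPs trying many distinct accounts, accounts used from many countries)."""
    accounts_by_ip = defaultdict(set)
    countries_by_account = defaultdict(set)
    for account, ip, country, ok in events:
        # Failed attempts are kept: a source working through a list of
        # stolen credentials produces mostly failures before any success.
        accounts_by_ip[ip].add(account)
        if ok:
            # Only successful logins establish where an account is used from.
            countries_by_account[account].add(country)
    flagged_ips = sorted(ip for ip, a in accounts_by_ip.items() if len(a) > max_accounts_per_ip)
    flagged_accounts = sorted(a for a, c in countries_by_account.items()
                              if len(c) > max_countries_per_account)
    return flagged_ips, flagged_accounts


def successes_only(events, max_accounts_per_ip=3):
    """The same per-IP check restricted to successful logins, to show what is missed
    when failed attempts are ignored."""
    accounts_by_ip = defaultdict(set)
    for account, ip, _country, ok in events:
        if ok:
            accounts_by_ip[ip].add(account)
    return sorted(ip for ip, a in accounts_by_ip.items() if len(a) > max_accounts_per_ip)


if __name__ == "__main__":
    print(analyze_logins(EVENTS))   # (['198.51.100.7'], ['bob'])
    print(successes_only(EVENTS))   # []
```

The source that cycled through five accounts is only visible when failed attempts are counted; looking at successful logins alone, it blends in with normal traffic.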
