Researchers at IBM have discovered two cyber crime rings that are advertising what we refer to as a “factory outlet” of login credentials for different websites, including Facebook, Twitter and a leading website administration software called cPanel.

Once it infects a machine, financial malware is configured to attack specific online banking websites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other websites and Web applications.

To monetize the login credentials that pile up, fraudsters have started setting up factory outlets to sell them off.

A New Type of Cyber Crime

In the advertisement below, cyber criminals are offering to sell login credentials to social networking sites that belong to users from all over the world. These can be purchased in bulk from specific countries (e.g., the United States, United Kingdom and Germany) and can even be coupled with additional personal information, such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

In another so-called “credential factory outlet sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites.

Why would somebody want to buy credentials to manage someone else’s website remotely? One possible reason could be to plant malicious code on these sites to exploit browser vulnerabilities and infect machines through drive-by downloads. Using phishing emails and social network messages, cyber criminals can lure unsuspecting users to these sites, a common practice. Some cyber criminals have set up networks of websites loaded with exploit code and sell malware for drive-by download infections in bulk.

This latest development provides a window into the vast cyber crime aftermarket that has risen on the Internet, which is made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials or pre-built webinjects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cyber crime. This approach looks for specific malware crime logic footprints in real time before transactions are submitted, so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in the newly opened criminal factory outlets.

Information From Facebook

We contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about its security measures. Here is a summary of the company’s response:

  • Facebook actively detects known malware on users’ devices to provide users with a self-remediation procedure, including the Scan-and-Repair malware scan.
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects users from threats both known and unknown.
  • Any spam found on the Facebook site should be reported.

More from Malware

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…