Fraudsters Selling Login Credentials for Facebook, Twitter in Bulk

Researchers at IBM have discovered two cyber crime rings that are advertising what we refer to as a “factory outlet” of login credentials for different websites, including Facebook, Twitter and cPanel, a leading website administration application.

Once it infects a machine, financial malware is typically configured to attack specific online banking websites. Beyond online banking credentials, however, the malware also captures the login credentials the victim enters on that machine for other websites and Web applications.

To monetize the login credentials that pile up, fraudsters have started setting up factory outlets to sell them off.

A New Type of Cyber Crime

In one advertisement, cyber criminals are offering to sell login credentials to social networking sites that belong to users from all over the world. These can be purchased in bulk from specific countries (e.g., the United States, United Kingdom and Germany) and can even be coupled with additional personal information, such as email addresses.


Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

In another so-called “credential factory outlet sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites.

Why would somebody want to buy credentials to manage someone else’s website remotely? One likely reason is to plant malicious code on these sites that exploits browser vulnerabilities and infects visitors’ machines through drive-by downloads. Luring unsuspecting users to such sites with phishing emails and social network messages is common practice. Some cyber criminals have set up networks of websites loaded with exploit code and sell drive-by download infections in bulk.

This latest development provides a window into the vast cyber crime aftermarket that has arisen on the Internet, made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials or pre-built webinjects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cyber crime. This approach looks in real time for the footprints of specific malware crime logic before a transaction is submitted, so the online banking application can block the fraud. It can also stop malware on an infected machine from stealing login credentials in the first place, keeping them out of the newly opened criminal factory outlets.

Information From Facebook

We contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about its security measures. Here is a summary of the company’s response:

  • Facebook actively detects known malware on users’ devices to provide users with a self-remediation procedure, including the Scan-and-Repair malware scan.
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects users from threats both known and unknown.
  • Any spam found on the Facebook site should be reported.
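The per-login analysis Facebook describes can be illustrated with a small example. The following is an added example written for this article, not Facebook’s or Trusteer’s code: it runs over a constructed, hypothetical login log (the line format, IP addresses and thresholds are all assumptions) and looks for two signs that bulk-purchased credentials are being replayed. The first is a single IP attempting logins for many distinct accounts, which is visible whether or not the passwords are correct; the second is an account with successful logins from two countries within a short window, where one of the sessions is likely the buyer of the credentials.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. Assumed format:
#   <ISO-8601 UTC timestamp> user=<name> ip=<addr> cc=<country> result=ok|fail
SAMPLE_LOG = [
    "2013-03-12T09:30:00Z user=bob ip=198.51.100.7 cc=DE result=ok",     # bob's own login
    "2013-03-12T10:00:01Z user=alice ip=203.0.113.5 cc=US result=fail",  # list replay starts
    "2013-03-12T10:00:03Z user=bob ip=203.0.113.5 cc=US result=ok",      # bought password works
    "2013-03-12T10:00:04Z user=carol ip=203.0.113.5 cc=US result=fail",
    "2013-03-12T10:00:06Z user=dave ip=203.0.113.5 cc=US result=fail",
    "2013-03-12T10:00:08Z user=erin ip=203.0.113.5 cc=US result=fail",
    "2013-03-12T10:20:00Z user=alice ip=198.51.100.20 cc=GB result=ok",  # alice's own login
]


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the assumed log format into a LoginEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=kv["user"],
        ip=kv["ip"],
        country=kv["cc"],
        success=(kv["result"] == "ok"),
    )


def find_stuffing_ips(events, min_users=5):
    """IPs that try logins for at least `min_users` distinct accounts.

    Failed attempts count too: a purchased list is replayed against every
    account on it, so the pattern shows up before any password succeeds.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}


def find_geo_velocity(events, window=timedelta(hours=1)):
    """Accounts with successful logins from two different countries within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e.success:
            by_user[e.user].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev.ts)
        for earlier, later in zip(evs, evs[1:]):
            if earlier.country != later.country and later.ts - earlier.ts <= window:
                flagged.add(user)
    return flagged


def analyze(lines):
    """Run both checks over raw log lines and return the flagged IPs and accounts."""
    events = [parse_line(line) for line in lines if line.strip()]
    return {
        "stuffing_ips": find_stuffing_ips(events),
        "geo_velocity_users": find_geo_velocity(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log the replaying IP 203.0.113.5 is flagged by the first check, and bob is flagged by the second because the bought password succeeded from the United States half an hour after his own login from Germany. In practice the thresholds and window would be tuned per site, and the per-account check would feed a step-up authentication or notification flow rather than a hard block.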
Amit Klein

CTO, Trusteer, an IBM company

As Trusteer’s CTO, Amit Klein is responsible for researching and introducing game changing technologies into Trusteer’s products, with particular focus on Trusteer’s enterprise solutions. Prior to that, Mr. Klein established, managed and grew the company’s security group, which is one of the world’s leading financial malware research groups. Prior to Trusteer, Mr. Klein was Chief Scientist at Cyota Inc. (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Mr. Klein researched technologies that prevent online fraud, phishing, and pharming and filed several patents in those areas. Prior to this, Mr. Klein worked as Director of Security and Research at Sanctum, Inc. (acquired by Watchfire, now part of IBM Security Systems), where he was responsible for the security content of all Sanctum products. Mr. Klein holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University of Jerusalem (through IDF’s Talpiot programme). Mr. Klein is a world-renowned security researcher, having published more than thirty articles, papers and technical notes on the topic of Internet security. He was named CTO of the Year by InfoWorld Magazine and has presented at many prestigious conferences including RSA US, FSISAC, OWASP, Microsoft BlueHat, InterOp USA, AusCERT and CertConf.