Researchers at IBM have discovered two cyber crime rings that are advertising what we refer to as a “factory outlet” of login credentials for different websites, including Facebook, Twitter and a leading website administration software called cPanel.

Once it infects a machine, financial malware is configured to attack specific online banking websites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other websites and Web applications.

To monetize the login credentials that pile up, fraudsters have started setting up factory outlets to sell them off.

A New Type of Cyber Crime

In the advertisement below, cyber criminals are offering to sell login credentials to social networking sites that belong to users from all over the world. These can be purchased in bulk from specific countries (e.g., the United States, United Kingdom and Germany) and can even be coupled with additional personal information, such as email addresses.

Although these advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

In another so-called “credential factory outlet sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites.

Why would somebody want to buy credentials to manage someone else’s website remotely? One possible reason could be to plant malicious code on these sites to exploit browser vulnerabilities and infect machines through drive-by downloads. Luring unsuspecting users to such sites through phishing emails and social network messages is a common practice. Some cyber criminals have set up networks of websites loaded with exploit code and sell malware for drive-by download infections in bulk.

This latest development provides a window into the vast cyber crime aftermarket that has arisen on the Internet, made possible by sophisticated malware. Whether it’s bulk drive-by download infections, bulk login credentials or pre-built webinjects, criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises.

A layered approach to security that includes deterministic detection capabilities on the endpoint is now central to fighting cyber crime. This approach looks for specific malware crime logic footprints in real time before transactions are submitted, so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials, thus preventing them from ending up in the newly opened criminal factory outlets.

Information From Facebook

We contacted Facebook, Twitter and cPanel to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about its security measures. Here is a summary of the company’s response:

  • Facebook actively detects known malware on users’ devices to provide users with a self-remediation procedure, including the Scan-and-Repair malware scan.
  • Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct, to check for malicious activity. Analyzing every single login to the Facebook site has added a layer of security that protects users from threats both known and unknown.
  • Any spam found on the Facebook site should be reported.
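As an added illustration of the login-analysis idea in Facebook's response above (example code written for this post, not Facebook's system): a minimal triage that inspects every login attempt, successful or not, so that one source cycling through many purchased accounts, or a successful login from a country the account never uses, stands out. The event records, home countries and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, country, login_succeeded).
# A single source trying many different accounts, with mixed results, is the
# pattern left behind by someone working through a bulk list of stolen logins.
EVENTS = [
    ("203.0.113.5", "alice", "DE", False),
    ("203.0.113.5", "bob", "DE", True),
    ("203.0.113.5", "carol", "DE", False),
    ("203.0.113.5", "dave", "DE", True),
    ("203.0.113.5", "erin", "DE", False),
    ("198.51.100.7", "alice", "US", True),
    ("198.51.100.7", "alice", "US", True),
    ("192.0.2.9", "frank", "BR", True),
]

# Constructed "usual country" per account, as a real system would learn from history.
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "GB",
                "dave": "GB", "erin": "DE", "frank": "US"}


def flag_bulk_sources(events, min_accounts=4):
    """Return source IPs that attempted at least min_accounts distinct accounts.

    Failed attempts are counted too: waiting for successes only would hide
    the bulk pattern until the attacker already has a foothold.
    """
    accounts_by_ip = defaultdict(set)
    for ip, account, _country, _ok in events:
        accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}


def flag_new_geo_logins(events, home):
    """Return sorted (account, ip) pairs for successful logins from outside
    the account's usual country; these are the ones worth a step-up check."""
    return sorted({(acct, ip) for ip, acct, country, ok in events
                   if ok and acct in home and country != home[acct]})


def triage(events, home):
    """Combine both signals into one report for a reviewer or an automated responder."""
    return {"bulk_sources": sorted(flag_bulk_sources(events)),
            "geo_anomalies": flag_new_geo_logins(events, home)}


if __name__ == "__main__":
    print(triage(EVENTS, HOME_COUNTRY))
```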
