27 December 2012

Passwords stolen from your computer will be sold for $2 each

By default, most bot malware will extract any passwords stored in the victim PC’s browser, and will intercept and record any credentials submitted in Web forms, such as when a user enters his credit card number, address, etc. at an online retail shop. Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums...

Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.
From a frankly scary article at the often-scary Krebs on Security site, via Boing Boing, where the process is summarized as follows:
The person who writes the malware sells it to someone who's got a useful vector (a hacked website, say) for distributing it. The distributor extracts the ecommerce logins and flogs them to someone else who has access to a stooge who does freight forwarding. The freight forwarder acts as a dead-drop for some other crook who's wholesaling to dirty retailers, and so on.
I don't have a sense that law enforcement organizations have much success (or incentive) in pursuing such crime.  It seems that the losses are soaked up by retailers and banks and then passed on back to customers in the form of higher prices, while in the meantime the malefactors continue their ways.  But I might be wrong.


  1. There is success as well:

    But yes these operations are very difficult to execute because offenders usually are out of jurisdiction.

  2. I sent this post to my son, who is a software engineer at Apple headquarters, and here is his (admittedly Mac-centric) response, which I think might interest you:

    This is just fearmongering. There's no reason for paranoia.

    1. There is no Mac malware that does any of that.
    2. This is only a vulnerability for Internet Explorer and Firefox users who store their passwords in the browser without setting a master password that controls access. Passwords in Mac web browsers like Safari and Chrome are stored in the Keychain, encrypted with the system password and therefore not accessible to any random malware, unless it can furthermore trick you into unlocking your keychain. If you're that gullible, you've already probably bought a few bridges in Brooklyn.
    3. None of this is remotely new or newsworthy. Malware has been able to record keystrokes and unsecured passwords stored in shitty, insecure web browsers on shitty, unsecured operating systems since there has been malware.

    Your best line of defense is, as always, not using Windows and not installing malware. The entire article reads a bit like, "Burglars in your house can steal your money and kidnap your daughter!" How about you don't let the burglars enter your house in the first place!?

    If burglars/malware are already inside your house/computer, there's no real limit to the damage they can do unless you shoot them/uninstall it. Just don't install unfamiliar software and you'll be fine.

  3. It sounds bad, but it's just a cost of doing business. Shoplifters get $13.5 billion in goods every year, none from Amazon. In a $15 trillion economy, it's a rounding error.



Related Posts Plugin for WordPress, Blogger...