By default, most bot malware will extract any passwords stored in the victim PC’s browser, and will intercept and record any credentials submitted in Web forms, such as when a user enters his credit card number, address, etc. at an online retail shop. Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.
From a frankly scary article at the often-scary Krebs on Security site, via Boing Boing, where the process is summarized as follows:
Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums...
Increasingly, miscreants are setting up their own storefronts to sell stolen credentials for an entire shopping mall of online retail establishments. Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.
The person who writes the malware sells it to someone who's got a useful vector (a hacked website, say) for distributing it. The distributor extracts the ecommerce logins and flogs them to someone else who has access to a stooge who does freight forwarding. The freight forwarder acts as a dead-drop for some other crook who's wholesaling to dirty retailers, and so on.
I don't have a sense that law enforcement organizations have much success (or incentive) in pursuing such crime. It seems that the losses are soaked up by retailers and banks and then passed on back to customers in the form of higher prices, while in the meantime the malefactors continue their ways. But I might be wrong.