
Cybercrooks set up ‘factory outlet’ for Facebook, Twitter login data



Cybercriminals have set up a “factory outlet” offering stolen login credentials for the social networking sites Facebook and Twitter, a computer security firm has disclosed.

Trusteer Research said it discovered two cybercrime rings advertising login credentials for different websites, including Facebook, Twitter and a leading website administration software called cPanel.

“In (their) advertisement... cybercriminals are offering to sell login credentials... belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses,” it said.

Trusteer indicated the Facebook and Twitter login credentials did not appear to be the main target of the cybercriminals. Instead, it said the login data was captured along with banking website data that the criminal gangs were primarily targeting.

“Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications,” it said.

“To monetize the login credentials that pile up, fraudsters have started setting up ‘Factory Outlets’ to sell them off,” it added.

It added that while the advertisements do not mention the number of infected machines, the fraudsters claim that they have 80 GB of stolen data from victims.

Trusteer cited another so-called “Credential Factory Outlet Sale” advertisement in which a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. “Specifically, the advertiser is offering cPanel credentials. cPanel is the leading control panel application used to manage hosted websites,” it said.

It said one possible reason for exploiting the cPanel credentials could be to plant malicious code on these sites that exploits browser vulnerabilities and infects machines through drive-by downloads.

“Using phishing emails and social network messages cybercriminals can lure unsuspecting users to these sites. This is a common practice. As we indicated in a previous Blog, some cybercriminals have setup networks of web sites loaded with exploit code and sell malware drive-by download infections in bulk,” Trusteer said.

Cybercrime aftermarket

Trusteer said this finding gives a glimpse of the vast cybercrime aftermarket made possible by sophisticated malware.

“Whether it’s bulk drive-by download infections, bulk login credentials, pre-built web-injects, etc., criminals today have an unprecedented arsenal of tools at their disposal to attack banks and enterprises,” it said.

It added that a layered approach to security, one that includes deterministic detection capabilities on the endpoint, is now central to fighting cybercrime. Such an approach looks for specific malware footprints in real time before transactions are submitted, so the online banking application can block fraud. It can also prevent malware on an infected machine from stealing login credentials in the first place, keeping them out of these newly opened criminal factory outlets, Trusteer said.

Facebook security

Trusteer said Facebook requested that it pass on some information about their site’s security measures, including:

- Facebook actively detects known malware on users’ devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan.
- Facebook has built robust internal systems that validate every single login to the Facebook site, regardless of whether the password is correct or not, to check for malicious activity.
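The second point above is the defensive idea that matters most for stolen-credential "outlets": a list bought in bulk is mostly stale, so the failed logins it produces are as telling as the successes. The following is an added illustration, written for this article and not Facebook's or Trusteer's code, of what "validating every login regardless of whether the password is correct" can mean in practice. The log format, the sample events (documentation-range IP addresses, fictitious account names) and the thresholds are all constructed for the example. It flags two patterns over a batch of login records: one source address walking through many distinct accounts in a short window, and one account that logs in successfully from two countries within an hour, which is how a credential sold from one country and used from another tends to show up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format for this example (not any real site's format):
#   <ISO timestamp> user=<account> ip=<address> cc=<ISO country> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"cc=(?P<cc>[A-Z]{2}) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


def parse_event(line: str) -> LoginEvent:
    """Parse one login record; raise ValueError on anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable login line: {line!r}")
    return LoginEvent(
        ts=datetime.fromisoformat(m["ts"]),
        user=m["user"],
        ip=m["ip"],
        country=m["cc"],
        success=m["result"] == "ok",
    )


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts attempted} for every source IP that tried at
    least `min_accounts` distinct accounts inside any `window`-long interval.
    Failed attempts count: the failures are the loudest signal of a bought list."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            if len({e.user for e in evs[start:end + 1]}) >= min_accounts:
                flagged[ip] = sorted({e.user for e in evs})
                break
    return flagged


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Return (user, earlier_country, later_country) for consecutive successful
    logins by one account from different countries less than `window` apart."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:  # only sessions that actually opened matter here
            by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= window:
                alerts.append((user, prev.country, cur.country))
    return alerts


def analyze(lines):
    """Parse a batch of login records and run both detectors over it."""
    events = [parse_event(line) for line in lines]
    return {
        "stuffing": detect_credential_stuffing(events),
        "travel": detect_impossible_travel(events),
    }


# Constructed sample data, deliberately out of time order to show the sorting.
SAMPLE_LINES = [
    # 198.51.100.23 sprays six accounts in under four minutes; only one password works
    "2012-02-01T10:00:00 user=alice ip=198.51.100.23 cc=DE result=fail",
    "2012-02-01T10:00:40 user=bob ip=198.51.100.23 cc=DE result=fail",
    "2012-02-01T10:01:20 user=carol ip=198.51.100.23 cc=DE result=ok",
    "2012-02-01T10:02:00 user=dave ip=198.51.100.23 cc=DE result=fail",
    "2012-02-01T10:02:40 user=erin ip=198.51.100.23 cc=DE result=fail",
    "2012-02-01T10:03:20 user=frank ip=198.51.100.23 cc=DE result=fail",
    # carol's own session from home, twenty minutes before the stolen password was used
    "2012-02-01T09:41:00 user=carol ip=203.0.113.7 cc=US result=ok",
    # an ordinary user mistyping once: one failure, one success, same place
    "2012-02-01T11:00:00 user=grace ip=203.0.113.9 cc=GB result=fail",
    "2012-02-01T11:00:30 user=grace ip=203.0.113.9 cc=GB result=ok",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

On the sample batch the spraying address is flagged with all six accounts it touched, and carol is flagged for a US-to-DE hop of about twenty minutes, while grace's single typo produces nothing. The thresholds (five accounts in ten minutes, one hour for the travel check) are starting points for illustration; on a real site they would be tuned against normal traffic, and the output would feed a step-up challenge or a forced password reset rather than an outright block.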
Facebook logins stolen with ease?

A separate article on PC World said Facebook login data may be stolen with ease. It noted that only weeks ago, an Israeli hacker released 100,000 Facebook login credentials belonging to Arab users as part of a tit-for-tat digital war between the country and its neighbors. — LBG, GMA News