As in the case of every ecosystem, as the ecosystem matures, specialization takes place. This is even true in the Deep & Dark Web. Flashpoint has recently encountered an example of this trend – A marketplace “Account Shop” that (a) specializes in online credentials only and (b) obtains them by taking “spent” logs from cybercriminals and scavenging them for online account access credentials.
Bank account takeover fraud represents the major source of income for financially motivated cybercriminals. It therefore follows that a large percentage of malicious activity on the Internet supports a singe objective: to steal authentication credentials, which may range from logins, passwords, and device IDs, to answers to security questions, or one-time tokens.
Just like in any commercial enterprise, limited resources are allocated to maximize returns. Laundering money from compromised accounts is by far the most labor-intensive process in the fraud chain. As the result, cybercriminal groups usually target compromising the banking accounts of a small number of financial institutions.
While the number of successfully compromised online banking accounts needs not be large, infected machines needed to harvest the credentials tend to involve tens or hundreds or thousands of infected personal computers. For example, consider a bank that has market share of 1% of all deposit accounts within a given territory. Statistically, in order to compromise 1 account, the criminal organization would need to infect 100 machines. If the criminal organization maintains the capacity to draw down 10 compromised accounts per week, the requirement becomes to infect 1,000 new machines each week.
Victims’ activity logs are periodically exfiltrated from the infected machines to the command-and-control server. The logs are then parsed for the needed information for the targeted institutions. Once the logins and passwords for the target institutions are extracted, the logs are considered “spent” even though they may contain a number of credentials for other institutions. However, the cybercriminals, focused on a specific target, see limited residual value in this additional information.
Enter the Scavengers
A relatively new trend is the appearance of reputable brokers who, like scavengers, sweep up spent logs from the cybercriminal community, parse them for all credentials, and post the results for sale. These brokers will start to play an increasingly important role in creating value for what was only recently considered waste.
An example of this trend is the nascent “Account Shop” marketplace. Its proprietors purchase spent logs in bulk, parse them for credential pairs, and lists the results on their website. Launched in July 2015 as a TOR website, the marketplace currently lists for sale online credentials for 110 US banks and credit unions, a range of online payment systems, and large retailers.
Given the exuberant reviews received since its launch, the marketplace can be expected to continue attracting both new customers and suppliers of botnet logs as it builds momentum. Assuming the business model proves viable, it is likely that other players will enter the market, providing technically unskilled fraudsters with an increasingly wide range of income opportunities.
The unfortunate adage goes: “You’ve been hacked, you just don’t know it yet.” In truth, even the criminals don’t know all that they have—thus far, most simply hadn’t bothered to check what they have access to. By all appearances, brokers of spent logs are motivated to find out.