Exploring The Underground Credentials Market

Due to the difficulties of monetising stolen credit cards, fraudsters are turning to other data sources to gain illicit monetary advantage, says Amichai Shulman

Stolen accounts from health-provider services may be used for subscription drug trading or for health information compromise. The latter can be used in blackmail operations, targeted sting operations or even for sale as “targeted” marketing data for the healthcare market.

Of particular interest to attackers are credentials for webmail applications. First, once a webmail account is hacked, the criminal can scrape the victim’s address book and use those addresses in spam lists. Taking it a step further, the criminal can send phishing messages from the compromised account itself, lending them more credibility and increasing the success probability of the scam. Stolen webmail accounts may further allow the compromise of other credential sets through the password recovery feature of applications. This feature usually sends the credentials of an online application to an email account designated by the owner upon registration.

Sifting through the online underground channels, we see that not all webmail credentials are considered equal in the black market. The credentials of a Hotmail account may fetch a mere $1.50, while a Gmail account may fetch more than $80 per account. The latter is probably due to the wide variety of other cloud services that can be accessed through one’s Gmail credentials. These include anything from personal or corporate Google Docs through to corporate Google Analytics and even Webmaster Tools.

In the following screenshot, taken from a hackers’ data exchange forum, we see a sample of webmail username/password combinations as posted by a hacker on the Internet:

Also worth mentioning is the fact that the credentials a person uses for one application will most probably serve that person on other applications as well. This is driven by human nature and the limited ability to remember multiple credentials. Thus, it is not uncommon for people to use the same username and password for their Facebook account, their Twitter account and their airline frequent-flyer account. This is especially true for applications that encourage (or even instruct) their registrants to use their webmail address as the application account name.

Stolen credentials for social applications are nowadays considered to be of the highest value, as described at the beginning of the article. Credentials to these social applications fetch a high sum according to the popularity of the application. For example, the credentials to a Facebook account may fetch a higher price than those of a less-popular social application devoted to some niche community, as the hacked account may reach more users.

To complete the picture, the amount a social network account may fetch rises according to the “popularity” of the account in question. This means that a Twitter account with hundreds of followers will be worth more than a Twitter account with just a dozen followers. The inherent viral behaviour of social networks, together with real-time updates in search engines, makes stolen social network accounts most valuable.

Recently a hacker posted to a black market forum the option to purchase 32 million username/password combinations for different webmail accounts, obtained by exploiting a vulnerability in the RockYou.com site.

Honor amongst thieves

Needless to say, cyber-criminals need a place to sell and buy their online goods. Most of the online activity is performed in underground forums and IRC channels, although other, private channels such as instant messaging are also used. In this article we focus on the main marketplace – underground forums and IRC channels. Separate forums exist for just about any type of malicious online activity, such as viruses, botnets, phishing, credit card numbers or webmail credentials, to mention just a few. Similarly, IRC channels exist for each of these topics and others.

In the underground forum model, a user is required to log in to the forum. Each forum has an administrator who manages the forum and is responsible for the users’ trustworthiness scoring system. This is done through the administrator’s “sticky thread” mechanism, which defines the priority of a user’s message.