How much are 5 gigabyte of stolen data worth? Well, it depends how lazy a fraudster you are.
Until a few years ago, Trojans were hardly ever sold in the underground. If they did, their high price – thousands of dollars for a source code that came with little documentation – deterred the average criminal.
But recently malware developers started to listen to the market and created user-friendly, cost effective Trojan kits. Zeus, a popular high-grade Trojan, sells for less than $1000. The feature set is admirable, the anti-virus evasiveness level superb, and
for those slow on the technical side, customer support is typically provided.
In 2007, Limbo, which I told about
here, started to sell for under $350 in some fraud forums. It quickly became the entry-level Trojan for many harvesting fraudsters.
There was only one problem: unlike more sophisticated Trojans, Limbo lacked a critical component: custom parsing of data.
Trojans such as Limbo are generic in nature. They are triggered by certain URLs, but once inside that website they'll record everything and dump it in a big raw data file. Afterwards the fraudster needs to sift through vast amount of credentials to fish
the ones that are of interest. Automatic parsing of data isn’t provided.
Which means that unlike Phishing, credentials collected via low-cost, popular Trojans are in complete disarray.
Initially this didn’t impact the pricing for compromised online banking credentials. Determined fraudsters simply worked harder to trace their lucrative loot of high-value credentials.
But the less sophisticated fraudsters that got their hands on Limbo found it tiresome to go through all this huge pile of data.
So instead, you started seeing posts in fraud forums saying something like: "I got five gigs from Limbo. PM me with offers".
Today these posts are becoming quite common. One particular fraudster requests $300 for 1 GB of stolen credentials from Limbo targeting UK banks. The offer was actually checked by one of the respected members of a forum, who said he got a sample of a few
megabytes of data, that it was too tiresome to actually validate what was inside, and that nevertheless he's giving the "verified vendor" status to the fraudster since it seems OK.
But in the highly competitive world of the fraud economy, selling blind dumps isn't likely to have high demand. So, how about an alternative?
RSA FraudAction Research Lab discovered a great offering for those fraudsters too lazy to configure their Trojan. You can read about it
here.
In a nutshell, for as little as $10 you can buy a custom HTML injection kit for a specific target; it can even check the balance for you. The next thing I'm sure these shops will offer are parsing templates that can sift through your pile of stolen credentials
and grab the useful data from the mountain of recorded junk.
It's just a matter of time.