According to researchers at Kaspersky Lab, cybercriminals are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars.
Since 2005, the bad guys have been developing new data-stealing malware that is now a growing problem on the Internet. Some of these programs look for banking passwords, others hunt for on-line gaming credentials. But the fastest-growing data stealers are generic spying programs that try to steal as much information as possible from their victims, said Kaspersky Researcher Dmitry Bestuzhev, speaking at a press event.
In 2009, Kaspersky identified about 70,000 of these programs — twice as many as the year before, and close to three times the number of banking password stealing programs.
They're popular because criminals are starting to realize that they can do better than simply swiping credit card numbers. Bestuzhev has seen Gmail accounts for sale on Russian hacker forums, (asking price 2,500 rubles, or $82) RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials being offered.
Asking prices can vary greatly, depending on the name of the account and the number of followers, but attackers are looking for an initial, trusted, stepping stone from which to send malicious Twitter messages and, ideally, infect more machines.
Bestuzhev said that one Twitter account, with just over 320 followers, was offered at $1,000 in an underground hacker forum. The user's name was a simple three letter combination that Bestuzhev thought might make it more valuable to criminals. Compare that to an MSN account, which Bestuzhev has seen priced at €1 ($1.40). “The price for Twitter accounts is really high,” he said.
When the value of stolen credit cards and other types of credentials are added up, hackers can easily take in $1,000 worth of data from just one hacked computer, Bestuzhev said.
About 63% of all password stealing Trojan programs come from China, he said. The No. 2 source is Russia, which accounts for 12%.