Most of the “popular” Internet botnets are quite adept at identity and credential theft. Granted, this is usually just the first phase of a successful botnet breach and the lowest hanging (digital) fruit, but it remains one of the more profitable data streams for the botnet’s criminal operators.
However, there’s a big gap between criminals who know how to build a botnet and automatically steal tens of thousands of identities, and those who are capable of really monetizing the stolen credentials. In most cases the folks who can turn a stolen identity (or the keys to an online bank account) into cold hard cash aren’t the same as the folks tuning the scripts behind the latest e-banking phishing scam or banking Trojan.
So, if you happen to be a semi-skilled botnet operator with control over 50,000 victim computers and along the way have managed to extract some 40,000 user identities and 2,000 online banking credentials, the question quickly becomes “how do I find someone willing to pay me for this data?”
You could go to any number of hacker or carder Web sites and offer your goodies up for sale there. That’s getting a little tougher nowadays though. Many of these “hacker” sites are run by (or cooperate with) law enforcement. Details about who you are, where you’re connecting from, how big a player you are, etc. are all up for grabs and, as such, these forums have increasingly become “less reliable” over the last 3-5 years.
Paste Bins
One increasingly popular vehicle for botnet operators and identity thieves to “advertise” their latest caches of stolen goodies is the paste bin. Paste bin sites were originally conceived as places where developers could conveniently share source code and other notes without having to worry too much about the code’s formatting getting corrupted, and to bypass many of the problems associated with trying to share code segments over email, HTML formatting, and long streams of source code.
Apart from the ability to host a lot of textual information for free – making it ripe for spam abuse – paste bins typically allow visitors to make anonymous postings, which is ideal for botnet criminals seeking buyers for their stolen data.
Anyhow, I was discussing this aspect of paste bins with a colleague here at the office earlier today and figured I’d share some information about how paste bins are being used to perpetuate crime, and how their popularity has been increasing.
Paste bins are also very interesting from a threat research perspective. Despite being anonymous, they typically have well indexed pages – which means that they’re very easy to search.
For example, if you’re in the market for some stolen credentials you’ll find thousands of advertising posts such as the following:

As you’d expect, there is plenty of information out there and up for sale and the sellers are easy enough to track down and engage in conversation – offering up email addresses, ICQ/IRC numbers, phone numbers, etc.
In general, credentials and stolen banking details are sold in batches (i.e. in bulk), and most of the advertisers provide a lot of detail about the quality/freshness/scope of their data. For example, the following depicts the level of detail associated with the credit cards that are available (in batches of 1,000 cards).

I’ve pixelated some of the example above (and below) to hide the real victims’ credentials that have been offered up by the criminal as a sample. In many cases the criminals doing the advertising have so much data available for sale that they display swathes of samples – typically designed to show the depth of detail and “freshness” of the stolen credentials. For example, the following criminal is selling batches of stolen MasterCard credentials…

How do you uncover these details? Well, there’s the easy way and then there’s the hard way. The easy way is to visit the various paste bin Web sites and use their local search engine to hunt for key words such as “MasterCard” or “CardType:” etc.
Then there’s the hard way – you can use Google. OK, so it’s not really that hard. The point is that it’s easy to uncover these criminal advertisements. For example, the following reveals 800+ recent ads on the popular Pastebin.com site…

It’s important to point out that these advertisements aren’t exclusive to the various paste bin sites – they’re just another vehicle for the criminals to hook up with other criminals and sell their stolen goodies. For example, doing a search for just one of the stolen (but freely available) MasterCard numbers offered up in the earlier screen shot revealed another 127 different sites hosting the same criminal ad.
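For a defender who monitors paste sites for leaked data, the keyword markers mentioned above (“MasterCard”, “CardType:”) are more reliable when paired with a checksum test on any card-like numbers in the paste. The following is an added example, not code from the original post: the function names are hypothetical, the sample paste is constructed, and its numbers are published test card numbers. Findings are masked so a report never carries a full number.

```python
import re

# Keyword markers the post names as search terms for card-dump adverts.
KEYWORDS = ("mastercard", "cardtype:")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def is_mastercard(digits: str) -> bool:
    """MasterCard PANs are 16 digits starting 51-55 or 2221-2720."""
    return len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720)


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def triage_paste(text: str) -> dict:
    """Summarise a paste: keyword hits plus masked, Luhn-valid card numbers."""
    lowered = text.lower()
    hits = [k for k in KEYWORDS if k in lowered]
    cards = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # random digit runs fail this about 90% of the time
            brand = "MasterCard" if is_mastercard(digits) else "other"
            cards.append((brand, mask(digits)))
    return {"keywords": hits, "cards": cards, "suspicious": bool(hits and cards)}


# Constructed sample paste; the first two numbers are published test PANs,
# the third is the first with its check digit altered so that it fails Luhn.
SAMPLE = """CardType: MasterCard
Number: 5555 5555 5555 4444
Number: 4111-1111-1111-1111
Number: 5555 5555 5555 4445
"""

if __name__ == "__main__":
    print(triage_paste(SAMPLE))
```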
You’ll find the paste bin sites being abused in a lot of different ways, but they’re increasingly being used as a convenient source of anonymous criminal advertising and for sharing stolen data (both encrypted and unencrypted).
Meanwhile, simple Google searches such as “facebook.com site:pastebay.com” will yield lists of thousands of stolen Facebook credentials…

I’m hoping that the various paste bin providers will help clean up the situation – but I’m not planning on holding my breath while they do so.
– Gunter Ollmann, VP Research