1.5 million Facebook accounts offered for sale - FAQ

Summary: VeriSign's iDefense Intelligence Operations Team has spotted an underground market ad offering 1.5m Facebook accounts for sale.


In their latest "Weekly Threat report", VeriSign's iDefense Intelligence Operations Team has profiled the underground market proposition of someone claiming to have 1.5 million compromised Facebook accounts available for sale.

The pricing method is based on the number of contacts per compromised account, presumably with the idea to allow easier spreading of related malicious content across Facebook.

Here's an excerpt from the report, and a brief FAQ on the underground ad.

  • "On Feb. 10, 2010, (cybercriminal) stated that he or she is selling 1.5 million compromised Facebook accounts, in bulk quantities, belonging to users in various countries. The price per 1,000 accounts varies based upon the number of friends and contacts that each account possesses. For a purchase of compromised accounts containing 10 contacts or fewer, a buyer must pay $25 per 1,000 accounts. A purchase of compromised accounts containing 10 or more contacts requires a buyer to pay $45 per 1,000 accounts. Accounts containing zero contacts are also available for bulk purchasing from (cybercriminal), at the cost of $15 per 1,000 accounts. The prices of these accounts are presumably in USD or the equivalent amount in some form of electronic currency."

Sometimes, there's no honor among cybercriminals (Phishers increasingly scamming other phishers), just like there isn't among "real life" thieves.

From the distribution of backdoored web interfaces to web malware exploitation kits, to the actual "binding" of additional malware to the original release, sophisticated, or at least experienced, cybercriminals have realized that there are thousands of potential cybercriminals who could unknowingly start working for them. The process of "cybercriminals attempting to scam novice cybercriminals" demonstrates just how vibrant the ecosystem has become these days.

With a huge percentage of the underground marketplace driven by reputation, this is exactly what this particular seller of Facebook data is missing. Moreover, with quality assurance now an inseparable part of the cybercrime ecosystem, the seller is not just omitting the time frame within which the accounts were compromised, he is also not mentioning how many of them are actually verified as working.

These and several other factors make me skeptical about the quality of this underground proposition.

If we consider the cybercriminal's claims to be true, how did he manage to obtain 1.5 million Facebook accounts?

The ad clearly states that there are accounts with contacts, meaning they're compromised, and others with zero contacts, meaning they've been automatically generated by outsourcing the CAPTCHA-solving process to international teams specializing in the process.

The compromised accounts could have been obtained through the emerging Cybercrime-as-a-Service (CaaS) market model. For instance, if he has paid $100 for 3GB of raw crimeware data, and the data mining allowed him to compile a list of 1.5m Facebook accounts, based on the current price, he'll automatically break even.

Phishing campaigns shouldn't be excluded as a possibility; however, it remains unclear whether the seller has launched them personally, or managed to purchase the raw data from someone else.

What kind of a business model within the cybercrime ecosystem would allow him to sell the data so cheaply, and still make a profit?

It's a business model with an ever-decreasing cost of supply, based on the currently active "malicious economies of scale" phrase. This efficiency-driven cybercrime model is in fact so successful, that whether consciously or subconsciously, cybercriminals are realizing the basics of market liquidity, and the time value of "underground goods", in particular the decreasing future value of assets like the Facebook accounts -- the value becomes zero when the affected user changes his password from a malware-free host.

Why would a cybercriminal want access to your Facebook account?

For a variety of fraudulent reasons, all of them exploiting the already established trust relationship between the compromised account's holder and his network of friends.

From "money transfer schemes" where the fraudster is supposedly stuck somewhere and requires cash, to a malware campaign relying on nothing else but a status message leading to a site serving client-side exploits. Your network of friends turns into his network for propagation of fraudulent/malicious schemes and campaigns.

VeriSign's iDefense also makes an interesting observation.

With Facebook's user base growing to 300 million people across the globe, this indispensable marketing platform can be easily integrated into the cybercriminal's arsenal, with localized and targeted social engineering attacks relying on basic market segmentation, launched with the idea to achieve a higher conversion rate, compared to mass marketing approaches.

Fact or fiction, based on the ad's content, this is perhaps the perfect time to change your Facebook password from a malware-free host, since a strong password is just as weak as a weak one if there's malicious code present on the system.

Topics: Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • I wonder how much J Perlow's account was worth?

    Weight loss seminar

    Eat less, do more.

    That'll be $19.95, thanks.
    • How much is his annual pizza bill?

      ! :)
      Graham Ellison
    • First thing I thought

      That was the first thing I thought when I read this headline in my RSS feed this morning...
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    what won't people do to make money?
    • Wait.

    • But how do you make money buying them?

      Are people putting their Credit Card numbers on FB? SSN's? What can you do with an address and a name that you can find millions of from so many other forums/county public records sites?

      If you are ignorant enough (not dumb, because you believe it is secure and it should be) to allow info on there other than what can be found elsewhere, without your choice, you were/are bound to get exposed somewhere other than FB.

      Give your Credit Card to a restaurant to run a tab and they can easily get you - even if you run it at a convenience store or anywhere, you can be taken.

      Why is it that all news outlets want to focus on seemingly huge issues, when the impact is far less than implied? I hate news that tries to scare you into action - like Global Warming, er, I mean Climate change (2010 is the coldest avg. temps for much of the US over the past 30 years or more).

      Polar bears are not almost extinct, polar caps are not melting all over and are in fact growing in structure overall. Let's all build bomb shelters and canned food to last a lifetime.

      Just walking out your door there is a chance you will get ripped off. No sense living in a state of paranoia. Make others think about armageddon - that is where the money is, right oh inventor of the Internet?
      • Identity theft and low tech theft

        It's not about credit card theft (nor climate change, btw), it's about identity theft.

        Just some 6 months ago, a very good friend contacted me via FB, telling me that she got stranded in England after being mugged there and needed money to get home. In the beginning, it was indeed very convincing; however the person became a bit too pushy ("she" chatted with me via FB - so I had a live person that I spoke to) and I started to get some doubts.

        Anyway, I soon realized the scam and called my friend directly over the phone in Pittsburg. She then informed FB, after she realized that she couldn't even access her own account anymore.

        The crooks tried this with a bunch of her friends and actually managed to get $500 through Western Union from one. British Police tried to help but couldn't.

        It's a low tech method, indeed, and I am sure that there are much more sophisticated ways to monetize those stolen accounts.
    • work

      Get an honest job; people are falling for the same get rich schemes every day. And, as long as people are willing to part with their money, other people will use some scheme to help them, malware is a handy way to let lots of people know someone is out there willing to help them waste their money.
  • "Why would a cybercriminal want access to your Facebook account?"

    Simple. Gift more Farmville goodies to the scammers real
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    I'm sorry I signed up for facebook now. I'm going to cancel my account.
    • This by itself isn't reason to leave FB

      1.5 million accounts is less than 1/2 of 1 percent of Facebook users.
      There are plenty of other reasons to leave FB, but this is one only when
      added to the others.
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    You mean people will pay to know what I had for breakfast? Cool
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    It just goes to show that emperor actually wears no clothes.
    From weak passwords to malware as a service.
    The Internet is rapidly becoming the venue of choice for criminal activity.
    Really sux though!
    • I wouldn't worry too much

      Don't forget the guys that write this column make their living off making huge mountains out of tiny molehills.
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    These limitations of asciii-code when usciiiiii-code is the solution ready for the next generation of real intelligent and smartended computers without all these ascii-code and English lexical code imitations.
    Let's see how he or anyone can get my voiceprint special signin signature or my custom fingerprint signature or eyeprint and not just ascii code as security.
    • no login method is 100% secure . . .

      all of those things must still be converted to the digital,
      and as soon as it becomes digital it can be captured / logged by malware, spyware, etc. installed on the machine that captured & processed the login info

      there probably isn't any malware / spyware etc. yet capable of capturing such info as it's not in common use but if / when it becomes common use
      there will be a flood of new malware / spyware written to capture the new login methods

      > a clean system is the first step to preventing password theft
      > next is using a hard to crack password, including when allowed, using the alt + 3 digit & 4 digit extended character sets:
      alt+127 to 254
      alt+0127 to 0254

      both sets have many common characters but are produced by a different number
      alt+148 isn't the same as alt+0148
      alt+148 is the same as alt+0246
      Who Am I Really
      • Although what he said WAS pure BS, you're not totally right either.

        As long as you have some shared secret to begin with (like the key used in HTTPS), you can send whatever your password is, encrypted, and merged with some pseudo-random value
        so that it can't be replayed. This will work whether the source of the password is something you wrote on your keyboard, or your fingerprints, or whatever.
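
The replay protection described in the comment above, as an added example that is not part of the original thread. It swaps in an HMAC over a single-use server nonce rather than encrypting the password itself; the `Server` class, `client_response` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


class Server:
    """Verifier side: issues single-use nonces and checks responses."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted once, so a captured (nonce, response)
        # pair cannot be presented a second time.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: proves knowledge of the key without transmitting it."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    # Constructed sample secret; a real deployment would provision this securely.
    key = hashlib.sha256(b"constructed-sample-secret").digest()
    server = Server(key)

    n1 = server.challenge()
    r1 = client_response(key, n1)
    first = server.verify(n1, r1)   # legitimate login succeeds
    replay = server.verify(n1, r1)  # same capture sent again is rejected
    n2 = server.challenge()
    stale = server.verify(n2, r1)   # old response fails against a fresh nonce
    return {"first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

This covers replay of traffic captured on the network only; it does nothing about code on the endpoint reading the secret before it is used, which is the parent comment's point.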
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    The real compromise to Facebook came when uninvited and strange friends began appearing and messages to attend unheard of events, and requests for support were pouring in. that is when I closed my account and reopened one as an esoteric person.
  • RE: 1.5 million Facebook accounts offered for sale - FAQ

    Does anyone remember when the internet was an "INFORMATION" highway?
    • Re: Information SuperHighway

      It still is mmeade...only it's YOUR information, and hackers are selling it for pennies on the dollar ;-)