
Researchers hijack botnet, score 56,000 passwords in an hour - alexandros
http://arstechnica.com/security/news/2009/05/researchers-hijack-botnet-score-56000-passwords-in-an-hour.ars
======
CalmQuiet
OK, it's great to be able to crack the crackers...

The Ars summary of the report seems strange (I've not read the whole pdf) in a
couple ways:

They talk about percentages of _private behavior_ getting scooped, but not
about percentages or numbers of credit card or bank account users/passwords
(which they indicate were the primary targets of the botnets).

And weirdly, Ars says, "Torpig controllers may have exploited these
credentials for between $83,000 and $8.3 million during that time period..."
Funny numbers. It just _happens_ that the range is 8.3 x 10^4 to 8.3 x 10^6?
Makes me wonder about overall accuracy of post/report.

~~~
aneesh
Well, Torpig obtained credentials for 8310 accounts, so I'm guessing that's
just a $10-1000 estimate of the loss per account. But from my experience,
$1000 per compromised account seems quite a bit on the high side for credit
card accounts (I have no idea about average loss for stolen brokerage
accounts).

Edit: From the pdf

 _"A report by Symantec [37] indicated (loose) ranges of prices for common
goods and, in particular, priced credit cards between $0.10-$25 and bank
accounts from $10-$1,000. If these figures are accurate, in ten days of
activity, the Torpig controllers may have profited anywhere between $83k and
$8.3M."_

As an aside, these amounts are a good reason you should use your credit card
instead of your debit card.

------
jmatt
_The researchers noted, too, that nearly 40 percent of the credentials stolen
by Torpig were from browser password managers, and not actual login sessions,
and that the Torpig controllers may have exploited these credentials for
between $83,000 and $8.3 million during that time period._

I am surprised that browser password managers are so insecure. This seems like
a place that browsers could improve.

~~~
zacharydanger
Firefox stores your passwords in plaintext unless you specify a master
password (that has to be entered each time you open Firefox) to encrypt them.

~~~
tjmc
Problem is that a simple keylogger could get that too...

------
mynameishere
Why is it so hard to prosecute these people? At some point, the bots are going
to have to phone home, and that's got to be discernible. I mean, just
purposefully infect a machine, feed it some CC numbers and keep an eye on it.
What's the problem?

~~~
ScottWhigham
Really? I'll spend a max of two mins on this.

(a) Which global task force does this fall under?

(b) Who pays for the research, prosecution, and housing of inmates?

(c) Who pays for the astronomical travel/M&E costs for traipsing the globe to
catch ip addresses?

(d) Is what they are doing actually illegal in the country they live in?

(e) Who pays for the legal teams who have to go to every single ISP and ask
for records?

etc, etc, etc

