

Ask HN: What do hackers do with stolen passwords? - JessB

So you get your passwords stolen with a keylogger or some other malware.  What does a hacker do with stolen passwords?  What's the end game?  Where is the financial motive for the hacker?
======
byoung2
There is a good chance that the person whose password is stolen uses that
password on other sites. I guarantee you that if you steal enough usernames
and passwords, you'll find a lot of people who use the same credentials for
their email, bank, PayPal, etc. Actually, they just need your email, and from
there they can reset your other passwords and click the confirm link once it
goes to your email.

The financial incentives can vary...they can make fraudulent purchases,
transfer money, steal domain names, hack sites, you name it.

EDIT: For a real-life example, when I worked at Internet Brands (makers of
vBulletin), a hacker managed to obtain administrator passwords on sites we
owned running vBulletin. He then used that administrator's account to install
a plugin that gave him access to the whole user database. He then used that
database to log into other sites we owned (it is possible to google a
vBulletin username to see what other sites they are members of). Once he had
admin access on a dozen or so sites, he added dupedb.com links to all of them.

~~~
JessB
So the end game would be to transfer money out of bank accounts and PayPal? Is
it really that easy to do? Seems like it would leave one hell of a trail.

What's the end game in stealing domain names and hacking sites? There has got
to be a financial motivator somewhere in the chain.

Thanks for the info.

~~~
byoung2
_What's the end game in stealing domain names and hacking sites? There has got
to be a financial motivator somewhere in the chain._

In the case of the vBulletin hacks, the dozen or so sites hacked were all PR4
and above. I guess the idea there is that Google crawls these sites
regularly, and it would find hundreds of inlinks to the hacker's site, giving
him a boost in the rankings.

As far as PayPal and banks go, you're right, it would leave quite a trail if
the hacker started sending money to his accounts from yours. Instead, the
hacker might log into your PayPal account to get additional info, such as the
billing address for each of your credit cards (easy to find under
Profile>Credit Cards). He can log into your bank website to find the full
credit card number or account numbers and routing numbers along with the
billing address, and a nice history of purchases. It would be easy to disguise
a fraudulent purchase by making it the same amount as a purchase you regularly
make.

------
dirktheman
Keyloggers (often malware, so not intentionally put there by some hacker)
download the passwords for your FTP sites, and alter some of the pages on the
websites you have FTP data from. They will use your websites to send spam.

~~~
JessB
Why do they send spam from other websites? What is the benefit to sending spam
from a hacked site as opposed to one you just register yourself?

~~~
byoung2
Every time someone clicks "report spam" in their email program, it gets
logged, and with enough flags, an IP gets banned. Sometimes the lifetime of a
spam server is just an hour or two (not worth registering). This is why so
many Amazon EC2 IPs are banned. They are so easy to spin up and spam, then
terminate.

The spammers can use "clean" websites as relays to send spam, and move on to a
new one, leaving the site owner to deal with the consequences. Likewise, they
can send out spam using hacked individual accounts. The advantage here is that
people are more likely to open an email from someone on their contact list,
and these emails are often whitelisted.

------
evo_9
Real hackers don't steal passwords to begin with. There is no end game.

