May 2, 2010 | The New York Times
During several weeks in February, iDefense tracked an effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces, including one called Carder.su.
That hacker, who used the screen name “kirllos” and appears to deal only in Facebook accounts, offered to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45, says Rick Howard, iDefense’s director of cyber intelligence.
The case points to a significant expansion in the illicit market for social networking accounts from Eastern Europe to the United States, he said.
Criminals steal log-in data for Facebook accounts, typically with “phishing” techniques that trick users into disclosing their passwords or with malware that logs keystrokes. They then use the accounts to send spam, distribute malicious programs and run identity and other fraud.
Facebook says it believes that the hacker’s claims to control large numbers of Facebook accounts are bogus. The company attempted to purchase accounts as part of its investigation into the incident, said a spokesman, Barry Schnitt. However, “the hacker was unable to produce anything for our buyer,” he said.