The legitimacy of the accounts hasn't been confirmed, but Kirllos seems to have sold 700,000 accounts already. While it isn't anything special to sell social-networking credentials online, targeting big sites like Facebook and MySpace is only a recent trend. Randy Abrams, director of technical education at security company Eset, believes that the viral capabilities of modern malware are well-suited to big sites like Facebook, where "people will follow it because they believe it was a friend that told them to go to this link." Once the password-stealing malware goes viral, big sites like Facebook are prime breeding grounds for credential lifting.
Kirllos is selling the accounts at a very deep discount compared to similar transactions. According to Symantec's Internet Security Threat Report, email credentials sell at prices between $1 and $20, and low-quality bank information can go for $15 (high-quality can go for $850); Kirllos wants $0.025 per account. That's one reason why he's selling such a high volume. However, that doesn't mean it's a scam. With such a large volume of accounts, Kirllos can afford to undercut the competition and still come out rich.