OK, it's great to be able to crack the crackers...
The Ars summary of the report seems strange (I've not read the whole pdf) in a couple ways:
They talk about percentages of private behavior getting scooped, but not about percentages or numbers of credit card or bank account users/passwords (which they indicate were the primary targets of the botnets).
And weirdly, Ars says, "Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period..." Funny numbers. It just happens that the range is 8.3 x 10^4 to 8.3 x 10^6? Makes me wonder about overall accuracy of post/report.
Well, Torpig obtained credentials for 8310 accounts, so I'm guessing that's just a $10-1000 estimate of the loss per account. But from my experience, $1000 per compromised account seems quite a bit on the high side for credit card accounts (I have no idea about average loss for stolen brokerage accounts).
Edit: From the pdf
"A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10-$25 and bank accounts from $10-$1,000. If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M."
As an aside, these amounts are a good reason you should use your credit card instead of your debit card.
The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions, and that the Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period.
I am surprised that browser password managers are so insecure. This seems like a place that browsers could improve.
Why is it so hard to prosecute these people? At some point, the bots are going to have to phone home, and that's got to be discernible. I mean, just purposefully infect a machine, feed it some CC numbers and keep an eye on it. What's the problem?