Segura's research adds a layer of understanding to a phenomenon that's hardly new - criminals have been swiping and selling credit card numbers for decades. But he took to his company's blog last week to issue a fresh warning for users to take steps to minimize their risk, including keeping anti-malware programs up to date to prevent keyloggers or other Trojans from installing themselves and snagging login credentials to bank accounts, Facebook, eBay or any number of other online services.

"It's a pretty widespread problem. It's nothing new per se," Segura said in an interview. "In terms of timing, more people are going to be making purchases around the holidays, so we thought it would be a good idea to remind people that particular malware, specifically keyloggers, are around these days."

"All of us make purchases online, and you'd be amazed how quickly it can be stolen," he added.

Many of the sites Segura analyzed - a microcosm of the overall online black market, to be sure - operate with a surprising degree of professionalism, incorporating many of the popular features that have made legitimate online shopping such a hassle-free experience, including customer support, fluid money movement, shopping carts and easy checkout.

Many of the sites even offer return guarantees. Segura explained that in this underground world of stolen personal and financial information, the sellers still compete with one another on the same factors that buyers look for in above-board retailers: reliability, price, service and reputation.

"It's a real ecommerce platform," Segura said. "A lot of it is being able to guarantee that what you have for selling is accurate and current. ... I think they're trying to make sure their customers are happy."

"As much as everybody - buyers and sellers - are criminal, they have a common interest."

The sites typically do a bulk business. One site Segura examined recently dumped upwards of 10,000 PayPal accounts onto its marketplace, for instance.

Pricing generally ranges from $1 to $4 per account, whether it's an eBay or PayPal credential or a credit card.

"It was a lot lower than I expected," Segura said. But then again, there is a high likelihood that most of the credentials for sale will not be valid by the time a buyer tries to use them. So while sellers actively seek out fresh stores of account information, the caveat emptor precept seems to imply for buyers that a great portion of any batch of credentials they purchase will be worthless, hence the low per-item price.

Similar to legitimate online payment services, buyers of stolen credentials will typically preload value onto an account, commonly using an e-money service called Liberty Reserve that Segura described as "loose" on verification.

Though many of the black-market sites are run out of countries with weak laws or slack enforcement against Internet crimes, others operate in nations with fairly advanced law enforcement regimes. But it is common for them to routinely shift their domain names, and some are kept on an invitation-only basis, where access is negotiated on underground forums.

Malwarebytes researchers routinely alert Internet hosts of these criminal sites, but Segura said that they often will not return calls and emails, preferring instead to turn a blind eye and keep a paying customer.

Some researchers, though not Segura, at least in this case, work actively with law enforcement officials to help bring down online criminal rings. But it's a game of whack-a-mole, especially with the identity marketplaces, which so often shut down one name only to resume operations under another.

In addition to maintaining up-to-date anti-malware software, Segura urges users to ensure they employ a different set of identity credentials for each online account.

About the Author
Kenneth Corbin is a freelance writer based in Washington, D.C. He has written on politics, technology and other subjects for more than four years, most recently as the Washington correspondent for InternetNews.com, covering Congress, the White House, the FCC and other regulatory affairs. He can be found on LinkedIn here .