Buying lists filtered by market demographics is common these days, and now the same is true of remote desktop access to infected personal computers.
Cyber criminals are selling remote desktop access to infected computers by the unit based on several criteria, said researchers at RSA. These services come courtesy of the traditional shops that specialize in the selling of stolen credit card (CC) information.
“It is rather common that CC shop operators are also bot-herders (or people who have access to botnets), selling the stolen CC data collected by their Trojans. By adding the sale of Remote Desktop Protocol (RDP) access to his shop, the seller grants fraudsters the choice to exploit PCs they would otherwise have no way of tampering with,” the RSA researchers said.
The selling of RDP access credentials has occurred before, but usually in an unorganized fashion and not in specific volume quantities.
The new services allow fraudsters to filter their purchases by geographic location (country, region, city), the bandwidth available to the computer (download and upload separately), the RDP user’s level of access (admin or not), OS version and even hardware specs such as CPU and RAM.
One selection criterion that stands out from the rest is whether any poker clients are on the compromised computers.
This suggests some possible uses for the RDP access. On one hand, users who have poker clients installed are more likely to access online payment services or input credit card information into web forms.
On the other hand, the access can also be used to take control of a poker client, start a game with another account controlled by the attacker, and transfer the money by losing it. Some poker clients even allow direct user-to-user transfers.
An RDP-controlled computer from a certain area can also be used to initiate fraudulent transfers or open accounts with local financial services without arousing suspicion. According to RSA, the offers for RDP access vary between $1 and $2 per computer.