The legitimacy of the accounts hasn't been confirmed, but Kirllos seems to have sold 700,000 accounts already. While it isn't anything special to sell social-networking credentials online, targeting big sites like Facebook and MySpace is only a recent trend. Randy Abrams, director of technical education at security company Eset, believes that the viral capabilities of modern malware are well-suited to big sites like Facebook, where "people will follow it because they believe it was a friend that told them to go to this link." Once the password-stealing malware goes viral, big sites like Facebook are prime breeding grounds for credential lifting.
Kirllos is selling the accounts at a very deep discount compared to similar transactions. According to Symantec's Internet Security Threat Report, email credentials sell at prices between $1 and $20, and low-quality bank information can go for $15 (high-quality can go for $850); Kirllos wants $0.025 per account. That's one reason why he's selling such a high volume. However, that doesn't mean it's a scam. With such a large volume of accounts, Kirllos can afford to undercut the competition and still come out rich.