
Category: iTunes

Jun 10 2013

The Value of a Hacked Email Account

One of the most-viewed stories on this site is a blog post+graphic that I put together last year to illustrate the ways that bad guys can monetize hacked computers. But just as folks who don’t bank online or store sensitive data on their PCs often have trouble understanding why someone would want to hack into their systems, many people do not fully realize how much they have invested in their email accounts until those accounts are in the hands of cyber thieves.

This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.

Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts – merely by requesting a password reset email.

Your email account may be worth far more than you imagine.

How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the cybercrime underground, but recent price lists posted by several miscreants who traffic in non-financial compromised accounts offer some insights.

One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.

As I’ve noted in previous stories, some crime shops go even lower with their prices for hacked accounts, charging between $1 and $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few.

Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages: They are harvested for the email addresses of your contacts, who can then be inundated with malware spam and phishing attacks. Those same contacts may even receive a message claiming you are stranded, penniless in some foreign country and asking them to wire money somewhere.

If you’ve purchased software, it’s likely that the license key to that software title is stored somewhere in your messages. Do you use online or cloud file-storage services like Dropbox, Google Drive or Microsoft Skydrive to back up or store your pictures, files and music? The key to unlocking access to those files also lies in your inbox.

If your inbox was held for ransom, would you pay to get it back? If your Webmail account gets hacked and was used as the backup account to receive password reset emails for another Webmail account, guess what? Attackers can now seize both accounts.

If you have corresponded with your financial institution via email, chances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account.

Until recently, some of the Web’s largest providers of online services offered little security beyond a username and password. Increasingly, however, the larger providers have moved to enabling multi-factor authentication to help users avoid account compromises. Gmail.com, Hotmail/Live.com and Yahoo.com all now offer multi-step authentication that users can and should use to further secure their accounts. Dropbox, Facebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.

Of course, all of this additional security can be defeated if the bad guys gain control over your machine through malicious software. To keep your computer from being compromised, consider adopting some of the recommendations in my Tools for a Safer PC primer.
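The reset-by-email chain described in this post can be audited as a graph: which accounts fall if one inbox falls, and which are held back only by multi-step authentication. This is an added example, not part of the original post; the account names and data are constructed, and it assumes an account with multi-step authentication enabled is not taken over by a reset email alone.

```python
from collections import deque

# Constructed sample data. "recovery" is the inbox that receives the
# account's password-reset mail (None = no email recovery); "mfa" marks
# multi-step authentication. All names are illustrative.
ACCOUNTS = {
    "webmail-primary":  {"recovery": "webmail-backup",  "mfa": False},
    "webmail-backup":   {"recovery": "webmail-primary", "mfa": False},
    "cloud-storage":    {"recovery": "webmail-primary", "mfa": True},
    "music-store":      {"recovery": "webmail-primary", "mfa": False},
    "domain-registrar": {"recovery": "webmail-backup",  "mfa": False},
    "social-network":   {"recovery": "webmail-backup",  "mfa": True},
    "work-mail":        {"recovery": None,              "mfa": True},
}


def validate(accounts):
    """Reject inventories that point at a recovery inbox with no entry."""
    for name, meta in accounts.items():
        rec = meta["recovery"]
        if rec is not None and rec not in accounts:
            raise ValueError(f"{name}: unknown recovery inbox {rec!r}")


def blast_radius(accounts, compromised):
    """Map every account that falls with `compromised` to its reset chain.

    Assumption: whoever controls an inbox can reset any account that
    recovers to it, unless that account has multi-step authentication.
    """
    validate(accounts)
    if compromised not in accounts:
        raise KeyError(compromised)
    # Invert the recovery edges: inbox -> accounts that reset through it.
    dependents = {}
    for name, meta in accounts.items():
        if meta["recovery"] is not None:
            dependents.setdefault(meta["recovery"], []).append(name)
    chains = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:  # breadth-first, so each chain is a shortest reset path
        inbox = queue.popleft()
        for dep in sorted(dependents.get(inbox, [])):
            if dep in chains or accounts[dep]["mfa"]:
                continue  # already fallen (handles cycles) or held by MFA
            chains[dep] = chains[inbox] + [dep]
            queue.append(dep)
    return chains


def held_by_mfa(accounts, compromised):
    """Accounts that recover to a fallen inbox and survive only due to MFA."""
    fallen = blast_radius(accounts, compromised)
    return sorted(
        name for name, meta in accounts.items()
        if meta["mfa"] and meta["recovery"] in fallen and name not in fallen
    )


def rank_by_exposure(accounts):
    """Inboxes ordered by how many other accounts fall with them."""
    ranked = [(name, len(blast_radius(accounts, name)) - 1) for name in accounts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for account, chain in blast_radius(ACCOUNTS, "webmail-backup").items():
        print(f"{account:17} via {' -> '.join(chain)}")
    print("held only by MFA:", held_by_mfa(ACCOUNTS, "webmail-backup"))
    print("harden first:", rank_by_exposure(ACCOUNTS)[:2])
```

The two webmail accounts recover to each other, so losing either one exposes everything behind both; the accounts at the top of the ranking are the ones to protect with multi-step authentication first.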

Mar 06 2013

Mobile Malcoders Pay to (Google) Play

An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

An Underweb ad for Perkele

I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that  is tied to a dedicated server.

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.

Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.

Once the victim has installed the mobile “security” app and verified it with a special supplied code, the app sends an SMS back to the malware kit’s license holder. Perkele also supports the removal of the mobile bot via SMS. Customers can purchase a single-use application that targets one specific financial institution for $1,000; the malware author also sells a “universal kit” for $15,000, which appears to be an SMS malware builder that allows an unlimited number of builds targeting all supported banks.

Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up. Many variants of the cross-platform ZeuS-in-the-Mobile or Zitmo malware have emerged, but they are designed to work in tandem with a specific PC malware strain (ZeuS). What makes Perkele interesting is that it can essentially be loaded as an add-on by virtually any financial malware family that supports Web injects.

Other recent mobile malware samples identified by Russian security firm Kaspersky make Perkele look like a child’s plaything. In particular, the company identified a new Android bot that masquerades as a “cleaner” app meant to free memory for Google’s operating system but which actually wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. Some of the features of this malware include the ability to turn on the microphone on the victim’s PC, enable Wi-Fi on the phone, and snarf all of the data from the phone’s memory card.

Say what you will about Apple’s “closed” or “vetted” iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps. Last year, malware on smartphones increased more than 780 percent over 2011, according to a Kaspersky report released last month. The company found that 99 percent of the mobile malware targeted Android devices. During 2011, an average of 800 new types of malicious programs were discovered every month, and this figure rose in 2012 to 6,300 programs. The largest category of mobile malware last year was SMS trojans that hid in fake apps and links, and could drain bank accounts.

Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app’s permissions before you install it. Also, make sure you download apps that are scanned through Bouncer (Google’s internal malware scanner). Finally, do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you.

Feb 02 2012

Online Market for Pre-Owned Digital Music Hangs in the Balance

The future of a one-of-a-kind website enabling the online sale of pre-owned digital-music files is in the hands of a federal judge.

ReDigi, which opened in October, provides account holders with a platform to buy and sell used MP3s that were purchased lawfully through iTunes. The platform’s technology does not support other music.

Among other points, the case weighs the so-called first-sale doctrine, the legal theory that people in lawful possession of copyright material have the right to sell it.

A federal judge sided with that principle in 2008, when it debunked UMG Recordings’ claim that it retained perpetual ownership of promotional CDs it releases before an album’s debut. Last year, however, a different court ruled against now-defunct online service Zediva, which streamed movies to customers via DVDs that Zediva had purchased.

In the ReDigi case, Capitol Records sued the Massachusetts-based startup last month in New York federal court. Claiming ReDigi was liable for contributing to copyright infringement, the label is demanding U.S. District Judge Richard Sullivan immediately order ReDigi to remove Capitol-owned material, and to also award damages of up to $150,000 per track against the startup.

A ruling could come any day.

Larry Rudolph, the 15-employee company’s chief technology officer, seemed confident of the outcome.

“We let others sit around biting their nails,” he said in an e-mail.

Capitol appears equally confident. It told Judge Sullivan that ReDigi is not the “equivalent of a used record store,” as ReDigi claims.

“ReDigi is actually a clearinghouse for copyright infringement and a business model built on widespread, unauthorized copying of sound recordings owned by plaintiff and others. Plaintiff brings this lawsuit to halt defendant’s ongoing infringement of plaintiff’s copyrighted works and to recover damages for the harm caused by defendant’s activities,”(.pdf) Capitol attorney Richard Mandel wrote.

ReDigi explained to Sullivan in court papers that its undisclosed number of account holders have a right to upload their purchased iTunes files into ReDigi’s cloud. And when a file is sold to another ReDigi account holder, no copy is made. What’s more, because of ReDigi’s technology, the original uploaded file that is sold cannot be accessed by the seller any more through ReDigi or via the seller’s iTunes account.

“ReDigi’s structure ensures that no copies of an Eligible File are made when one ReDigi user sells an Eligible File stored in the user’s Cloud Locker to another ReDigi user through the ReDigi Marketplace,” its attorney, Ray Beckerman, wrote in a court filing. (.pdf) “When such a file is purchased by another user, the file pointer associating the Eligible File with the seller’s Cloud Locker is modified to associate the file with the purchaser’s Cloud Locker. In such a transaction only the pointer is changed; the Eligible File remains in the same location in the ReDigi Cloud and is not copied.”

Beckerman, in a telephone interview, said ReDigi does everything it can to block the unauthorized duplication of files in the ReDigi marketplace. Beckerman added that ReDigi’s technology cannot stop customers from file sharing or copying iTunes music purchases before they had uploaded them to the service.

“You can’t stop the world from committing copyright infringement,” he said. “But it’s impossible to infringe through ReDigi.”

Prices for songs vary on ReDigi, with some files having asking prices as high as 87 cents. The company, which earns up to 15 percent per sale, also offers cloud-storage music streaming.

Oct 11 2011

iTunes 10.5 released to fix 79 vulnerabilities on Windows, OS X to follow

Apple released iTunes 10.5 today to fix 79 vulnerabilities for Windows users and introduce support for iCloud, wireless syncing and iOS 5 compatibility.

Sep 22 2011

Massachusetts Attorney General to investigate iTunes fraud

Massachusetts Attorney General Martha Coakley stated this week that her office will begin an investigation targeting Apple Computers. She is looking into whether Apple is in compliance with her state’s data breach notification laws related to fraud occurring on the iTunes store.

Aug 02 2011

Twitter spammers entice clicks with free iTunes gift cards

In the past we’ve seen iTunes gift card scams spread via Facebook, and fake iTunes Gift Card certificates containing malware spammed out to email inboxes, but today the thing to look out for is iTunes Gift Card spam on Twitter.

Here are some typical messages:

iTunes gift card spam tweets

i have got,get yrs free iTunes Gift Card giveaway today [LINK]

wow,iTunes Gift Card got just today free lol [LINK]

awesome lol,today got iTunes Gift Card [LINK]

Your Chance to choose Your Best iTunes Gift Card [LINK]

Find out how to get a iTunes Gift Card! [LINK]

All of the Twitter accounts I’ve seen sending out these messages have a profile picture of a young woman (sometimes wearing skimpy clothes or a bikini – one has to wonder where they’re going to stash their iPod).

And, on closer examination, it appears that these Twitter users have been created purely for the purposes of spamming out these tweets, interspersed with the occasional random quote or saying.

So, what happens if you click on the link? Well, you visit a website which firstly attempts to work out where in the world you are. I’m writing this from the UK, and it decided to relay my web browser to a dating website for men who want to meet young Russian women.

Russian dating website

No sign of any free iTunes gift cards there, you’ll notice. Clearly the spammers are just using the lure of a free iTunes gift card to entice unsuspecting Twitter users into visiting their sites.

If you click on a link offering you a free iTunes Gift Card and end up with a Russian bride, you’re definitely doing something wrong.

It’s unlikely you’re in the market for a Russian bride, but even if you are – I wouldn’t recommend clicking on the links. They could just as easily take you to a webpage containing malware, or a site which attempts to phish your passwords from you.

Instead, report any users who you see spewing out messages like this as spammers. That means they won’t be able to bother you in future, and Twitter will investigate whether their account should be deleted.

Report Twitter spammer

Of course, it’s easy to create a brand new account on Twitter – so the spam problem on Twitter is unlikely to disappear anytime soon.
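The pattern described in this post (throwaway accounts mixing templated lure tweets with filler quotes) can be surfaced by looking for phrases that recur across accounts in link-bearing tweets. This is an added example, not part of the original post; the account names, filler tweets and thresholds are constructed, and the lure lines are the ones quoted above.

```python
import re
from collections import defaultdict

# A tweet "has a link" if it carries a URL or the [LINK] placeholder used above.
LINK = re.compile(r"https?://\S+|\[LINK\]", re.IGNORECASE)

# Constructed timelines: lure lines are quoted from the post, the rest is filler.
TIMELINES = {
    "acct_a": [
        "i have got,get yrs free iTunes Gift Card giveaway today [LINK]",
        "Fortune favours the bold.",
        "wow,iTunes Gift Card got just today free lol [LINK]",
    ],
    "acct_b": [
        "awesome lol,today got iTunes Gift Card [LINK]",
        "A journey of a thousand miles begins with a single step.",
        "Your Chance to choose Your Best iTunes Gift Card [LINK]",
    ],
    "acct_c": [
        "Find out how to get a iTunes Gift Card! [LINK]",
        "Less is more.",
    ],
    "newsdesk": [  # legitimate account that mentions the lure once, with a link
        "Warning: iTunes Gift Card spam doing the rounds https://example.org/advisory",
        "Patch notes for this week https://example.org/patches",
        "Conference schedule is up https://example.org/schedule",
        "Back from holiday, catching up on mail.",
    ],
    "friend": [  # same phrase, but no link
        "Got an iTunes Gift Card for my birthday, thanks all!",
        "Coffee first.",
    ],
}


def trigrams(text):
    """Word trigrams of a tweet after stripping links, case and punctuation."""
    words = re.findall(r"[a-z0-9]+", LINK.sub(" ", text.lower()))
    return {" ".join(words[i:i + 3]) for i in range(len(words) - 2)}


def campaign_phrases(timelines, min_accounts=3):
    """Trigrams seen in link-bearing tweets from at least `min_accounts` accounts."""
    seen = defaultdict(set)
    for account, tweets in timelines.items():
        for tweet in tweets:
            if LINK.search(tweet):
                for gram in trigrams(tweet):
                    seen[gram].add(account)
    return {gram for gram, accts in seen.items() if len(accts) >= min_accounts}


def score_accounts(timelines, min_accounts=3):
    """Fraction of each account's tweets that pair a link with a campaign phrase."""
    phrases = campaign_phrases(timelines, min_accounts)
    scores = {}
    for account, tweets in timelines.items():
        hits = sum(1 for t in tweets if LINK.search(t) and trigrams(t) & phrases)
        scores[account] = hits / len(tweets) if tweets else 0.0
    return scores


def flag_spam_accounts(timelines, threshold=0.5, min_accounts=3):
    """Accounts whose timeline is at least `threshold` campaign lure tweets."""
    scores = score_accounts(timelines, min_accounts)
    return sorted(a for a, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    print("campaign phrases:", campaign_phrases(TIMELINES))
    for account, score in sorted(score_accounts(TIMELINES).items()):
        print(f"{account:9} {score:.2f}")
    print("flagged:", flag_spam_accounts(TIMELINES))
```

Scoring by share of the timeline rather than by a single match is what keeps the account warning about the spam, and the one that mentions a gift card without a link, out of the flagged set.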

If you want to be kept up-to-date on the latest security threats on Twitter and elsewhere on the net, follow me on Twitter.


Hat-tip: Thanks to Naked Security reader @Chasapple for first making me aware of this spam campaign.