The Scrap Value of a Hacked PC

Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common -- yet often overlooked -- ways that cyber crooks can put your PC to criminal use.


The graphic above shows the different reasons criminals may want access to your system. I've explained each category in more detail below:

Illicit Web Hosting

Cyber criminals commonly use hacked PCs as a host for a variety of dodgy Web hosting schemes, including:

- Spam Web sites

- Phishing Web sites

- Malware download sites

- "Warez" servers, or hosts for pirated software and movies.

- Child pornography servers

Zombie Grunt Work

Infected PCs also frequently are turned into zombies designed to carry out all sorts of monotonous, repetitive tasks for cyber crooks, such as:

- Relaying junk e-mail

- Participating in so-called denial-of-service attacks designed to extort money from Web sites by pelting them with massive amounts of bogus Web traffic if they refuse to pay protection money.

- Engaging in "click fraud," which uses zombies to gin up fake mouse clicks for networks of phony Web sites that siphon money from advertisers.

- Serving as a proxy through which bad guys route their Web traffic.

- Providing computational power that criminals use to help solve CAPTCHA challenges, the squiggly lines of numbers and letters that many free Web mail services require you to solve, which are designed to tell humans apart from zombies.

E-Mail/Webmail Attacks

An infected PC potentially has great value to spammers and attackers beyond simply acting as a relay for junk e-mail. For example, compromised systems typically are harvested for e-mail addresses that will be sold and used in future phishing and spam attacks.

An attacker doesn't need to compromise an Internet user's computer to wreak havoc with their identity and online life. A compromised Webmail account, for example, can yield a bounty of useful information because many people often will use the same e-mail address and password for multiple services. (Even if the victim uses different passwords at each service, usually those passwords can be reset as long as the attacker has access to the victim's inbox).

Hacked Webmail accounts also frequently are used to scam the victim's friends. Sometimes, crooks will use a hijacked Webmail account to blast out tailored spam to all of the victim's contacts, usually recommending some no-name, bargain basement e-commerce site that is set up merely to steal credit and debit card information.

Another long-running scam involving hacked Webmail accounts goes like this: Scammers blast out a note to all of the victim's contacts, claiming that the victim has become stranded in some foreign country and desperately needs friends and family to wire money.

Account Credentials

Any stored credentials -- particularly user names and passwords for online services -- are fair game on hacked PCs. Stolen eBay credentials often are used to abuse the victim's good reputation and to list non-existent or stolen items for auction. A compromised PayPal account can aid in these bogus auctions as well, or be drained of its funds. Credentials for voice-over-IP or Internet-based telephone services like Skype also are a hot item on underground cyber criminal forums, because they can be used to mask the caller's location and aid in a variety of scams.

Credentials that victims use to administer Web sites -- even social networking site Web pages -- can be of huge value to cyber crooks. A number of automated threats will scrape credentials that victims use to transfer files to and from any personal or professional Web sites they may administer. Stolen file transfer protocol (FTP) credentials, for example, give attackers control over the victim's site, which is often then used to host malicious programs or other illicit content that helps further a variety of online criminal schemes.

Finally, credentials that allow access to the network of the victim's employer or company can be of great interest to digital thieves. In many corporate environments, employees cannot log in remotely without having a special, password-protected encryption certificate saved on their computer. Some families of malicious software -- including the Sinowal or Torpig Trojan -- will try to steal these certs from infected systems.

Virtual Goods

Virtual goods, those that have seemingly intangible value, are among the most sought-after commodities in the general hacking scene. Entire families of malware exist to harvest license keys for thousands of computer games and steal credentials that gain access to online games in which a player's worth is determined largely by the amount of virtual goods his or her character has amassed. There is a mature, multi-billion dollar market for these accounts, and the goods themselves, at least some of which are stolen from compromised PCs.

Financial Credentials

When casual Internet users think about the value of their PC to cyber crooks, they typically think stolen credit card numbers and online banking passwords. But as we have seen, those credentials are but one potential area of interest for attackers.

This is by no means an exhaustive list. If I've omitted any major categories, please drop a note in the comment section below. If it's not already covered by one of the categories -- and if it fits -- I'll add it to the chart above.

By Brian Krebs  |  May 26, 2009; 2:12 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings  | Tags: hacked pc chart, scrap value of your pc  


If your computer is hacked, it's not yours anymore. It's just like your home. If you come home, and find someone else moved in and is squatting in your living space, it doesn't matter if they found your credit cards. Now you have to work around them and they're eating your food, peeking into your private matters, running up your phone bill, misusing your name, and pushing you out of your house.

Posted by: southVAHmptn | May 26, 2009 3:21 PM | Report abuse

Excellent article and GREAT graphic. They both should be included with every PC sold.

What defense will one offer when child porn is discovered on their PC? I didn't use a security suite because I'm too cheap or too lazy, your honor? Anti-child porn laws are very, very strict, and very, very, very draconian. If your Sgt. Schultz defense (I saw nothing! I know nothing!) doesn't work, well, as a public defender I know used to tell his clients when they resisted a plea bargain, you'll go in a tight end and come out a wide receiver.

Posted by: Garak | May 26, 2009 3:37 PM | Report abuse

You would do a great service to readers to tell them what behavior/symptoms, if any, they might look for on their PC when these things happen. Lights blinking indicating in/out traffic when they are not using the PC, bounced e-mails they didn't send etc. I've asked this question via e-mail and received no response. If there's no way to tell, it would be good to know that.

Posted by: tojo45 | May 26, 2009 3:52 PM | Report abuse

PS, there's a typo in the graphic "Ebay/aypal"

Posted by: tojo45 | May 26, 2009 3:53 PM | Report abuse

That typo has been fixed. Thanks.

Posted by: tojo45 | May 26, 2009 3:54 PM | Report abuse

@Tojo45 -- There really is no good way to tell if your machine has been compromised by a lot of today's more prevalent threats. In some cases, if you get some installer program that happens to dump a kitchen sink full of malware on your system that includes something that tries to serve you with pop-up ads or hijacks your search results, you probably will notice something's wrong pretty quickly. Many of today's stealthier attacks, however -- particularly the bot programs -- leave little in the way of traces that are obvious to the untrained eye. And blinking lights on your modem don't tell you much, I'm afraid.

Yes, that's a typo in the graphic. I will fix and re-upload. Thanks for the heads up.

Posted by: BTKrebs | May 26, 2009 3:58 PM | Report abuse

Anyone running Windows voluntarily is asking to be hacked. Do yourself a favor- install Linux on a spare machine and try it out. It's friendly, and free! Check out or

Posted by: hairguy01 | May 26, 2009 6:07 PM | Report abuse


Changing your operating system isn't the answer. You don't get security through obscurity. For most people, what you propose would add a great deal of complexity (different ecosystem, learning curve of different system, different hardware/software compatibility, etc.)

You would be better served learning how to properly secure and operate a Windows based system. Start with the list below:
1. Use a non-admin (limited user) account for daily use
2. Use a firewall (preferably a hardware firewall at the perimeter and a software firewall on each computer)
3. Keep the system fully patched (includes ALL software)
4. Use Antivirus/Antispyware software that is configured to update itself DAILY
5. Practice safe computing (ex. use caution with downloaded files and e-mail attachments, don't click on links in e-mail, browse wisely, etc.)
6. Routinely (at least monthly) backup your data to external media (CD-R, DVD-R, external hard drive, etc.)
7. Install ONLY required software (reduces system attack surface and minimizes patching). AVOID file sharing software! (too risky to system)
8. Optional (but highly recommended):
a. Use a blocking HOSTS file (
b. Enable Windows Automatic Updates (Auto download and install)
c. Use an e-mail client instead of webmail, configure it to “Read all e-mail in plain text”.

Posted by: xAdmin | May 26, 2009 11:10 PM | Report abuse

I should've clarified that most of the list is NOT inclusive to Windows systems. It is important to apply these principles regardless of operating system in use.

Also, as Brian's post points out, the computer user plays a major role in computer security.

Posted by: xAdmin | May 26, 2009 11:26 PM | Report abuse

Limited user [non-admin] account.

OK, under XP, first I must create a limited [?] user admin account.

Then, I can create the limited user non-admin account, which in my version of XP Pro brings up Nemesis 2.0.

In Nemesis 2.0, my US-English Keyboard suddenly starts typing " for @, which looks like a British - English keyboard.

But I can't change anything as a limited user, so I go to my Admin account and check, Date-Time, Languages, where I previously struck English -Davoric [?] whatever, which when a unknown hot key is entered, probably by accident, all characters typed thereafter change and junk only appears. I also got rid of the British English at the same time.

But nemesis 2.0 doesn't comprehend or doesn't comply.

When I Google Nemesis 2.0 various options appear, one of which claims that Nemesis 4.o is available for download, BUT at the bottom of the page, I get my choice of porno flicks or pictures also.

So, how do we get a meaningful limited user Non-Admin account in XP pro that works ???

Posted by: | May 27, 2009 3:44 AM | Report abuse

Brian, I'd be interested in your thoughts concerning SandboxIE as an added level of security.

Posted by: PostSubscriber | May 27, 2009 7:23 AM | Report abuse

We don't design the OS or write the software and applications we use.

However, it is our job to be aware that what we use is not safe from the dangers of the Internet and to take the necessary measures to prevent being hacked.

The average Joe is just not educated enough on network security to make the right decisions.

Posted by: CP3O | May 27, 2009 7:26 PM | Report abuse

Great article. On a similar theme there are some informative and engaging videos available at

Through the use of basic wireless internet capabilities, one H*Commerce expert is driven through rush-hour traffic, accessing PDA’s, cell phones and laptops in the surrounding cars, pulling information from voicemail passwords to computer files.

Posted by: web32 | May 28, 2009 2:02 AM | Report abuse

From's post:

" ... But I can't change anything as a limited user, so I go to my Admin account and check, Date-Time, Languages, where I previously struck English -Davoric [?] whatever, which when a unknown hot key is entered, probably by accident, all characters typed thereafter change and junk only appears. I also got rid of the British English at the same time ...."

"English-Davoric" is probably "English-Dvorak", "Dvorak" as in the Dvorak keyboard,

one reason why you might be having these problems (your hardware is set up for a "QWERTY" keyboard).

Posted by: hogsmile | May 28, 2009 3:59 AM | Report abuse

RE the "Hacked PC" map:

Good to see somebody using mindmaps from Mindjet's Mindmanager program:

I use it, and find it invaluable for explaining complex ideas or thinking through complex relationships and confounding "what-if's?"

Posted by: hogsmile | May 28, 2009 4:05 AM | Report abuse

It'd be nice if MS patched against malware, instead of just patching the holes that allow infection.

I guess too that spam, ID theft & malware just don't draw the same star power as going after people sharing music.

Posted by: timscanlon | May 28, 2009 5:36 AM | Report abuse

Nonsense, what is being referred to here is a Cracked PC. A hacked PC is any machine that has been modified. A machine that has been p0ned is referred to as Cracked.

Posted by: sleathwood | May 28, 2009 8:35 AM | Report abuse

It would also be nice if attempts to educate the average non-security literate end user didn't end up as the all too familiar/tiresome (delete as applicable) linux/Mac/Windows fanboy argument. Technical discussions are great in the right forum but a turn-off for the people we really need to educate on topics like this.

Brian, one thing you seem to have missed is gambling - I've regularly seen home desktops covered in gambling ads and toolbars. Maybe not malicious but a temptation to debt.

Posted by: Chuckling | May 28, 2009 8:36 AM | Report abuse

timscanlon - the thing that the "anything but Microsoft" crowd never admits is that MS is hacked because almost everyone uses it. If Apple and Linux ever become widely used, then the hackers will concentrate on those operating systems and those users will have the same problems MS users have now.

Hacking is a business and they hack MS because it provides the most bang for the buck. Apple and Linux aren't more secure, they are less targeted.

Posted by: xconservative | May 28, 2009 8:48 AM | Report abuse

um, maybe i perused this article wrong, but i didn't see what the scrap value of a hacked pc actually is. I was hoping to sell my old laptop parts and want to know how much i could pull in.

Posted by: stevehoeschele | May 28, 2009 9:48 AM | Report abuse

"Apple and Linux aren't more secure, they are less targeted."

This is completely wrong -- either you are misinformed or just lying. Unix-based systems such as OSX and Linux *are* inherently more secure than Windows. As an example, everything Brian talks about with setting up limited user accounts has been a central feature of Unix since the 1970s, while it still doesn't work quite right under Windows.

Obviously they're not perfect, nothing is, but denying that they are better when it comes to security is a major symptom of Microsoft shilling.

Posted by: cocyach | May 28, 2009 10:23 AM | Report abuse

Anyone running Windows voluntarily is asking to be hacked. Do yourself a favor- install Linux on a spare machine and try it out. It's friendly, and free! Check out or

* I use Ubuntu 8.04 (If you are really good with Windows you'll get 80% of Ubuntu under your belt in one day) - the Hardy Heron - released in April 2008. Ubuntu is an entirely open source operating system built around the Linux kernel. The Ubuntu community is built around the ideals enshrined in the Ubuntu Philosophy: that software should be available free of charge, that software tools should be usable by people in their local language and despite any disabilities, and that people should have the freedom to customize and alter their software in whatever way they see fit. For those reasons:
Ubuntu will always be free of charge, and there is no extra fee for the "enterprise edition", we make our very best work available to everyone on the same Free terms. Ubuntu includes the very best in translations and accessibility infrastructure that the free software community has to offer, to make Ubuntu usable for as many people as possible. Ubuntu is released regularly and predictably; a new release is made every six months. You can use the current stable release or the current development release. Each release is supported for at least 18 months. Ubuntu is entirely committed to the principles of open source software development; we encourage people to use open source software, improve it and pass it on.

Posted by: vze4k4bh | May 28, 2009 10:51 AM | Report abuse

@ cocyach

Regarding the inherent security strengths of linux/osx vs windows, you should really look up the talks done at the pwn2own hacking competitions this year. They talk about how easy it is to hack OSX (Within minutes) and linux (You can actually make a linux virus that is distro agnostic if you take a few minutes). While Unix has the security strengths that you mention, the key to a successful linux virus is to not attack the kernel, you attack instead the desktop environment (gnome/kde), and you can make it virtually invisible. Not exactly a shot against linux, but with these facts, it discredits what you are arguing. Please do your research in advance before applying anecdotal evidence.

That being said, I like linux and OSX both, they are excellent operating systems, but for most users, to switch from windows to one of these systems (even ubuntu which takes pains to ensure even foolish people can use it) is not worth the effort/stress. It's not just learning the environment, it is also installing, troubleshooting errors in the system, and general maintenance (Updates are a breeze, I know). For the average user, linux just isn't quite there yet (Not from an OS standpoint, but from a documentation standpoint it needs some work, the wiki/forums are good... if you know what you are looking for).

On the OSX side, adoption will never take off because of Apple's strategy... the whole fully proprietary route kinda shoots them in the foot in some ways, not so much so in others.

Posted by: idibidu | May 28, 2009 11:45 AM | Report abuse

If malware or a virus installs itself on my XP when I'm logged in as an administrator, will it still be active if I'm logged in as a limited user?

Posted by: swmuva | May 28, 2009 1:57 PM | Report abuse

Congratulations. This is the single most enlightening article on Internet security I've read in a decade.

The IT security world fails, because John Q. Public is rarely educated. Only lectured. The public ignores a lecture... especially from an IT staffer with no friends...

Public ignorance is the main tool of the online criminal.

Your article should be required reading in school at every grade above 3rd to eliminate the criminal's usual ease of operation.

Thank you for knowing the difference between educating and lecturing.

Posted by: onestring | May 28, 2009 2:11 PM | Report abuse

Remember how Americans were advised to buy duct tape to protect themselves from terrorists and you can see the government approach to computer security.

Do nothing to hinder free enterprise.

No effective government efforts to protect computers.

Americans buy a computer and the manufacturer puts countless programs on the system and there is wonder why ordinary Americans have no idea about computer security.

Most Americans never turn off their systems because manufacturers have made it not practical to turn off their systems.

Spam could be done away with by forcing companies to have email recipients opt in but no the government requires only companies provide the option to opt out, thus providing a great way to hack in. Americans can not deal with spam since the government refuses to make it an offense to send unsolicited email by companies. Have to protect the interests of those businesses that want to sell something.

Computer security is left to the special interests of private companies and it is no wonder there is such a large problem in computer security.

Posted by: bsallamack | May 28, 2009 3:00 PM | Report abuse

idibidu, you said switching to Mac "is not worth the effort/stress." Actually NOT switching to a Mac and having to frequently deal with a plethora of Windows issues brings much more effort and stress. So glad I took the plunge last year. I've watched my productivity increase and my annoyance level decrease noticeably.

Posted by: nonagon | May 28, 2009 4:15 PM | Report abuse

You're just spreading FUD there, nonagon. I've been using Windows in its various incarnations for over 15 years, and I rarely encounter any issues at all. All you get from a Mac is a bigger credit card bill.

Posted by: gamz247 | May 28, 2009 5:43 PM | Report abuse

xadmin writes,

"1. Use a non-admin (limited user) account for daily use"... [seven more steps follow]

@xadmin, you must be joking- what miniscule fraction of users even understand your Step 1? Notice that the poster immediately after your notes asked for help with it, never mind the rest of your list. And why should users have to pay again, this time for anti-virus software to protect the operating system? Are they even capable of making even a moderately-safe o/s? I doubt it. Users seem to agree- M$'s market share is slipping and layoffs in Redmond have begun. With fewer people they stand a risk of shipping even worse software and thus begins their death spiral. Don't advise people how to make the best of a sinking ship, help them abandon it.

Posted by: hairguy01 | May 28, 2009 6:16 PM | Report abuse

"Spam could be done away with by forcing companies to have email recipients opt in but no the government requires only companies provide the option to opt out, thus providing a great way to hack in. Americans can not deal with spam since the government refuses to make it an offense to send unsolicited email by companies."

I'm with you except for this point. There's no way to "force" email recipients to do anything. Many such schemes have been tried and proposed, but the internet is an international collection of networks, so this isn't practical or even possible.

But I agree with the gist of what you're saying.

Posted by: Ombudsman1 | May 28, 2009 8:33 PM | Report abuse

Posted by: swmuva

"If malware or a virus installs itself on my XP when I'm logged in as an administrator, will it still be active if I'm logged in as a limited user?"

Depends on how the malware was designed. For all practical purposes, it will most likely still be active.

A limited user account is primarily a preventative measure in keeping malware from getting installed in the first place should it get to your system.

With a limited user account, the most malware can do is affect that particular user profile and possibly any data that user may have access to (thus the reason for #6 - backup your data).

With the administrator account, malware has full rights to do anything on your system. Not a wise risk to take in today's computing environment.

In fact, one could argue that running as a limited user without Antivirus software is more effective than running as Administrator with Antivirus software. So, if you add the other layers of protection I outlined above, it makes your system quite difficult to be compromised by malware.

So effective, I've NEVER been compromised in any way using Windows based systems for over 12+ years. The only problems I've experienced were of my own doing.

Posted by: xAdmin | May 28, 2009 10:15 PM | Report abuse


Nice fanboyism! ;P

"what miniscule fraction of users even understand your Step 1?"

Enough to Google: "limited user", and take it from there.

"And why should users have to pay again, this time for anti-virus software to protect the operating system?"

It's called a layered defense (defense in depth). Should one layer be compromised, another is there to help. It's like adding an alarm system to your house. It's another layer of protection besides the door and window locks (like a limited user account).

Posted by: xAdmin | May 28, 2009 10:36 PM | Report abuse

What do the contributing mavens of this discussion think about using the "Processes" tab of the Windows Task Manager as a diagnostic for 'under the radar' infections?

Posted by: featheredge99 | May 29, 2009 2:15 AM | Report abuse

@featheredge -- If the system is compromised, task manager may lie to you. Even under normal circumstances, task manager leaves a lot to be desired and a lot of guesswork. If you're serious about knowing what processes are running, check out Process Explorer.

Posted by: BTKrebs | May 29, 2009 7:40 AM | Report abuse

This is a no-win for consumers. Either they risk all the things you describe, or they use really bad security software that cripples their systems. (I haven't seen any security software that works without imposing a huge burden on the machine) Both are equally opaque to non-expert users. And why should people have to be experts? The rational choice for many people is to risk possible attack rather than deal with the pain of security software all the time. As long as that remains a plausible trade-off, then nothing will change.

Posted by: a_trotskyite | May 29, 2009 12:57 PM | Report abuse

Hey Brian, great post. This article has been shared around our office a few times already. Our data and observations confirm a lot of what you’ve outlined. We’ve found some very strong connections between click fraud and many of the other types of malicious activity you’ve identified in your piece. For example, machines that have been observed as sending out extremely high volumes of spam and/or are members of known botnets are often the same machines that we catch committing click fraud across the Anchor Intelligence network.

You should see what some of the hacked machines in the developing nations are being used for! Imagine a network of PCs in an internet café in Vietnam still running Windows 98 with vulnerabilities just waiting to be exploited.

Posted by: simrichard | May 29, 2009 1:19 PM | Report abuse

I wish someone would make it very clear to Apple users that they too can get viruses and hacked. The latest Apple vs. PC ads make it sound like they will never have to worry about anything bad ever happening to their computers.

And on a side note don't forget to backup your data in case you have to wipe your hard drive and reload your OS.

Posted by: carmichaelandrew | May 29, 2009 2:53 PM | Report abuse

xAdmin I really have to call you out on this one. Some of the entries on your list only apply to Windows systems, for instance a Linux system won't have a HOSTS issue and there isn't a threat from wide-scale viruses that would warrant an anti-virus program. Granted, specific attacks can be launched and DNS caches poisoned but that's not the same thing. Your number one suggestion is something that Linux does natively - unless you're running Root (which is loudly discouraged to even the newest user) then every user is always running on a non-admin account. When you have to do something that requires those permissions, you supply your credentials which are then taken away after the task is done. This alone makes Linux much more secure in general.

I don't agree with the 'protection through obscurity' notion although it is hard to argue that fact as Linux is actually pretty obscure. I would at least agree that the spirit of free software makes it a less attractive place for those people looking to get into your wallet.

I write software for Windows all day long, that's what pays the bills. When I get home I'm all Linux, baby.

Posted by: warmotor | May 29, 2009 4:18 PM | Report abuse

A hacked PC can also be exploited via its modem. The modem can be used to dial into expensive call services, to send junk faxes, to send prerecorded advertising messages, route VOIP calls to POTS phone numbers and many other uses. Are there any known bot clients that do this kind of thing?

Posted by: ninepin | May 29, 2009 6:18 PM | Report abuse

You can't begin to imagine how serious this problem is. My son was convicted of possessing child porn after his ex-wife had a child pornographer friend hack into his computer and plant it. It really didn't matter that the sites had never been open, viewed, and were in hidden, zipped files. Once you show a jury a couple hours of the most disgusting filth you can imagine, they would convict Jesus Christ. He is now serving 30 years in Federal Prison.

Posted by: shicks2 | June 1, 2009 7:00 AM | Report abuse

@ninepin -- ah. I forgot about that. yes, those are called "dialers" or "porn dialers." they used to be a lot more common to find on infected/hacked PCs, because a lot more people used telephone modems to get online. but they are definitely still around.

Posted by: BTKrebs | June 1, 2009 8:27 AM | Report abuse

A reader sent this via email:


This article rocks, I'm sending it to all of my clients around the
world. The image is the best. However, there is one key use I could
not find.

Hacked PC being used to hack other computers

Not sure if I missed that one or if you consider it a different topic.


Posted by: BTKrebs | June 2, 2009 8:29 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company