“Three or more years ago, botnet operators focused on stealing email and password credentials, which were useful to spammers,” said Gunter Ollmann, vice president of research for Damballa. “Now botnet controllers are building massive profiles on their users, including name, address, age, sex, financial worth, relationships, where they visit online, etc. They sell this information, where it ultimately finds its way into legitimate lead generation channels.”
Sites will buy the information stolen via botnets in bulk. The information may change hands for money several times. Eventually, a legitimate business may pay for the information for lead generation purposes, not realizing that it has been stolen. In some cases, a company might pay $20-$30 for a qualified lead. Botnets can also play a role in auto-filling online forms that are used to compile lists for marketing purposes. The botnets already have all the personal information necessary to fill out the forms, and botnet operators can devise an automated process, resulting in a sophisticated fraud scheme that is difficult to detect and prosecute.