Cyber criminals are selling bulk log-in credentials for social sites, such as Facebook and Twitter, and web server management software cPanel, according to security researchers.
"These details are not on sale so people can cause mischief but for real financial gain," Oren Kedem, product marketing director at Trusteer, told Computing.
The criminals boast a haul of 80GB of credentials that they are advertising at wholesale prices, or at $30 a log-in when divided into network- and country-specific batches with corresponding personal email addresses.
A blog by Trusteer's chief technical officer Amit Klein reports two botnet operators advertising a "factory outlet" of social network login credentials, and another offering to sell logins and URLs that would allow a fraudster to take control of certain websites. Specifically, the advertiser is offering cPanel credentials.
Control of the website admin software would enable a fraudster to inject malware into the site that could later harvest financial details, said Kedem.
Social network log-ins could be used in social engineering attacks to lure friends of the hacked to fraudulent sites where they would be duped into downloading malware that could, again, perpetrate financial theft, he added.
Facebook officials told Trusteer that the social network actively detects known malware on users' devices and validates every login to the site to check for malicious activity.
Meanwhile security firm GFI published its latest monthly cyber attack report, showing an increasingly sophisticated landscape of social-engineering-based scams.
Gamers looking for a pirated release of Pro Evolution Soccer 2012 were targeted with rootkit malware, while Halo lovers were tempted to sign up for a bogus beta programme.
Tumblr users were baited with free Southwest Airlines tickets in exchange for filling in a pointless survey, and small business owners were attacked with fraudulent customer complaint notices from the Better Business Bureau which led to malware sites.