{
	"id": "d959d176-7753-4c1a-9d7b-43e1fa70e404",
	"created_at": "2026-04-06T00:08:46.858194Z",
	"updated_at": "2026-04-10T13:12:15.945676Z",
	"deleted_at": null,
	"sha1_hash": "5e8139598f5f407225bc6a0498716dc6ec7e3e6c",
	"title": "SpyEye Botnet’s Bogus Billing Feature",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111604,
	"plain_text": "SpyEye Botnet’s Bogus Billing Feature\r\nPublished: 2010-09-17 · Archived: 2026-04-05 22:44:04 UTC\r\nMiscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better\r\nmonetize their crime machines, and competition among rival bot developers is leading to devious innovations. The\r\nSpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and\r\nother financial data from infected systems, but it also can be configured to use those credentials to generate bogus\r\nsales at online stores set up by the botmaster.\r\nAs I noted in a post in April, SpyEye is a software package\r\nthat promises to make running a botnet a point-and-click exercise. A unique component of SpyEye is a feature\r\ncalled “billinghammer,” which automates the purchase of worthless or copycat software using credit card data\r\nstolen from victims of the botnet.\r\nThe SpyEye author explained this feature in detail on several hacking forums where his kit is sold, even including\r\na video that walks customers through the process of setting it up. Basically, the scam works like this: The\r\nbotmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up\r\nfor sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring,\r\neSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel (picture above), feeds it\r\na list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer\r\nWindow and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and\r\nmaking purchases.\r\nhttps://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/\r\nPage 1 of 2\n\nThe billinghammer module also is set up to evade anti-fraud\r\ncontrols at the online software stores, by funneling each transaction through a SpyEye-infected system whose\r\nInternet address traces back to a geographic location that approximates the cardholder’s street addresss.\r\nIn the video that shows how to use this portion of the bot kit, it appears that SpyEye customers have the option\r\neither to make sales at their own stores, or to use some that are apparently set up by the author of the bot kit\r\nhimself.\r\nIn an e-mail to KrebsOnSecurity.com, FastSpring’s chief customer service officer Ken White said: “We\r\nunderstand what this system tries to do, and how the bad guys attempt to use it to convert stolen cards into cash.\r\nWe haven’t yet been exploited successfully and believe we have a good system in place to prevent it.”\r\nAll other software sales and distribution systems coded into the SpyEye bot kit are entities operated by Digital\r\nRiver, which did not respond to repeated requests for comment. It’s not clear how many — if any — SpyEye\r\ncustomers are using the billinghammer plug-in. But assuming that there are some scammers out there abusing\r\nthese services through SpyEye, it seems that it would be a great way to catch botmasters in the act. After all, the\r\ncheck or wire transfer for any bogus software sales has to be sent somewhere.\r\nSource: https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/\r\nhttps://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/"
	],
	"report_names": [
		"spyeye-botnets-bogus-billing-feature"
	],
	"threat_actors": [],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e8139598f5f407225bc6a0498716dc6ec7e3e6c.pdf",
		"text": "https://archive.orkl.eu/5e8139598f5f407225bc6a0498716dc6ec7e3e6c.txt",
		"img": "https://archive.orkl.eu/5e8139598f5f407225bc6a0498716dc6ec7e3e6c.jpg"
	}
}