Compromised PayPal accounts are a valuable commodity in the criminal underground, and crooks frequently trade them in shadowy online forums. But it wasn’t until recently that I finally encountered a proper Web site dedicated to selling hacked PayPal accounts.
Many of the PayPal accounts for sale at iProfit.su have a zero balance, but according to the proprietor of this shop these are all “verified.” PayPal “verifies” an account when a customer agrees to attach a bank account to it; PayPal then sends a micropayment the bank account, and asks the user the value of that mini deposit. A bonus feature: all the hacked PayPal profiles currently for sale at iProfit.su are advertised as having a credit card attached to them, which is another way PayPal accounts can be verified.
The creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts; currently he is selling these at $50 per 100 accounts – a bargain at only 50 cents apiece.
Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.
It’s not clear how this guy prices the verified PayPal accounts. In the accounts I saw advertised (see screenshot above), the prices started at $2.50 for verified accounts with a balance from $0 to $10. Higher-balance verified accounts appear to be priced at between 8 to 12 percent of their total balance. For example, one account — apparently taken from a hapless victim named Abigail — has a current balance of $121.07, and is being sold for $15.
Another account, from Gwynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45. Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. I sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account.
The proprietors of iProfit.su also run blackservice.su, a “carding” forum where members can sell all kinds of stolen goods and illegal services, from stolen credit cards to services that will look up Social Security numbers and birthdays. Readers may have noticed that both of the Web sites mentioned in this story end with the “.su” top-level domain (TLD): This TLD identifies the Soviet Union; it’s a holdover from the country-code TLD that was created for the Soviet Union in 1990. It was long considered dead, but .su is now quite popular, particularly among sites catering to Russian-language cybercrime forums.
Have you seen:
Vendor of Stolen Bank Cards Hacked…I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.