05
Oct 11

How Much is That Phished PayPal Account?

Compromised PayPal accounts are a valuable commodity in the criminal underground, and crooks frequently trade them in shadowy online forums. But it wasn’t until recently that I finally encountered a proper Web site dedicated to selling hacked PayPal accounts.

Compromised PayPal accounts for sale at iProfit.su

Many of the PayPal accounts for sale at iProfit.su have a zero balance, but according to the proprietor of this shop these are all “verified.” PayPal “verifies” an account when a customer agrees to attach a bank account to it; PayPal then sends a micropayment the bank account, and asks the user the value of that mini deposit. A bonus feature: all the hacked PayPal profiles currently for sale at iProfit.su are advertised as having a credit card attached to them, which is another way PayPal accounts can be verified.

The creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts; currently he is selling these at $50 per 100 accounts – a bargain at only 50 cents apiece.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.

It’s not clear how this guy prices the verified PayPal accounts. In the accounts I saw advertised (see screenshot above), the prices started at $2.50 for verified accounts with a balance from $0 to $10. Higher-balance verified accounts appear to be priced at between 8 to 12 percent of their total balance. For example, one account — apparently taken from a hapless victim named Abigail — has a current balance of $121.07, and is being sold for $15.

Another account, from Gwynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45. Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. IĀ  sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account.

The proprietors of iProfit.su also run blackservice.su, a “carding” forum where members can sell all kinds of stolen goods and illegal services, from stolen credit cards to services that will look up Social Security numbers and birthdays. Readers may have noticed that both of the Web sites mentioned in this story end with the “.su” top-level domain (TLD): This TLD identifies the Soviet Union; it’s a holdover from the country-code TLD that was created for the Soviet Union in 1990. It was long considered dead, but .su is now quite popular, particularly among sites catering to Russian-language cybercrime forums.

[EPSB]

Have you seen:

Vendor of Stolen Bank Cards Hacked…I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.

[/EPSB]

Tags: , , ,

65 comments

  1. Omg, thanks to you born new criminals!

    • I presume you meant to say that information such as this enables the rise of new criminals. Yes there is always that danger, but the advantage is that greater publicity of the bad guys enables their shut down faster. And Brian is to be commended for shouting the loudest and I suppose he does have his LEO channels to which is passes on his information.

    • I would point out that most of these sites, probably all the ones that are active and evil, don’t allow random visitors. You can’t just sign up for them like it’s Facebook. I believe most of them have a vetting process of some sort i.e. carder sites require you to supply 10 stolen cards to an admin to verify you are true blue bad guy or some such.

  2. Good post Brian,
    I loved that they are using cloudflare.com to give better user experince- what a customer service ! can i have your SLA please ? And what about refund policy ? šŸ™‚

  3. Plenty of phish request email address + password along with the financial info, so the presence of email+password being sold doesn’t necessarily indicate trojan involvment. I don’t know who thinks giving their email password could be a good idea, but I’ve seen it enough times to know it’s effective.

    • I’ve received phishing emails that look exactly like they are from PayPal, and even have my real name on them! (Probably a vendor that was hacked); but fortunately for most folks that use hotmail, at least, the message was mostly blocked indicating it wasn’t really a PayPal message. I sent it to the PayPal abuse email, and they confirmed it was a phishing email.

      These can be very convincing messages, because all they indicate is that you need to log on to your account to check a new customer agreement, or some other very convincing innocuous maintenance request. If I hadn’t seen the blocked portion of the message I could have been easily duped. Fortunately I never follow email links to my accounts – unless I’m testing a security app that shows some indication that the web site is fake. LastPass is one of those – you can’t logon to a fake URL, Comodo DNS is another, that prevents redirects to sites that may have stolen SSL certificates.

  4. Thank you for advertising my shop, my old advertiser was not near as good as you.. šŸ™‚Ā Ā  much obliged, sir. til next time. =)

    http://i27.lulzimg.com/a3adf1371c.png

    I will make another 1000$ donation soon.
    Peace & Fuckoff !

    Regards~

    • Brian doesn’t want your stolen money.

      I think you aren’t as happy as you seem.
      More advertising and more attention = more heat.

    • Author : iProfit (IP: 67.159.5.242 , .)
      E-mail : lulz@krebsonsecurity.com
      URL : http://iprofit.su
      Whois : http://whois.arin.net/rest/ip/67.159.5.242

      Haha. What a l33t haxor! He uses hidemyass.com to leave a comment! Yes, your secret is safe with them!

      http://www.eweekeurope.co.uk/news/hidemyass-anonymity-service-exposes-alleged-lulzsec-hackers-40663

      • yeah šŸ™‚

        Kids doesnt knw the real security.

        • I’m sorry, but there’s difference between security and crime.

          • Such a pointless reply considering the context of the original statement. The “security” was the confidentiality of the criminal’s identifying information via an anonymity scheme. The commenter said the criminal didn’t “know security” because he or she made a very basic & fatal mistake. Crime is about intent and how the technology is used. Security & successful crime work hand in hand (or don’t, like here).

      • what m i using …………hummmm
        is that HMA still or something else ….. šŸ˜€

        Use ur brain šŸ˜‰

      • Oh Brian, surely you are aware that many folks use multiple IP hops when conducting this type of business online. Also, you’re assuming that some random poster on your blog is the owner of the site. It seems like you’re absolutely giddy at the opportunity to flaunt your smarts. We know you’re a smart guy. You don’t have to jump up and down, pointing to yourself and announcing it to everyone.

        I know it’s fun for everyone to have this big circlejerk where they get to laugh about these oh-so-pathetic kids in their mom’s basements, but Brian, I believe you are intelligent enough to be aware that this stereotype is quite often very far from the truth.

        As for the others, and you know who you are, good job pretending that everybody you find unsavory is automatically some kind of degenerate social failure. Are you members of the Tea Party as well? I ask because your opportunistic arrogance has a startlingly similar odor.

        • Nice crowd you have here. I get downvoted into oblivion for a thoughtful comment questioning everyone’s apparent middle school mob mentality, yet not one person responds. Thanks for proving my point, dweebs.

          • Thoughtful comment? It is certainly possible that the person who left that comment about the fraudulent $50 donation to my site does not run iprofit.su, but whoever it was that left that donation certainly broke the law by hijacking someone’s account to send me their money without authorization. I can confirm this because the screen shot he posted matches the information in the (now reversed) fraudulent PayPal payment that was made to my account.

            There’s no “stereotype” there. If someone wants to come on my blog and brag about and present evidence of a crime — especially one directed at the author of this blog — I don’t think they should expect any other kind of treatment.

            • Brian Krebs is well endowed on the internet, and goddammit, the whole world needs to know it!

              • Geez you’re a piece of work aren’t you:

                “As for the others, and you know who you are, good job pretending that everybody you find unsavory is automatically some kind of degenerate social failure.”

                You might think you’re defending left wing ideals (I find your post quite confusing but that’s what I’m reading out of it) but myself and most other sane people consider thieves to be unsavory people and the subject of the article, whether they are correctly identified or not, are thieves. The fact that the site has been removed isn’t proof but suggests they were correctly identified and relatively stupid to boot if they used HMA. There is this thing called TOR you know as well as other means of hiding your identity LOL.

                They are indeed social failures as far as I’m concerned because they’re preying on innocent people who have obtained their means legally (in most cases) – by the sweat of their brow and the application of their minds. There has not been a civilised society in history where theft has been condoned – this is because humans are at a higher level than animals.

                Most people hold this view regardless of political persuasion I can assure you.

                You however, for whatever reason (probably some sort of guilt issue I imagine) seem to be bent on defending criminals. This isn’t even a so called “victimless crime” by any stretch of the imagination – it’s people directly taking property and causing hours or months of anguish to other people for nothing other than their own gain.

                Once can only hope that you yourself becomes such a victim so that you can be disabused of this viewpoint you hold.

    • Such a foul mouth , got caught you misfit . I don’t even think this “PUNK” kid knows what he is doing . New word for miscreant a bottom feeder . Can’t function in the real world . LOL šŸ™‚

  5. Its not an phishing attack, it can be done by bulk email+pass

    ex: example@example.com:password

    there are some automated tools to check

    Proof: [IMG]http://i27.lulzimg.com/b6c539fdef.jpg[/IMG]

    the email+pass can be found hacking websites

    Regards

    george davidowski

    • Yeah, and you raise another obvious explanation: Some people use the same password for their PayPal account that they do for their email account they used to register the PayPal account.

  6. OMG we can buy hacked Paypal accounts . dam where is the internet security

  7. Registration Temporary closed, Contact ICQ: 569-692

    hahahha, Kid got scared..

  8. @ Brian Krebs

    The guy giving you a donation was hilarious. Back on topic, though, I’m surprised to see the verified PayPal accounts being sold this cheap. The going rate was around $70 a pop when I checked last year. What gives? Is this guy just an incompetent businessman giving his assets away in a massive firesale? Or has the supply of stolen credentials (and suppliers) increased enough to justify such low prices?

    I’m curious what the going rates are on the carding sites. My last foray researching “reputable” sites gave these numbers (average): $25 for MC/Visa; $10 for CCV; $100 for full info; $300 for CC+PIN; 10-15% of balance for bank account. Since you probably visited blackservice, can you tell me if prices there have experienced a similarly large drop?

    • lol wut? you might want to go back and do research again. A cc at 10$ hasn’t been around since like 2001. Fullz are 5-10$, and no one sells dumps + pins. as far as paypal prices go, the price he sells them for are overpriced.

      • I don’t know what to make of your post. That dozens of sites in my research had those prices proves they “exist.” That Krebs gives us pictures and info on plenty of ATM skimmers that collect cards + PIN’s, along with sites advertising them, disproves your claim that “no one” sells them. (What are they doing? Collecting them for recreation?)

        I certainly didn’t explore every site & try to infiltrate black market forums looking for the very best deals. The reason is that I’m not a renowned investigator & I’d rather not be associated with that information in any logs, witness statements, etc. Nor did I need the temptation during hard financial times. Hence, I read articles from groups like Krebs, Wired, etc. & visited the sites they mentioned. They had those prices and offers, although some were higher. That I was asking for information on price changes from Krebs shows I don’t claim to know what’s currently going on in underground pricing.

        • Any website offering dumps + pins is a scammer. Why would anyone in their right mind sell dumps + pins. That’s like selling money for money. With a dump + pin combo all a person would need to do is get a msr, write it on the card and go to an atm and withdraw as much money as possible. Selling it for 150$ is just plain stupid.

          Here is an example of the prices. This is posted by a spammer to get customers, and even his prices are overpriced, and I can guarantee you he’s a scammer.

          http://s4.invisionfree.com/playr_forum/ar/t3819.htm

          you can google about dump + pin selling and there’s people complaining about being scammed, because it’s just plain stupid to sell money for money, and no one does it.

          • Wow have prices gone down. I appreciate the update. I do disagree with your assessment that selling card+pin is stupid & nobody does it. Getting to ATM’s, cashing them out & never getting caught can be hard in some areas. It’s high risk compared to online crime. Those SMS or bluetooth skimmers, on the other hand, must be installed once & keep producing card+pin dumps over time. Each one sold for $300 or so through Western Union is much less traceable, especially if you have someone else do the transfer. (Pay some Mexican guy $50 for each $300-500 he picks up.) Plenty of people would choose less rewards for less risk.

            I agree, though, that most of the sites you get on Google or the forums are scams.

  9. Looks like iprofit.su is hosted by leaseweb.de, a network known for badness. It is consistently near the top of Spamhaus’s worst networks, and is currently #8 out of about 39,000 according to hostexploit.com.

    http://sitevet.com/db/asn/AS28753

  10. i got much information about this guy šŸ™‚
    he is from bangladesh šŸ™‚ if you need his information catch me on gtalk/icq/msn .. can not release here šŸ™‚ thanks

  11. greez bro for hecking these paypals ! heck them all !! vouch!!!1

  12. That makes a whole lot of sense dude.

    http://www.being-anon.eu.tc

  13. oh darn. it seems the site has been suspended.

    500 Internal Server Error
    An internal server error has occured. Powered By LiteSpeed Web Server
    LiteSpeed Technologies is not responsible for administration and contents of this web site!

  14. here are simular ones

    madtrade.org
    carderprofit.cc

    and guess what domain registar and hosting allowing them even after knowing about it

  15. tell me your email id..

  16. who is rajitbansal?
    and yeah owner is of BD only šŸ™‚ i got all the proof šŸ™‚

  17. Ok everyone, look at my nick , that you recognised me, here is the real info (feds here you go)

    Cyber Hacker/Tony/blackservice owner/pp24.org and iprofit.su owner = Bangladesh, and the facebook posted above is correct.

    We don’t need any more kid faggots in the scene, so feds, arrest him
    Oh, and along with that rajitbansal guy.

    With Love
    KH

  18. wtf? stop using my name kid, KH now CH gonna piss u in MT

  19. Oh, and bulletproof domain register RU-CENTER was my idea

  20. The Admin of these websites is from Pakistan šŸ˜‰

  21. Using extreme profanity and impersonating the author of this blog are the surest ways to have your comments removed and further comments banned.

  22. @author i need ur instant messanger details, need to talk wiith you regarding something related, can not post in public..

  23. When I am thinking a bit about that – we have a problem here , and it is the Paypal itself. I use it everywhere possible instead of credit card, others i know also and what exactly does this money-processing service offer us to secure our money ? Not much i have to say.
    I’ve been trying to order their hardware “Security Key” for 2-factor authentication for a year but always get “The Security Key is currently not available. Please try again later.” error, which i presume because I am not from US, on my mail they didn’t really answer and i left the idea, BUT … even those few lucky ones to have it are mislead into security promise , as article here http://danielmiessler.com/blog/paypal-and-two-factor-authentication-a-weakest-link-case-in-point shows that you can just click on “I don’t have Security Key ” link and all this “protection” goes down to drains.

    I wish someone with enough power could wake them up in Paypal about taking user’s protection a bit more seriously .

    Actually, Brian – did you by any chance have any communication with Paypal about this you could share ?
    Thanks
    Yuri

  24. This is disgusting guys, at least try to show people that us carders are mature adults..instead sitting here arguing like children. Black service (his forum) and Iprofit (his shop) are both horrible examples of what the REAL carding scene is. Please guys grow up and act like mature men, instead of children running wild on the internet.

    • Mature adults don’t rip off innocent people as if they’re owed something. That’s basically the attitude of a grown up who hasn’t matured enough to realise that the rest of the world isn’t there to play the role of their parents. Mature adults also don’t choose to ignore the consequences of their actions on other people.

      Also you’re not exactly the the sharpest tool in the box are you: the article isn’t regarding carders.

      Although I realise no one likes to hear this – no one likes to realise they’re less intelligent than their fellow man basically – statistically you’re likely to have a lower IQ than average. Multiple wide ranging studies have shown criminal offenders have this trait.

  25. Also brian, I would watch your site, your going to piss off the wrong people one day and bye-bye goes your site, and dont think anti-ddos will have any effect on the outcome šŸ™‚

    • Same threat has been made by other people multiple times, sometime they even carried through on their threats.

      Oh and look the site is still here. I seriously doubt you can carry through with this threat in any case, your posts smack of someone a bit carried away with talking the talk to make themselves feel like a big man.

  26. Hi brian,

    The online carding scene act as community… If there is 50 people of a community with zeus and over 50k bot and you hit wrong person…I don’t think your site will be alive long time šŸ™‚

    Cya

    • Zeus doesn’t even have DDoS smartypants.

      And what do you think does DDoS achieve ? Let the servers explode ?

      Why don’t you go back to hackforums.net and play with your big-boy tools to kick people off of Xbox-Live ?

      I think it’s unfair that there wasn’t enough brains for every person on the planet šŸ™ .

  27. Credit to Google “ICQ” “569692”

    http://omerta.cc/showthread.php?t=1064
    More adverts from ICQ 569692

    https://twitter.com/#!/bsdotbiz
    The same ICQ on Twitter

    http://carding.su/member.php?u=113200
    And again, aka pp24.org > iprofit.su

    http://www.sythe.org/member.php?u=290551
    * blacks3rvice@gmail.com

    etc

  28. Why doesn’t ICANN or IANA just delete the .su domain? Wouldn’t that kill all of the .su accounts?

  29. nice article. i found the comments so entertaining- trolls got trolled.

  30. HE CHANGED THE URL TO ” http://shop.lulzsec.su

    PLEASE UPDATE YOUR POST.