Compromised PayPal accounts are a valuable commodity in the criminal underground, and crooks frequently trade them in shadowy online forums. But it wasn’t until recently that I finally encountered a proper Web site dedicated to selling hacked PayPal accounts.
Many of the PayPal accounts for sale at iProfit.su have a zero balance, but according to the proprietor of this shop these are all “verified.” PayPal “verifies” an account when a customer agrees to attach a bank account to it; PayPal then sends a micropayment the bank account, and asks the user the value of that mini deposit. A bonus feature: all the hacked PayPal profiles currently for sale at iProfit.su are advertised as having a credit card attached to them, which is another way PayPal accounts can be verified.
The creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts; currently he is selling these at $50 per 100 accounts – a bargain at only 50 cents apiece.
Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.