We all know that you can buy practically anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts. Brian Krebs sheds some light on the latter in a post on the Krebs on Security blog. He identified websites where PayPal account data, and sometimes linked email account information, was sold in bulk.
According to his information, PayPal accounts are sold for as little as $50 per 100 unverified accounts. 50 cents per account may not seem like much, but you need to consider that unverified means that the original owner has not linked the account to a bank account or credit card. This limits what can be done with the account (while it is possible to use it to move money, it cannot be used to make purchases if the PayPal balance is not sufficient).
Verified accounts, on the other hand, start at prices of $2.50 for PayPal accounts with a balance of up to $10, and more if the balance is larger. You see a larger account with a balance of more than 1000 dollars go for $45 at the site selling those hacked accounts.

It is rather interesting that the site not only lists the account balance, first name address and type of account but also much of the user’s email address. Registration at the site is closed and only possible by contacting a site operator over ICQ.
Considering that email addresses are listed, it would make sense for PayPal to try and get an account to block all hacked accounts before third parties can use them for illegal activities.
Brian believes that the majority of accounts for sale have been collected via phishing attacks, but that trojans on user computers have also been used, considering that some of the PayPal accounts are sold with linked email account logins.
It feels kinda strange that a site like this can operate for a relatively long time without being taken down by the authorities. I won’t link directly to the site, but you find the link and a sister site mentioned in Brian’s article.
I personally would have expected the accounts to be sold at higher prices. This can either mean that demand is not high, or that the site operators have access to a lot of hacked PayPal accounts.
What’s your take on this?

That’s why I stay away from things like PayPal. I don’t even bank or pay bills online.
Well… I think it is almost impossible not to have a PayPal account, if you want to buy things online. I suppose it’s the least dangerous option (much better than giving your credit card info to every site you work with). I just try to have a well protected system (firewall, sandboxie, anti keylogger, etc). Praying also helps! :)
Holy Cassava…
Though one knows that this kind of stuff exists, it’s still scary to see proven examples.
I’m off, to change all my passwords…no, I shall disconnect first, then wipe my installation before I restore from backup. But wait, maybe there is a trojan within the backup…
Halp !! :p
Thanks for the heads up. I wasn’t aware how insecure Paypal is. Glad I dumped it over the blocking of Wikileaks donations. I’m not a donor, but I don’t like the idea of foreign politics determining how I might want to legally spend my money. Now if only I could find a replacement for Mastercard.
Why would someone sell an account with $1000+ in it for $45 rather than spend the balance themselves? These phishers seem very fishy.
Good question. I’d say they either are only in the hacking business and do not need that extra burden or they do not want the payments linked to them. I mean, if you make payments you have to get something for it which could be linked to them or a third party.