We all know that you can buy practically anything on the Internet, from bulk email accounts to credit card information and even PayPal accounts.
Brian Krebs, in a post on the Krebs on Security blog, sheds some light on the latter. He identified websites where PayPal account data, and sometimes linked email account information, were sold in bulk.
According to his information, PayPal accounts are sold for as little as $50 per 100 unverified accounts. 50 cents per account may not seem like much, but you need to consider that unverified means that the original owner has not linked the account to a bank account or credit card. This limits what can be done with the account (while it is possible to use it to move money, it cannot be used to make purchases if the PayPal balance is not sufficient).
Verified accounts, on the other hand, start at prices of $2.50 for PayPal accounts with a balance of up to $10, and more if the balance is larger. You see a larger account with a balance of more than 1000 dollars go for $45 at the site selling those hacked accounts.
It is rather interesting that the site not only lists the account balance, first name, address and type of account but also much of the user's email address. Registration at the site is closed and only possible by contacting a site operator over ICQ.
Considering that email addresses are listed, it would make sense for PayPal to try to get an account at the site so that it can block all hacked accounts before third parties can use them for illegal activities.
Brian believes that the majority of accounts for sale have been collected via phishing attacks, but that trojans on user computers have also been used, considering that some of the PayPal accounts are sold with linked email account logins.
It feels kinda strange that a site like this can operate for a relatively long time without being taken down by the authorities. I won't link directly to the site, but you can find the link and a sister site mentioned in Brian's article.
I personally would have expected the accounts to be sold at higher prices. This can either mean that demand is not high, or that the site operators have access to a lot of hacked PayPal accounts.
What's your take on this?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.