Webroot analyst Dancho Danchev has spotted the shop, finding that accounts with balances are going for $15 to $20 each. Accounts with no assets go for $2, presumably bought by those who hope the account will be topped up soon.
As with most things, all PayPal accounts are not created equal. In this case, the data is segmented into a handy shoppable format by email address of the affected victim, verified/not verified account, type of account, card confirmation, bank confirmation, balance, first name of the victim, the country of origin, and the actual selling price. It’s a comparison shopper’s dream.
“It’s pretty obvious that the cybercriminal behind the E-shop is using perceived value for his pricing scheme,” Danchev said. “What we’ve got here is a decent example of how these inexperienced cybercriminals are looking for ways to monetize the fraudulently obtained data as soon as possible, instead of ‘cashing out’ the accounts by themselves, which could lead to possible risks to their operational security.”
But that’s not all: the enterprising hacker is also throwing in a customer service perk. “What’s particularly interesting regarding this e-shop is the fact that the cybercriminal behind it tried to come up with a value-added service, in this case a built-in Socks5 proxy checker, to be used when interacting with the hacked PayPal accounts for greater anonymity,” Danchev explained.
These are not publicly obtainable Socks5 servers, he noted. Instead, they are malware-infected hosts converted into anonymization proxies, which lets the cybercriminals who are about to cash out the hacked PayPal accounts shift the risk of being traced onto the IP address of an innocent malware-infected victim.
The e-shop is exclusively targeting US citizens, and currently has an inventory of 1,543 hacked PayPal accounts, followed by another 14 for the UK. But it’s likely the gambit will pop up elsewhere. “On a daily basis, largely thanks to the efficiency-centered malicious campaigns circulating in the wild, cybercriminals get access to tens of thousands of accounting credentials across multiple Web properties, and most disturbingly, online payment processing services like PayPal,” Danchev said.