How much is your stolen PayPal data worth?

05 October 2011

It seems that compromised PayPal account data – usually sourced via phishing attacks – now has a typical cybercriminal value, much as stolen credit and debit card credentials have had for some time.

And as with all tradable commodities – rather like cigarettes and stockings after the Second World War – an exchange now exists to trade those stolen PayPal identities.

Security researcher Brian Krebs, after tracking stolen PayPal accounts to an exchange – iProfit.su – has reached the interesting conclusion that, whilst many accounts for sale on the site have a zero balance, they are still worth hard cash to cybercriminals.

This is, he says, because the accounts sold on iProfit.su have verified bank accounts attached to them – meaning, Infosecurity notes, that direct debit, check-free or similar near-instant account withdrawals can be triggered and loaded into the PayPal account. And as an added bonus, many of the stolen PayPal accounts also have a debit or credit card attached to them.

In his latest security posting, the Krebs on Security researcher asserts that the creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts at the bargain rate of $50.00 per 100 accounts.

“Accounts are sold with or without email access”, he says, adding that email-enabled accounts also come with the user name and password of the victim's email account that is linked to their PayPal registered account, all of which appear to have been stolen using phishing attacks.

Krebs goes on to say that it's not clear how the site operator prices the verified PayPal accounts, as prices seem to vary – from $2.50 for verified accounts with a balance of up to $10.00, to between 8 and 12% of the available balance for accounts with higher balances.

“For example, one account - apparently taken from a hapless victim named Abigail - has a current balance of $121.07, and is being sold for $15.00”, he notes.

“Another account, from Glynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45.00. Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. I sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account”, he says.

Unsurprisingly, Krebs also reports that the operator of iProfit.su operates a carder forum where all sorts of stolen goods and services – including payment card credentials – can be traded.

This article is featured in:
Data Loss  •  Internet and Network Security

 
