And as with all tradable commodities – rather like cigarettes and stockings after the Second World War – an exchange now exists to trade those stolen PayPal identities.
According to security researcher Brian Krebs, after tracking stolen PayPal accounts to an exchange – iProfit.su – he has made the interesting conclusion that, whilst many accounts for sale on the site have a zero balance, they are still worth hard cash to cybercriminals.
This is, he says, because the accounts sold on iProfit.su have verified bank accounts attached to them – meaning, Infosecurity notes, that direct debit, check-free or similar near-instant account withdrawals can be triggered and loaded into the PayPal account. And as an added bonus, many of the stolen PayPal accounts also have a debit or credit card attached to them.
In his latest security posting, the Krebs on Security researcher asserts that the creator of iProfit.su also advertises private, bulk sales of unverified PayPal accounts at the bargain rate of $50.00 per 100 accounts.
“Accounts are sold with or without email access”, he says, adding that email-enabled accounts also come with the user name and password of the victim's email account that is linked to their PayPal registered account, all of which appear to have been stolen using phishing attacks.
Krebs goes on to say that it's not clear how the site operator prices the verified PayPal accounts, as prices seem to vary – from $2.50 for verified accounts with a balance of up to $10.00, and between 8 and 12% of the balance available for higher in-credit accounts.
“For example, one account - apparently taken from a hapless victim named Abigail - has a current balance of $121.07, and is being sold for $15.00”, he notes.
“Another account, from Glynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45.00 Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. I sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account”, he says.
Unsurprisingly, Krebs also reports that the operator of iProfit.su operates a carder forum where all sorts of stolen goods and services – including payment card credentials – can be traded.