Phished PayPal accounts selling on the criminal underground for $0.50 apiece

Cory Doctorow at 8:59 am Wed, Oct 5, 2011

Security researcher Brian Krebs got a look at the auction prices at iProfit.su, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going rate for 100 zero-balance verified PayPal accounts is a mere $50, that is, 50 cents per account.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.

How Much is That Phished PayPal Account? [krebsonsecurity.com]

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • xenphilos

    Do they accept Paypal?

  • GeekMan

    It’s worth pointing out that “.su” is the top-level domain of the Soviet Union, which was dissolved 20 years ago this December. ICANN called for this domain to be phased out 10 years ago, but new registrations are still being processed.

    • http://twitter.com/donaever DonE

      Do they have any general patterns of use for the domain? I mean, is there any information about whether it’s mostly black market businesses?

      I would hope that it is mostly used by old, grizzled and badass graphic designers who refuse to change their style to match the new reality.

  • Dewi Morgan

    “the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.”

    No. It suggests that they use the same password for their email as their paypal. Get one, and you’ve got both.

    Easiest way to do this is to create a blog or forum that requires a login, and email confirmation. Many people will use the same password and email for your site as for their email/paypal.

    So the simple thing to do is USE DIFFERENT PASSWORDS EVERYWHERE!

    If, perhaps due to some kind of retardation, you can’t think of a way to make a memorable password based on the domain name you’re connecting to, then at the very least use different passwords on anything to do with money – including the email access that you use to *verify* those secure accounts.

    And the other thing is to never click a link in a paypal or banking email. Type in “www.paypal.com” and go from there instead. If it was anything important, you’ll see it as a popup on your account screen.

    • http://www.facebook.com/profile.php?id=100000887754835 Billy Hale

      You’re absolutely right. My wife made this silly blunder with an Etsy signup and a new PayPal account. Someone within Etsy (there is zero doubt about that) used or sold her PayPal login to buy US$300 in “gold” for some online Chinese game…which they likely promptly resold.

  • gourneau

    What a surprisingly nice UI.