Compromised PayPal accounts are typically perceived as a valuable commodity in the digital criminal underground.
Indeed, hacked accounts are frequently traded in online forums and even sold on websites. One such site – iProfit.su – was recently identified by security researcher Brian Krebs.
According to Krebs, many of the PayPal accounts on the auction block at iProfit.su have a zero balance, but are supposedly “verified.”
“PayPal ‘verifies’ an account when a customer agrees to attach a bank account to it; then sends a micropayment to the bank account, and asks the user the value of that mini deposit,” he explained.
“A bonus feature: all the hacked PayPal profiles currently for sale at iProfit.su are advertised as having a credit card attached to them, which is another way PayPal accounts can be verified.”
As expected, iProfit.su also advertises private, bulk sales of unverified PayPal accounts, which are currently priced at $50 per 100 accounts – a relative “bargain” at only 50 cents apiece. In addition, accounts are sold with or without email access.
As Krebs notes, while some of the accounts for sale are apparently stolen via phishing attacks, others are likely hijacked by password-stealing computer Trojans.
So how much are verified PayPal accounts going for? Well, on iProfit.su, verified accounts start at $2.50 with a balance from $0 to $10, while higher-balance verified accounts appear to be priced at between 8 and 12 percent of their total balance.
Of course, the administrators of iProfit.su don’t just sell hacked PayPal accounts. No, they also run blackservice.su, which Krebs describes as a “carding forum” where members can sell all kinds of stolen goods and illegal services – ranging from credit cards to services that look up Social Security numbers and birthdays.