Sobering new details on a criminal enterprise affecting unfortunate PayPal customers counter the company’s security insurances, says an investigative report. Hackers are brazenly selling stolen PayPal accounts to cyber thieves.
Brian Krebs of Krebs on Security discovered a site called iProfit.su where verified PayPal accounts with valid credit card numbers can be purchased both individually and in bulk. It’s a Sam’s Club for cyber crooks.
Accounts are sold with or without email access: Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.
Digging through the site’s promotions, Krebs found that the asking prices vary.
“In the accounts I saw advertised, the prices started at $2.50 for verified accounts with a balance from $0 to $10,” he said. “Higher-balance verified accounts appear to be priced at between 8 to 12 percent of their total balance.”
The site has ties to Cold War-era Russia, reasoned Krebs – pointing to it’s suffixed .su top-level domain as a plain giveaway. “It’s a holdover from the country-code TLD that was created for the Soviet Union in 1990,” he explained, adding that the code has become a go-to choice for cyber criminals in recent years.
Have you ever been the victim of online fraud? Share your experience in the comment section.