Once again I’ve stumbled upon a site where fake Paypal accounts are being sold. This time on the not so secret or hidden “hidden services” of the Tor Network.

Tor is a privacy and/or anonymity oriented software/browsing project, which has many legitimate uses. But like all things it can be used for other purposes too.

Fake Paypal accounts have been found and exposed so many times now it boggles the mind. Not only have I found them as far back as 2008, but so has Doc of ebaymotorssucks.com, auctionbytes, and krebsonsecurity to name a few. You can see even more here.

This is truly a perennial problem, and an entire sleazy industry. A problem which Paypal seems to deal with best by penalizing and abusing innocent, legitimate users.

The website is located at:

hxxp://5xhp3ntcxfpfd5ig.onion/PayPal_Store_-_Home.html

which I believe you can only access via Tor.

The PayPal Store Home Page

When you click on “about” you are presented with this text:

Hello and welcome to the PayPal Store. Here you may purchase clean/hacked USA PayPal accounts, to use for online/offline black hat activities, etc.

Each purchase comes with a US PayPal account along with the associated e-mail account, fake identity of the PayPal’s “owner”, and optionally a VPN (for extra money). See Prices page for products.

Owning a fake PayPal is a must for black hats, e-whorers, scammers, money laundering, etc. These accounts are newly-created and have never been used, (no balance, etc., not including hacked accounts) and, if used correctly, should never become limited.

The Paypal Store About

The site also has an FAQ page:

The Paypal Store FAQ

The pricing page, where the payment options are shown as Bitcoin and Liberty Reserve:

The Paypal Store Prices

There’s also a contact page with a huge smile image and an email address. I’m not going to show that here.

One thing I’d like to point out here is that I’m not advertising for this website or service. I advise people to NOT get involved with such things. There’s no way of knowing who is on the other end or what you are actually supporting.

If you follow the news, then you know recently there was some sort of international drug bust of cyber-dope dealers. So it’s not out of the realm of possibility this site could be a sting operation of some sort.

I’m not looking to start any conflict with users or owners of the site/service either. The purpose here is to alert legitimate PayPal users as to the risks involved as well as the utter dishonesty and hypocrisy when it comes to PayPal, their policies, practices etc.

Do I need to go on and describe PayPal’s pompous stance on security, or their lackadaisical policy enforcement/application? I could just mention a few things like Wikileaks, the Regretsy kids, constant violations of State Money Transmitter License terms, the current Zimmerman fundraising fiasco, recent articles from The Haggler.

Add to that the recent spurt of Paypal employee personal issues: They’ve had 2, count them two people commit suicide, and one get arrested for raping a 13 year old girl. All these things combined certainly don’t instill a sense of well-being to users, and seem to hint at deep dark troubles imo.

You get the idea. I could go on and on about the world’s “most loved”.

I’d like to point out again that the biggest risks involved are in the Paypal User Agreement, (a special arrangement of weasel words longer than Shakespeare’s Hamlet) in that they do NOT guarantee the identity of your trading partner, nor that any transaction will actually be fulfilled, they can (and will) lock your account, seize your funds without having to disclose any reason why. Top that all off with the key phrase “THE PAYPAL SERVICES ARE PROVIDED “AS IS” AND WITHOUT ANY REPRESENTATION OF WARRANTY”

I still advise to steer clear of PayPal (and ebaY too for that matter)

If you have an account, close it down before you fall victim to this unsafe, untrustworthy, scandalous outfit.

We don't need no stinking badges! LOL!

This is scary stuff while simultaneously a bit amusing.

“That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.”

“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

Here is a comedy highlight:
“VeriSign, the largest Certificate Authority, declined to comment.”

Looks like SSL is shot to hell.

Read the entire article. Follow the links there. lol

Law Enforcement Appliance Subverts SSL


This could have been a follow-up to the last thing I posted here, but it is an entirely different incident, report, and item, thus deserving its own post.

Reported today on vnunet.com:

Hacker training sold on eBay
Development is further evidence of e-crime becoming mainstream
Tom Young, Computing 20 Sep 2007

“Hacker toolkits that used to be available only on hidden forums are now for sale on eBay, according to security vendor Tier-3.”

The article goes on to state:

‘High level hacking tools, including surreptitious trojan loaders and Web site hacking utilities, are being put into the hands of almost any internet user,’ he said.

We also see a response from ebay:

“We are satisfied that the presence of such an item on the US site is not commonplace, as although we have 100m listings live on the site globally at any one time, we are very effective at removing prohibited items, often before the listing ends and any sale is completed,” said eBay in a statement.

Please note that as of the time of this posting, the item linked in the original article and shown below is live. Apparently ebay does not mind these types of things being offered for sale on ITS site.

I can only imagine what may happen when we have dozens if not hundreds of jimmy.cry90 s and or jimmy.cry@gmail s running around.


Full page view, resized screen capture.