John Pluhowski_Paypal_BML_sock_puppets_200

When the Haggler asked the eBay spokesman John Pluhowski for the name of the PayPal spokesman and the Bill Me Later spokesman, he offered one name: John Pluhowski.



Malicious software includes 48 trojan(s), 36 exploit(s).


Several days ago I noticed that Paypal was showing infected at Google’s Safe Browsing tool page.

Looking again I see that the problems seem to be getting worse. The amount of malware detected is up since the last time they visited.

What happened when Google visited this site?

Of the 3662 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-22, and the last time suspicious content was found on this site was on 2013-04-05.

Malicious software includes 48 trojan(s), 36 exploit(s).


Attention Holiday shoppers!

The long uncorrected xss flaws are still alive and well on ebaY. That means safety issues, ID theft etc. Just a brief explanation: If hackers can cause that pop-up to appear, they can pretty much do whatever they want. Just by you landing on one wrong page.

You’ll never see any indication until your bank account is drained or you receive a bill for a bazillion fake items listed on your ebaY account, etc.

Avoid ebaY like the plague!

Read all about it here. Catch the mirror proof of concept page here.

Click the image to enlarge, opens in a new tab or window.

I’ll spare too many words here, except to say that those following along know it’s not the first time, or the last. Far from it. This has been somewhat of a slow speed chase. Here are the bloody gloves.

If they get you, you’ll fall victim to the hackers, and ebaY’s atrocious, lackluster customer service and policies.


Once again I’ve stumbled upon a site where fake Paypal accounts are being sold. This time on the not so secret or hidden “hidden services” of the Tor Network.

Tor is a privacy and/or anonymity oriented software/browsing project, which has many legitimate uses. But like all things it can be used for other purposes too.

Fake Paypal accounts have been found and exposed so many times now it boggles the mind. Not only have I found them as far back as 2008, but so has Doc of, auctionbytes, and krebsonsecurity to name a few. You can see even more here.

This is truly a perennial problem, and an entire sleazy industry. A problem which Paypal seems to deal with best by penalizing and abusing innocent, legitimate users.

The website is located at:


which I believe you can only access via Tor.

The PayPal Store Home Page

When you click on “about” you are presented with this text:

Hello and welcome to the PayPal Store. Here you may purchase clean/hacked USA PayPal accounts, to use for online/offline black hat activities, etc.

Each purchase comes with a US PayPal account along with the associated e-mail account, fake identity of the PayPal’s “owner”, and optionally a VPN (for extra money). See Prices page for products.

Owning a fake PayPal is a must for black hats, e-whorers, scammers, money laundering, etc. These accounts are newly-created and have never been used, (no balance, etc., not including hacked accounts) and, if used correctly, should never become limited.

The Paypal Store About

The site also has an FAQ page:

The Paypal Store FAQ

The the pricing page, where the payment options are shown as Bitcoin and Liberty Reserve:

The Paypal Store Prices

There’s also contact page with a huge smile image and an email address. I’m not going to show that here.

One thing I’d like to point out here is that I’m not advertising for this website or service. I advise people to NOT get involved with such things. There’s no way of knowing who is on the other end or what you are actually supporting.

If you follow the news, then you know recently there was some sort of international drug bust of cyber-dope dealers. So it’s not out of the realm of possibility this site could be a sting operation of some sort

I’m not looking to start any conflict with users or owners of the site/service either. The purpose here is to alert legitimate PayPal users as to the risks involved as well as the utter dishonesty and hypocrisy when it comes to PayPal, their policies, practices etc.

Do I need to go on and describe PayPal pompous stance on security, or their lackadaisical policy enforcement/application? I could just mention a few things like Wikileaks, the Regretsy kids, constant violations of State Money Transmitter License terms, the current Zimmerman fundraising fiasco, recent articles from The Haggler

Add to that the recent spurt of Paypal employee personal issues: They’ve had 2, count them two people commit suicide, and one get arrested for raping a 13 year old girl. All these things combined certainly don’t instill a sense of well-being to users, and seem to hint at deep dark troubles imo.

You get the idea. I could go on and on about the world’s “most loved”.

I’d like to point out again that the biggest risks involved are in the Paypal User Agreement, (a special arrangement of weasel words longer than Shakespeare’s Hamlet) in that they do NOT guarantee the identity of your trading partner, nor that any transaction will actually be fulfilled, they can (and will) lock your account, seize your funds without having to disclose any reason why. Top that all off with the key phrase “THE PAYPAL SERVICES ARE PROVIDED “AS IS” AND WITHOUT ANY REPRESENTATION OF WARRANTY”

I still advise to steer clear of PayPal (and ebaY too for that matter)

If you have an account, close it down before you fall victim of this unsafe, untrustworthy, scandalous  outfit.

Not to surprising info posted over at

Active, hacked or phished Paypal accounts found for sale on yet more venues. For those not paying attention, there are entire sleazy industries surrounding all things ebaY & Paypal. This particular type has been exposed time and again.

Please don’t overlook the very real possibility they could all be insider fraud, as Paypal’s own documents show.

I say this because ebaY and PayPal  have been very quick and thorough to silence criticism and exposure of embarrassing facts, yet these highly fraudulent sites remain. EbaY allows as many accounts as a person wishes, and Paypal does little to nothing to verify people at the gate. Rather, they wait until funds are in one’s accounts, then seized, after the fact, under any number of false or invalid reasons, until you are “proven worthy“.

It’s pretty obvious that the members are being used to subsidize fraud and failure, and to cover PayPal’s losses, which are bourne of their very own lackwit policies and practices IMO.

The very best thing you can do is avoid PayPal and ebaY. Close both your ebay and Paypal accounts and do whatever you need to to be sure they cannot access both your bank accounts and credit cards.

Not surprisingly, the cross scripting, xss,  and/or flash manipulation scam is alive and well on ebay, this time documented by a casual observer.  This has also been documented time and again by myself and others on Youtube BTW.

For those not aware, these ID stealing flaws, through careful research, have been shown to exist uncorrected on ebaY for as long as 11+ years now.

What’s even more alarming: you don’t need to actually sign in to any phake login page to have your credentials stolen, thanks to the cookie stealing variant of this hack.

Top that off with the fact that ebay’s own policy is to blame the user/victim.

Numerous comments at my youtube videos also indicate that victims are treated poorly and unprofessionally by ebaY’s customer service reps.

Important facts to consider when choosing online shopping or even surfing destinations.


Ebay scam redirect camper van

Uploaded by on Jun 8, 2011

hi, im not even a ebay member, but was looking at camper vans, if its to good to be true it probably is, dont be foolish and loose your details or money, thanks for watching. can you trust this site, i think not. thanks for watching. please remember if you do buy something like this you part with your money you will have no comeback, yes thats right, do your checks aa rac whatever, dont part with your money on the descriptions(important) alone on this site you could end up with a pile of poop. hpi only shows recorded accidents, not accidents repaired by other means, so get it checked. dont believe these lying scum.


Update: for whatever reason that video has been removed. Anyone wishing to see it can leave comment below and we shall make it available from the Mighty Cappnonymous Archives

Yet more cross scripting flaws discovered on PayPal site(s)…

From Softpedia, via

Two security researchers have independently identified cross-site scripting vulnerabilities in PayPal’s mobile and sandbox websites over the weekend, which could have been exploited in phishing attacks.

The XSS weakness on the website was discovered by a member of the Romanian Security Team (RST) outfit, who goes by the online nickname of Nemessis.

article continues…

One vulnerability is confirmed fixed.

Please take note who is researching and reporting, Romanian bashers…

This reminds me of another incident which happened a while back. Also, If you haven’t been paying attention, it’s been reported that several smartphones are vulnerable to MITM attacks