Malicious software includes 48 trojan(s), 36 exploit(s).


Several days ago I noticed that Paypal was showing infected at Google’s Safe Browsing tool page.

Looking again I see that the problems seem to be getting worse. The amount of malware detected is up since the last time they visited.

What happened when Google visited this site?

Of the 3662 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-22, and the last time suspicious content was found on this site was on 2013-04-05.

Malicious software includes 48 trojan(s), 36 exploit(s).


However, as shown in the video, this is nothing all that new…

For best results you’ll want to go to youtube or expand to fullscreen.

Fake eBay Security Shield Phishing Attack & Malware Ongoing Since November 2009

On April 1st, 2010 Red Condor Security blog published an alert regarding a phishing attack on ebaY, said to be hosting trojans and/or other executable malware on ebaY’s own servers.
Cappnonymous demonstrates the attack, and/or variant(s) thereof, has been ongoing since at least November 2009, and/or through more than one vector.

Pages/threads seen here:

Phishing Attack Posing as eBay Security Alert

Re: ebay procedural warning – Excuse Me ???

Malware showing up in eBay today JS:Pdfka-OE

Re: trojans on ebay site…beware (live page) results for :

AboutMe page used to host malicious download link

Properties of malicious/compromised AboutMe page

Virustotal results for :
from 11.08.2009 @ 15.22.23

Update, 05.26.2010

In case no one was paying attention, the file JS Pdfka-OE you see mentioned in the video as being a false positive by a pink has turned out to be a genuine exploit from the looks of things.

It now shows as malicious on half the major virus scanners via So anyone who took eb’s advice got owned.

Still, no announcement, no retraction, update, clarification… no nothing from eb?
I wonder why that is? After all, it’s only literally millions of people’s lives potentially ruined?

I can’t stress this enough, the file was and likely still is being hosted on ebay very own servers, along with the other ‘security shield’, which is still being found on about me pages.

Uploaded with


This could have been a follow-up to the last thing I posted here, but it is an entirely different incident, report, and item, thus deserving it’s own post.

Reported now today in

Hacker training sold on eBay
Development is further evidence of e-crime becoming mainstream
Tom Young, Computing 20 Sep 2007

“Hacker toolkits that used to be available only on hidden forums are now for sale on eBay, according to security vendor Tier-3.”

The article goes on to state:

‘High level hacking tools, including surreptitious trojan loaders and Web site hacking utilities, are being put into the hands of almost any internet user,’ he said.

We also see a response from ebay:

“We are satisfied that the presence of such an item on the US site is not commonplace, as although we have 100m listings live on the site globally at any one time, we are very effective at removing prohibiting items, often before the listing ends and any sale is completed,” said eBay in a statement.”

Please note that as of the time of this posting, the item linked in the original article and shown below is live. Apparently ebay does not mind these types of things being offered for sale on IT’s site.

I can only imagine what may happen when we have dozens if not hundreds of jimmy.cry90 s and or jimmy.cry@gmail s running around.


Full page view, resized creencapture. Click to enlarge in a new tab or window.

Paypal users at risk.

Sleazebay-Preypal Spokesperson Bagdad Bob

PayPal data stealing trojan and IcePack malware installer

PayRob.A is a Trojan designed to steal data from PayPal accounts. Like most Trojans, PayRob.A cannot spread by itself, but needs intervention from a malicious user to reach computers.

If the targeted user runs the file carrying PayRob.A, it gives itself hidden file attributes and modifies the Windows Registry to ensure it is run whenever the system is restarted.

The Trojan creates two files on the infected computer in the temporary Internet files folder and in C:\WINDOWS\MSAPPS\. If the latter folder is not found on the system, an error message is displayed.

It also copies a file called modeexpinovo.txt to the temporary Internet files folder. This text file stores all of the PayPal passwords that it finds on the affected system. This file can be accessed remotely by hackers from a certain Internet host. (continues)

Here is the overview from Pandasoftware.

This apparently is a new discovery. I find no mention of how long the exploit is thought to have been in the wild. All along we have seen reports mysterious & unusual PayPal related activity of all sorts, like this for instance. Further, who could forget the compromised accounts and clear evidence of massive leaks we saw on the Sicherheit forum recently. (before ebay attempted to make it all disappear) English translation page here     (the embedded youtube video you see in the German language screencap is from FireFox   browser  Greasemonkey extension VideoEmbed Script)

To be completely safe from things like this, the answer is obvious:

Avoid Paypal like the plague. Close your accounts, be sure to check with your banker and credit card issuer to secure your bank & credit card accounts. (Then find yourself a safe , reliable & honest payment service.)

I can guarantee one thing; when your account gets compromised, & your bank account gets cleaned out and/or your ID stolen, PayPal will wash IT’s hands and leave you in the cold.

Remember, PayPal has a HORRIBLE record when it come to the safety of it’s users, responsible disclosure, and user data leaks

True to form, rather than correct their problems, they try to bury them. In fact, let’s just wait and see how hard they try to bury this news.