PayIvy Caught Selling Stolen Credentials

On May 6th, Krebs on Security broke the news that PayIvy, a platform for selling digital goods, is being used to openly sell stolen login credentials.

PayIvy does offer a necessary service: facilitating transactions for digital goods. They don’t make money off the sale of goods, but do offer users premium accounts that let them track sales.

But what makes it suspicious is that there are no open storefronts. Sellers have an obscure URL and must advertise their sales on third-party sites like Reddit. What’s available on the site? Bulk user credentials for media sites like Hulu, Spotify, DirecTV and HBO Go; gaming accounts for Xbox Live, Origin, Steam, and PlayStation Network; and software keys for popular programs from Microsoft and Adobe.

The selling of one’s own account is a legal grey area, but there is a market value for accumulated Achievement points that are connected with Xbox Live accounts or to in-game points and currency. But what would be the reason to sell your own Netflix account? Let alone sell them in bulk? The answer is simply to use a service paid for by someone else.

Netflix accounts were available, and until recently the PayIvy site owner pushed back against attempts to shut down the sale of such accounts. As of this week, however, users have been notified, and a banner across the top of the PayIvy website advises users that Netflix account credential sales are no longer permitted and that listings must be taken down by May 15th or they will be removed.

While there are many marketplaces for digital credentials, this is among the first to be so openly available and to take not just cryptocurrencies like Bitcoin but also PayPal, regarded as one of the most well-known digital payment methods. It is bad enough that stolen credentials are so easily available, but having PayPal as a payment option gives these activities an air of legitimacy. What else can you buy with a PayPal account on PayIvy? Stolen PayPal accounts.

That accounts with working payment methods are stolen en masse speaks to the incredibly high demand for them. And beyond access to the purchased account itself, as has been demonstrated again and again, one login and password combo can be what helps an attacker gain access to all of a person’s login credentials.

It hammers the point home that passwords are simply not enough. So long as the market for stolen credentials remains in place, account takeover protection needs the strength of user-based behavioral analytics behind it.