[byoung2]

There is a good chance that the person whose password is stolen uses that password on other sites. I guarantee you that if you steal enough usernames and passwords, you'll find a lot of people who use the same credentials for their email, bank, PayPal, etc. Actually, they just need your email, and from there they can reset your other passwords and click the confirm link once it goes to your email.

The financial incentives can vary...they can make fraudulent purchases, transfer money, steal domain names, hack sites, you name it.

EDIT: For a real-life example, when I worked at Internet Brands (makers of vBulletin), a hacker managed to obtain administrator passwords on sites we owned running vBulletin. He then used that administrator's account to install a plugin that gave him access to the whole user database. He then used that database to log into other sites we owned (it is possible to google a vBulletin username to see what other sites they are members of). Once he had admin access on a dozen or so sites, he added dupedb.com links to all of them.

[JessB]

So the end game would be to transfer money out of bank accounts and paypal? Is it really that easy to do. Seems like it would leave one hell of a trail.

Whats the end game in stealing domain names and hacking sites. There has got to be a financial motivator somewhere in the chain.

Thanks for the info.

[byoung2]

Whats the end game in stealing domain names and hacking sites. There has got to be a financial motivator somewhere in the chain.

In the case of the vBulletin hacks, the dozen or so sites hacked were all PR4 and above. The guess the idea there is that Google crawls these sites regularly, and it would find hundreds of inlinks to the hacker's site, giving him a boost in the rankings.

As far as PayPal and banks go, you're right, it would leave quite a trail if the hacker started sending money to his accounts from yours. Instead, the hacker might log into your PayPal account to get additional info, such as the billing address for each of your credit cards (easy to find under Profile>Credit Cards). He can log into your bank website to find the full credit card number or account numbers and routing numbers along with the billing address, and a nice history of purchases. It would be easy to disguise a fraudulent purchase by making it the same amount as a purchase you regularly make.