Anatomy of an eBay scam By Dan Goodin

Scrub · #1 03-25-07, 04:39 PM

Anatomy of an eBay scam

Fraudster put through the paces
By Dan Goodin in San Francisco → More by this author
Published Wednesday 21st March 2007 01:02 GMT
Research Papers- All papers free to download.

Fraudulent listings on eBay continue to pile up, and the online auctioneer appears to be incapable of proactively putting an end to them.

Since Friday, we've been typing "tour with a whore" into eBay's search engine (for purely research purposes, of course) and have been returned with dozens (in one case hundreds) of results featuring pornographic images. They are posted by established users with highly favorable feedback ratings - hallmarks of accounts that have been hijacked and then used to con unsuspecting buyers.

(eBay representatives stress the company's security department continuously snuffs out graft and that phony postings comprise a tiny percentage of overall listings.)

Some fraudulent auctions contain links that direct would-be buyers to spoofed sites that attempt to phish their eBay credentials. Others offer a special "buy-it-now" discount if the user contacts the seller via email. We wanted to know how these buy-it-now scams work, so we took the bait.

The auction we responded to advertised a rare Scotty Cameron Del Mar 3 golf putter. It was offered by a user with a 100-percent favorable score from 77 users, ensuring a trust level that is highly coveted by fraudsters. It is part of what eBay critics say is a rash of account take-overs over the past couple months.

What follows is a transcript of the email discussion that took place:

From: [Reg. Reporter]
To: [eBay scammer at Compuserv address]
Subject: golf putter
Date: Mar 6, 2007 3:48 PM

Hi,

I noticed a golf putter was for sale on eBay yesterday. I also noticed you used this email address, which is in violation of eBay rules. May I ask why you used this email address instead of going through official eBay channels?

Kind regards,

From: [eBay scammer]
To: [Reg reporter]
Subject: Re: golf putter
Date: Mar 6, 2007 3:54 PM

I use this address because the ebay email address is blocked....i have the golf putter now also...if you are interested make me an offer and we can discuss about it.Thank you.

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 6, 2007 4:24 PM

Hey thanks for your reply. How can I verify that you are the true owner of the eBay account you posted under?

From [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 4:26 PM

I can respond you from my son's ebay account if you like and you will see that i am a legit seller....but the transaction is made under ebay protection...you will receive an insurance about your purchase from ebay...that if you are really interested in buying.

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 6, 2007 4:34 PM

I am very interested. What is your son's email address? And what has happened in the past 24 hours that prevents you from accessing your account?

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 4:49 PM

A third party user accesed my account and now is suspended by ebay untill some investigations are made.My son's user is evboom18. He can be contacted on his ebay email..... I want to use eBay like a third party to complete this transaction. I am not so good to explanations but I will try to tell you in few words how the process works. 1) First you have to send me your shipping informations:
First and Last Name:
Address:
City:
State:
Zip:
Country:
The model that you want to buy:

2) They will contact you with all transaction details and invoice.

3) You will make the payment to one of their agents like is stated in the invoice.

4) You send the payment details to eBay representaive and they secure your funds.

5) After that they will contact me to start the shipping.

6) I will send you the product and give you the tracking number.

7) After you will receive and inspect the product you give them your approval to release the money to me.

Let me know if you understand how it works and if you are agree to proceed please let me know asap.

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 6, 2007 5:12 PM

[name deleted]
[address deleted]
San Francisco, CA 94110
USA

TOUR CAMERON CIRCLE T DEL MAR 3

Thank you.

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 5:19 PM

Please tell me also the price that you are willing to offer on the unit.Thank you

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 6, 2007 5:27 PM

$100?

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 5:42 PM

Sorry the amount is to little....only 100$??You can find a putter like this on ebay for 900$ and mine has also a certificate of authenticity.Please make me a better offer.

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 6, 2007 5:50 PM

Well, you can't blame a guy for trying. How about $600?

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 5:52 PM

That's more acceptable....I will send the info to eBay and they will contact you with an invoice.you will see there in the invoice step by step how to complete this purchase

To: [Reg reporter]
From: aw-confirm@ebay.com [spoofed]
Subject: Congratulations-eBay Transaction Started
Date: Mar 6, 2007 5:58 PM

Hello [Reg reporter]
eBay transaction starting
Current status: Payment pending. Purchase protection is granted. The following item is protected in this eBay transaction:

Remainder deleted. Email, which contains authentic-looking eBay logo, provides details on how to send payment via Western Union.

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 6, 2007 6:09 PM

Did you received the invoice from ebay?because i have my copy already.....please check your junk folder also,because you might receive it there...mail me after you read it....thanks

From: [eBay scammer at new Compuserv address]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 2:22 AM

Hi,

I am having some problems with my account w3bstars@cs.com....please write me here if we are ok with the transaction and if you have received the insurance from ebay.

Regards,
Stanley

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 7, 2007 3:32 PM

Stanley,

Are you sure you're not a fraud? Requiring a money transfer is against eBay terms of service. What's your phone number so I can call you?

From: [eBay scammer at new Compuserv address]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 7:07 PM

I'm located in Italy with some business but this will not be a problem because I left the item there in US in eBay custody and they will deliver it as soon as you will complete the payment.I also already paid the shipping fees.I'm really sorry but I cannot use my paypal account because I'm in a middle of a divorce with my wife and I cannot use any of my accounts until the end of the divorce.That's why I used to make this deal through eBay under their protection and that's why eBay used for the payment WesternUnion.So..all you have to do is to go in person at any WesternUnion office with the cash in hand to depossit the money on my correct name and address and then to contact me with the following infos:

From: [eBay scammer at new Compuserv address]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 7:28 PM

I am not a fraud and i use the trading-asistants for the safety of my units and the buyers money.If you have any questions you can mail them at trading-asistants@europe.com.Thank you.

Regards,
Stanley

From: [eBay scammer at new Compuserv address]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 7:57 PM

I have already told you that i am in Italy and i don't have a phone number right now....i will try to call you instead when i will be able to call in the US....we can communicate through emails if this is not a problem for you. I had a family because now i am in the middle of the divorce, 2 kids, that means I would not risk anything to put them in danger or something like that for that kind of money, I have a career, I am a person of honor and a serious seller and I don't see any reason for not respecting you as I did with the other customers, Why should I be different with you ??? It makes no sense... I earned my money through hard work in this life and I don't force you to do anything that you won't like, at this price I can find easy another customer. I can guarantee you that you will be more than satisfied and be sure we will do more business in the future. I won't risk my career, my freedom and my future for anything in the world!!!

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 8, 2007 9:58 AM

May I speak to one of your many clients? How do I know that your name is real? How do I know that your business is real? You are just some person online. Simply saying you are for real does not make it so. If you owe $49 for one CompuServe email address, how is it that you are able to use this second address? And what exactly does Usrcs stand for?

From: [eBay scammer]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 12:16 PM

I think that you may speak to another client of mine...i will give you some clients email addresses:[deleted]@gmail.com,[deleted]@hotmail.com, [deleted]@yahoo.com, [deleted]@mail.com My name is real because if you send me the money on my name i have to have some id , to pick up the money and someone will check when picking up the money that is really me the one who is withdrawing them.This second email address is another master address, not the same with my last email address.

I have explinaid you two emails before why ebay accepted me to use Western Union.I left the item there in US in eBay custody and they will deliver it as soon as you will complete the payment.I also already paid the shipping fees.I'm really sorry but I cannot use my paypal account because I'm in a middle of a divorce with my wife and I cannot use any of my accounts until the end of the divorce.That's why I used to make this deal through eBay under their protection and that's why eBay allowed me to use WesternUnion for the payment. I hope that this clears things up and we can move on with this transaction.

Regards,
Stanley

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 8, 2007 1:39 PM

Hello?

From: [eBay scammer]
To: [Reg. reporter]
Subject: email problems
Date: Mar 7, 2007 3:49 PM

Yes....i have respomded to all your question and i have sent you some emails of my clients....what else do you want me to do?

From: [eBay scammer] To: [Reg reporter] Subject: Re: email problems Date: Mar 8, 2007 2:21 AM

I don't know what to do to prove you that i am real...but you got an insurance from ebay about your purchase you have my name,my address.I'm running a business for 15 years. I have my soul very clean. I made a lot of clients in this way. they respect me and I respect them. I'm living from this business. I'm not permitting to myself to lose my clients or lose my liberty for 600$.My previous email was not deleted i just have some problems with it and my ebay account is suspended due to a third party intrusion. Thank you.

Regards,
Stanley

From: [Reg. Reporter]
To: [eBay scammer]
Date: Mar 8, 2007 2:54 PM

Would you give the the address of someone at ebay.com I can contact for confirmation? I'm very interested.

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 8 3:53 PM

I have already told you that the trading asistants work for ebay and if you check on ebay.com that are many trading asistants working to smooth the transactions...so if you want someone from ebay.com contact trading-asistants@europe.com.

Regards,
Stanley

From: [Reg. Reporter]
Date: Mar 8, 2007 4:42 PM

Thank you for your continued patience and support. I'd like to speak to someone with an @ebay.com address, please. Why is this not possible?

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 8, 2007 4:44 PM

Ok....i will talk to someone at from ebay to tell you that i am a legit seller and the transaction is made under their protection.

From: aw-confirm@ebay.com [spoofed]
To: [Reg reporter]
Subject: eBay Security&Resolution center
Date: Mar 8, 2007 5:14 PM

We have been informed from our seller, Stanley Jones that you didn't trust the eBay insurance received and you wanted someone from our security department to contact you in order to assure you that he is a legit seller and the transaction will work out just fine.

[remainder deleted]

From: [Reg reporter]
To: aw-confirm@ebay.com
Subject: Re: eBay Security&Resolution center
Date: Mar 8, 2007 6:50 PM

Hi,

Can you please tell me if this is for real?

Forwards spoofed eBay email. Note: there was no response from eBay.

From: aw-confirm@ebay.com [spoofed]
To: [Reg reporter]
Subject: eBay Security&Resolution center
Date: Mar 8, 2007 7:02 PM

As we stated before you have nothing to worry about the transaction with our seller, Stanley Jones.The unit is in custody of ebay and we will start shipping as soon as the payment is confirmed.

[Remainder deleted.]

From: [eBay scammer]
To: [Reg reporter]
Date: Mar 8, 2007 7:23 PM

eBay contacted me and told me that you should write your questions to the trading asistants also because they are paid for this job and should answer you. The aw-confirm@ebay.com address is receiving thousands messages per minute and they can't stay and answer everybody that have a question , and another question and another question, they have more important mails and that's why the trading asistants are hired and payed to do this job.Thank you.

Â®

Scrub · #2 03-25-07, 04:47 PM

Man hijacks 90 eBay accounts

Lax security, careless users
By Dan Goodin in San Francisco → More by this author
Published Wednesday 21st March 2007 21:24 GMT
Research library - All papers free to download.

An Australian man pleaded guilty to breaking into eBay and a local bank to steal AU$42,000 (about $34,000), in a case that demonstrates the problem of account takeovers on the auction site.

Dov Tenenboim, 21, of the Sydney suburb of North Bondi, stood accused of breaking into at least 90 different eBay seller accounts last year, mostly by guessing passwords. Tenenboim frequently figured out the credentials by matching usernames to passwords, prosecutors said. Other times he hacked into email accounts.

Why businesses need business continuity

So the worst happens: are you prepared?

The Register's Martin Banks has written a white paper on Business Continuity and implementation strategies, which we trust you will find useful.

Download the report

Following a familiar route, Tenenboim targeted users with highly favorable feedback ratings from their eBay peers. Posting under the guise of a trusted user with an established account makes it easier to dupe buyers.

After hacking the accounts, Tenenboim used them to advertise non-existent iPods, according to the Sydney Morning Herald. He also hacked into the Commonwealth Bank. He pleaded guilty to two counts of making a false statement to obtain money, two counts of obtaining money by deception and four counts of committing an unauthorized computer function. Tenenboim faces a maximum of 11 years in jail and fines of $9,900.

Account takeovers have been a persistent problem on eBay. Over the past several weeks, we've observed hundreds of fraudulent auctions being offered by users with unblemished records. Such hijackings are on the rise, according to a small but vocal group of eBay users, who also claim the breaches are the result of an unpatched security hole in the company's defenses.

eBay strongly denies such a hole and says the takeovers are the result of users having their log-in credentials snatched through lax passwords and phishing attacks. Tenenboim's methods appear consistent with such statements.

But eBay can't be let off the hook completely. The company employs lax password requirements that, for instance, allow a user ID of james34231 and a password of james 34. (To be fair, Google Mail allowed the same combination, though the site warned it was only "fair.")

What's more, eBay, like the vast majority of online services, has no mechanism in place to allow account holders to log in using security keys that generate random numbers every minute or so. Such devices would render most current password attack methods ineffective.

eBay has said it is in the early stages of testing such a system for its PayPal users, and a spokeswoman says the key will also work on eBay. Â®

Thread Tools
Show Printable Version Email this Page
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: