From: www.itworld.com

Inside an eBay scam

September 18, 2006 —


It all started when I got a call from a client. He explained he had just won the bidding for a boat on eBay, but had not received the boat or any word from the seller in more than a week. He was starting to feel that he may have been scammed, and wanted to know if I could help. I don't usually get involved with this stuff, but sensing an interesting story, I agreed.

The story plays out in the usual way. My client had failed to use common sense, do any research, or heed the warning signs. The scammer listed a boat (a 2005 boat worth about sixty thousand dollars) on eBay with an ad stating that they would sell it to the first bidder willing to pay $5,900. Their story was that they were moving to Europe and needed the money to pay for the move. They explained that the "winner" must wire half of the money via Western Union and release the other half upon delivery of the boat. My client said he talked to the seller on the phone after a couple of emails, and that the gentleman was very nice and stuck to the story.

Unfortunately, this is the number one scam on online auction sites, and a little basic research in eBay's forums would have revealed as much. But he neither checked the forums nor became suspicious that the scammer wanted him to wire money, or that the scammer was willing to sell a boat for one-tenth of its current value. My client went to his bank and wired the full $5,900 to the scammer's bank in Thailand, where the scammer had said he was vacationing before settling into his new European home. Needless to say, neither the bank in Thailand nor eBay has been able to help my client get his money back. This is what my father used to call an "expensive class in common sense".

If that were the end of the story, it would barely be worth writing about. But I used the patterns from the scam ad my client had responded to and found several other eBay ads of a similar nature. I quickly made contact with the person whose account had been used to post the ads, and with the scammers in question. What I learned was very interesting. The scammers work like this:

First, they run a simple phishing attack. They spam-blast phishing emails to mailing lists harvested from various locations around the net. These phishing emails lure eBay sellers into revealing their login and password. Once the scammers have those, they log in and gather as much information about the account holder as possible. Then they replicate that information very closely. For example, if the account holder has an email address on AOL, say johndoe@aol.com, the scammers will open the email account johndoe2@aol.com. They use these email accounts as the basis for their fraudulent communications.

Once they have a pattern of communication in place, they immediately use the eBay account to list a number of high-value items for sale: cars, boats, jet skis, ATVs, computers and high-end electronics. Each listing encourages interested buyers to use the alternative communication channel to bid on the item. The ads usually claim that the seller's eBay email is down, slow or not working. They push all buyers to communicate directly with them outside of eBay, even going so far as to threaten to cancel placed bids and leave negative feedback. Cleverly, they post these eBay ads using heavy HTML graphics and other obfuscation techniques that make the listings harder for eBay and its defensive systems to spot.
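The pattern just described (a lookalike contact address, a push to communicate off-platform, a wire payment demand, and a price far below market) is exactly what a buyer-side or platform-side screen can score. The following is an added example, not code from the article or from eBay; the phrase lists, the 25% price threshold and the sample listing are constructed assumptions.

```python
import re

# Assumed phrase lists; a real deployment would tune these against observed listings.
OFF_PLATFORM_PHRASES = ("email is down", "ebay email", "contact me directly",
                        "outside ebay", "cancel your bid", "negative feedback")
WIRE_PHRASES = ("western union", "wire transfer", "wire half", "moneygram")
PRICE_RATIO_THRESHOLD = 0.25  # assumption: below a quarter of market value is a red flag

# Constructed sample listing text modelled on the ad pattern described above.
SCAM_LISTING = """2005 boat, first bidder willing to pay $5,900 gets it. We are moving
to Europe. My eBay email is down, so contact me directly at johndoe2@aol.com.
Winner must wire half via Western Union, the rest on delivery."""


def normalize_local_part(address):
    """Split an address and strip trailing digits from the local part, so that
    johndoe2@aol.com and johndoe@aol.com map to the same (local, domain) key."""
    local, _, domain = address.lower().strip().partition("@")
    return re.sub(r"\d+$", "", local), domain


def is_lookalike(contact, registered):
    """True when the contact address mimics the registered seller address
    (same domain, same local part minus trailing digits) but is not identical."""
    if contact.lower().strip() == registered.lower().strip():
        return False
    return normalize_local_part(contact) == normalize_local_part(registered)


def screen_listing(text, contact_email, registered_email, asking_price, market_value):
    """Return (score, reasons): one point per red flag found in the listing."""
    reasons = []
    body = text.lower()
    if is_lookalike(contact_email, registered_email):
        reasons.append("contact address is a lookalike of the registered seller address")
    if any(p in body for p in OFF_PLATFORM_PHRASES):
        reasons.append("listing pushes communication off the platform")
    if any(p in body for p in WIRE_PHRASES):
        reasons.append("listing asks for an untraceable wire payment")
    if market_value and asking_price < PRICE_RATIO_THRESHOLD * market_value:
        reasons.append(f"asking price is {asking_price / market_value:.0%} of market value")
    return len(reasons), reasons


if __name__ == "__main__":
    score, why = screen_listing(SCAM_LISTING, "johndoe2@aol.com", "johndoe@aol.com", 5900, 60000)
    print(score, *why, sep="\n  ")
```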

After identifying a fraudulent set of ads, I made contact with both the legitimate owner of the account and the scammer who had hijacked it. I informed the owner of the fraud and of the likely means by which their account had been compromised. The owner immediately worked with eBay security to have their account credentials changed and the fraudulent postings removed. eBay was very helpful and even helped the owner open a new account to make sure no further fraud would occur.

Finally, in my contact with the scammer, I portrayed myself as a potential buyer. I traced the email headers to a system in Thailand, though I think it may simply have been a compromised system they controlled. If I had to guess, I would say they compromised it via the recent VNC vulnerability. Before I could complete the "sale" or get more information on the scammer, AOL shut down their account. AOL also seems to have notified the system's owner in Thailand, as the system they were using to stage the emails is now offline.

I hope this gives you a feel for how some of these scams occur. It certainly shows that phishing is more than just a means of outright banking theft: attackers have found all kinds of uses for stolen credentials that lead to cash. At the end of the day, though, the basic lesson is still "if it sounds too good to be true, it probably is."