April 23, 2008

eBay S.A.F.E. = Stay Away From Ebay

Filed under: Hijacked Sellers, eBay Hackers, eBay Security — admin @ 4:00 pm

…another day another eBay Auction seller compromised.

Same scammer. Just a different hijacked seller.

Looks like our scammer boy switched email addresses; now he is scamming eBay buyers under esale92@gmail.com.

eBay lets this scammer fleece unsuspecting eBay buyers daily. Here is a screenshot of the 176 scam eBay auction listings uploaded to a poor hijacked eBay seller from Mexico, and sample screenshots of some of the scam fraud auctions on eBay:

The complete list of the scam items will be added to our frequently scammed eBay Listings items list.

Update 4-24-2008: the scammer is busy at work as usual, running circles around eBay security, unfortunately. A quick check this morning finds a freshly hijacked eBay seller in Spain with over 150 scam eBay fraud auctions. Here is a screenshot of the scam on eBay: Dale Chavez Western Show Saddle.


Beware of buying high end items on eBay!

And the same fellow has also hijacked many other sellers right now; another quick check of the list of items this scammer posted on eBay auctions previously shows this hacked eBay seller account in Australia with another set of fake eBay auctions, like this Brother Innovis 4000D auction with another free scam email address to lure unsuspecting newbie eBay buyers: gmkie1980@gmail.com.

Update 4-25-2008: yet another email address, same scammer, another hijacked seller. This is just a spot check at a random time; the scammer is now also using an image asking eBay victims to email him at ele322@gmail.com. Here is a screenshot of the scamster's image he inserts into those fake auctions.

April 21, 2008

eBay fraud and scam auctions continue

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 11:12 pm

We have been tracking this one scammer for years now. He must be one of the real slow learners because he is so easy to spot and track. According to the scammer’s own admission there are hundreds of them on eBay making a living daily. He is just one of the army. We’ve been tracking this guy since 2005 and he’s still scamming like there’s no tomorrow. Just now he has uploaded over 2500 FAKE SCAM AUCTIONS on a single hijacked eBay seller account - notice on that linked screenshot, the number of scam auctions is just 1178 scam high end auctions. By the time we took inventory of the listings, the total number of auctions this eBay scammer uploaded was 2663 scam auctions on a single hijacked seller account. They are the typical "email me at my gmail/aol/hotmail/msn disposable email address for a buy it now (off eBay) deal of a lifetime" now. Here is a screenshot of one of the 2663 scam eBay auctions this scammer uploaded on that poor hijacked seller’s account tonight. One of his many disposable email addresses is biz.kastor@gmail.com, with a history of hijacking other accounts on eBay and tracked by others. But wait, that’s not this scammer’s only email address; he operates with many, after all he is a professional eBay scammer and makes a decent living even by US standards doing this. He is also known as trevor023@gmail.com, with a full blown photo album to facilitate his eBay scams, and a quick check on eBay located 2 different sellers hijacked with this scammer’s email address published: hijacked seller stein**** with a fake eBay Roland Phantom X8 with case scam auction, the same hijacker breaking into the account of an eBay seller in Australia with a scam auction for 2 Pioneer CDJ-1000 MK3 CD Players with contact email address trevor023@gmail.com, and another seller in the US hijacked by the same scammer trevor023@gmail.com with the same 2 Pioneer CDJ-1000 MK3 CD Player - SCAM-O-RAMA on eBay.
These auctions have been running for a while, see the link - this is a 5 day auction with 5 hours to go… so much for eBay taking these scam auctions down quickly….. and these auctions have plenty of victims (aka newbie buyers on eBay). By coincidence or by design another seller was hijacked in France with an item from this seller’s repertoire; this eBay auction title says in French LISTING NOT VALID - IDENTITY HIJACKED and the auction advertises email address gigi_pizdulici99@yahoo.com.

The current list of items of this eBay Hacker / Scammer / Phisher is quite extensive, we are going to publish it here so in case you are shopping for one of these items, please be extra cautious.

Here is a list of items this scammer is currently uploading daily to several hijacked eBay seller accounts:

The perplexing question is: if we can find and track this eBay scammer on eBay so easily and consistently without any resources or privileged security tools, why does a multi-billion-dollar company (eBay) not care enough to squash this scammer? Do they not care about the safety of eBay customers? Or are there just too many eBay scammers, and is the fraud so widespread through eBay that eBay’s team of over 2000 fraud prevention staff just cannot keep up?

April 14, 2008

A Message from John Canfield – eBay Security News

Filed under: Hijacked Sellers, Phishing, Selling on eBay, eBay Security — admin @ 3:30 pm

Finally a step in the right direction! eBay appears to be catching up with the 20th Century - kudos anyway. Today’s announcement is truly music to our ears:

April 14, 2008 | 11:45AM PST/PT

John Canfield
Hello…I’m John Canfield, Senior Director for Trust & Safety policy management. My team specializes in working to keep the site safe and protected against fraud. Much of the company’s work around safety happens behind the scenes, but some of our efforts are also public-facing. Masking and protecting our Community’s identities on all bidder IDs on auction-style listings, the PayPal Security Key, our work with Yahoo and other domains to block email from unauthenticated addresses, and encouraging safer payments – each of these addresses a particular aspect of security and is making a dramatic difference in the overall security and safety of the marketplace and consumers’ confidence in shopping online. Our technologies – those that exist today, as well as those that we are designing for tomorrow – are helping to make the internet safer every day.
I’d like to tell you about a new safety initiative that launches on April 14th.

Trusted Selling with Identity Confirmation
One of the ways criminals attempt to defraud people on eBay is by gaining access to member accounts with well-established reputations which they then use to set up listings in that person’s name. They gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.

To protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.

If you are a seller, and you attempt to list an item from a different computer – for example, from a PC you are borrowing in a hotel or library – eBay will make an automated call to the phone number you have registered with us to confirm it is really you. We may also prompt you to verify your identity in other ways.

Initially, this identity confirmation process will only be applied to selling, although we may be extending this to other high-visibility activity in the future.

Sellers, please update your registered phone numbers
Now more than ever, having a current phone number on file with eBay is vital to the safety of the Community and to your business. A wrong or outdated phone number may delay your ability to list items or respond to your customers, if eBay cannot verify your identity.

Have a cell phone? Registering it could save you time and money
If you carry a mobile phone, we encourage you to add this number as a secondary phone number in your registration details, so that we can reach you when you are away from your business or residence where you normally use your trusted computer.

source: http://www2.ebay.com/aw/core/200804.shtml#2008-04-14114255

I just have one question for John:

Knowing this is in place, won’t the scammers/hijackers first change the phone number on record, then wait a day or so, then list … so the phone authentication would end up in the lap of the hijacker?

… or does a phone number change from a DIFFERENT-than-usual computer also trigger phone or additional verification? … I hope some multi-level logic exists for this.
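As an added illustration (not eBay's implementation, whose details the announcement does not give), here is a small policy model of the trusted-computer flow described above that also answers the question: a phone-number change made from an unknown computer is itself a step-up action, and the automated call keeps going to the last number confirmed from a trusted computer. Account, device and phone values are constructed.

```python
"""Trusted-device step-up policy for seller actions.

Added illustration, not eBay's code: models the "Trusted Selling with
Identity Confirmation" flow described in the post and closes the gap raised
in the question (hijacker changes the phone number first, then lists).
Device names and phone numbers are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str                 # number currently on file
    trusted_devices: set = field(default_factory=set)
    confirmed_phone: str = ""  # number a step-up call goes to

    def __post_init__(self):
        # Until a change is confirmed, the challenge target stays the old one.
        self.confirmed_phone = self.confirmed_phone or self.phone


@dataclass(frozen=True)
class Decision:
    allowed: bool          # may the action proceed without a challenge?
    call_number: str = ""  # if not allowed: where the automated call goes


class TrustedSellingPolicy:
    # Listing, plus the contact data the challenge itself depends on.
    SENSITIVE = {"list_item", "change_phone", "change_email"}

    def evaluate(self, acct, action, device) -> Decision:
        if action not in self.SENSITIVE or device in acct.trusted_devices:
            return Decision(allowed=True)
        # Unknown device: challenge on the last confirmed number, never on a
        # number that was itself entered from an unknown device.
        return Decision(allowed=False, call_number=acct.confirmed_phone)

    def change_phone(self, acct, device, new_number) -> Decision:
        d = self.evaluate(acct, "change_phone", device)
        acct.phone = new_number             # recorded either way ...
        if d.allowed:
            acct.confirmed_phone = new_number  # ... but only a trusted device confirms it
        return d

    def confirm(self, acct, device, answered_on) -> bool:
        """Automated call answered on the expected number: trust the device."""
        if answered_on != acct.confirmed_phone:
            return False
        acct.trusted_devices.add(device)
        acct.confirmed_phone = acct.phone   # a pending number change takes effect
        return True


def hijacker_scenario() -> dict:
    """The sequence from the question: change phone, wait a day, list."""
    owner_number = "+1-555-0100"                                # constructed
    acct = Account(phone=owner_number, trusted_devices={"home-pc"})
    policy = TrustedSellingPolicy()
    d1 = policy.change_phone(acct, "hijacker-box", "+1-555-0199")  # constructed
    d2 = policy.evaluate(acct, "list_item", "hijacker-box")
    return {"phone_change_challenged": not d1.allowed,
            "listing_challenged": not d2.allowed,
            "call_goes_to_owner": d2.call_number == owner_number}
```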

Update 4-19-2008: My question and a few others were answered here: eBay Chatter
This change could not come fast enough, hopefully our steady Romanian Hacker will then be stopped from hijacking eBay seller accounts daily and publishing fake auctions, just like he has hijacked another eBay seller right now and publishing those typical high end scam auctions on eBay as we write this.

April 10, 2008

Another day - another scam fest - on eBay

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 5:06 am

These past few days our real life projects took us away from the time usually needed to monitor eBay fraud auctions, hence the silence.

Spot check this morning shows we have the usual scammers running circles around eBay.

Another day on eBay…
…another (few hundred) eBay powersellers hijacked
…another few thousand fake auctions by professional eBay scammers who are so amateurish even we can find them with minimal tools like an RSS feed that picks up the usual scam phrases, scam items, scammers’ email addresses etc.

Here is the latest eBay powerseller with almost 1000 feedbacks, a nice lingerie store, being hacked right now with the usual assortment of fake auctions.

This eBay scammer’s latest signature tag line is:
As i take this auction very seriously i want to speak personally with every interested buyer who’s ready to make the deal of the year. I will sell it only to a serious person,just after i’ll talk with him via e-mail. Questions about condition,more pics, shipping; Contact me at :
Markosshopp@aol.com

Here is this eBay scammer’s and other scammers’ list of fake eBay auction items they love to offer to their eBay victims at fabulous once-in-a-lifetime deal prices.
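The posts mention catching these listings with nothing more than an RSS feed matched against the usual scam phrases, items and disposable email addresses. As an added example, not the blog's own tooling, the scorer below applies those same heuristics (the quoted tag line, free webmail contact addresses, a category that does not fit the seller's history, and the deep discount noted in the March 16 post further down) to constructed listing records.

```python
"""Heuristic flagging of hijacked-seller scam listings.

Added illustration, not the blog's own feed: the posts say these scammers
are spotted with nothing more than an RSS feed matched against the usual
scam phrases, items and disposable email addresses. This scorer does the
same over constructed listing records; titles, prices and addresses are
made up.
"""
import re
from typing import Optional

FREE_MAIL = {"gmail.com", "aol.com", "hotmail.com", "msn.com", "yahoo.com"}
# Wording that recurs across the fake auctions quoted in these posts.
SCAM_PHRASES = [
    r"contact me (?:before you bid|at)",
    r"speak personally with every interested buyer",
    r"serious (?:person|buyer)",
    r"deal of the (?:year|lifetime)",
    r"buy it now .{0,40}\be-?mail\b",
]
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)", re.I)
PHRASE_RES = [re.compile(p, re.I | re.S) for p in SCAM_PHRASES]


def score_listing(listing: dict, typical_price: Optional[float] = None) -> dict:
    """Return why a listing looks like a hijacked-seller scam auction."""
    text = f"{listing['title']}\n{listing['description']}"
    reasons = []
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() in FREE_MAIL:
            reasons.append(f"free webmail contact in listing: {m.group(0)}")
    for rx in PHRASE_RES:
        if rx.search(text):
            reasons.append(f"scam phrase: /{rx.pattern}/")
    # Hijacked accounts suddenly list gear unrelated to the seller's history
    # (a book dealer offering DJ players, a lingerie store offering saddles).
    if listing["category"] != listing["seller_usual_category"]:
        reasons.append("category outside the seller's usual listings")
    # The March 16 post notes the fakes are priced at about 30% of going rate.
    if typical_price and listing["price"] < 0.5 * typical_price:
        reasons.append(f"price {listing['price']:.0f} far below typical {typical_price:.0f}")
    return {"item": listing["item_id"], "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample feed: one hijacked-seller style listing, one ordinary one.
SAMPLE_FEED = [
    {"item_id": "A1", "title": "Pioneer CDJ-1000 MK3 pair - must sell fast",
     "category": "DJ Equipment", "seller_usual_category": "Books", "price": 900.0,
     "description": ("As i take this auction very seriously i want to speak personally "
                     "with every interested buyer who's ready to make the deal of the year. "
                     "Contact me at : dealmaker-constructed@aol.com")},
    {"item_id": "B2", "title": "Used paperback lot", "category": "Books",
     "seller_usual_category": "Books", "price": 12.0,
     "description": "Twelve paperbacks, good condition. Ships via media mail."},
]


def flag_feed(feed=SAMPLE_FEED, typical_prices=None) -> list:
    """Score every listing; typical_prices maps item_id to a going rate."""
    typical_prices = typical_prices or {"A1": 2800.0}   # constructed going rate
    return [score_listing(l, typical_prices.get(l["item_id"])) for l in feed]
```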

One has to ponder:

  • If we can find those scammers so easily with zero access to anything proprietary, just public RSS tools, why the heck is eBay not finding them and preventing them from fleecing unsuspecting buyers?
  • eBay boasts 5 Billion Dollars in surplus cash: why won’t eBay invest a teeny tiny minute fraction of it into improving security on their site?
  • When questioned about the ongoing security issues where massive numbers of user logins and passwords are already compromised and in the hands of hackers, resulting in vast numbers of fake auctions on eBay, eBay always claims that’s not a problem. Why? What does eBay have to gain by letting fraud run rampant on its site?

April 2, 2008

How many eBay accounts are hijacked?

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 7:10 am

It’s in the hundreds of thousands. Monitoring this single eBay hijacker, just spot checking every so often, we always find him hijacking one or more eBay accounts…. it seems as though the hijacker has an unlimited supply of accounts. The same hijacker who had 4 eBay seller accounts hijacked a couple of days ago is currently uploading the scam auctions to the PowerSeller account alliedweighing (260 feedback score); here is a screenshot of the usual scam auctions on eBay this hijacker uploads to compromised seller accounts:

hijacked powerseller alliedweighing by jnestoc@aol.com on eBay

Pioneer CDJ-1000 MK3 CD Players & 1 DJM-800 Mixer:: fake auction on eBay

this minute appearing on the hijacked powerseller alliedweighing, and here is a screenshot of the scammer’s auction, asking eBay buyers to contact him at a freshly baked free email address:

Scammer’s signature line on each fake auction: Please contact me before you bid for buy it now and the rest of the transaction details: jnestoc@aol.com

The hijacked PowerSeller alliedweighing is not one of the thousands of hijacked eBay accounts on the list published earlier by another blogger a few days ago, so these hijacked eBay accounts must come from yet another multitude of stashes of compromised eBay logins and passwords.

March 17, 2008

Hacked eBay login/pass databases : are you there?

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 7:49 am

This blogger published a list of thousands of compromised eBay user logins and passwords that was found online for anyone to see. Go to their blog and you can check if your eBay login has been hacked. To find the database with hacked logins, just scroll down the list of posts, find the March 15th posts and jump to the sections, presented alphabetically, with groups of compromised eBay IDs.

We have saved the complete list, so if iBay manages to threaten the blog owner into deleting those pages we can republish it so the victims of UNSAFE eBay can protect themselves. Shame on eBay.

March 16, 2008

eBay Seller Hijackings continue

Filed under: Hijacked Sellers, eBay Security — admin @ 5:43 am

While eBay refuses to secure its own site, the professional hackers continue posting XSS Flash auctions which will extract your eBay login and password directly on the eBay site if your browser has Flash and JavaScript enabled. So once your login and password get into the hands of professional hackers, what happens next? Your eBay login will get used in the following manner: if you have selling enabled on your eBay account, the hacker will then log in as you and post a bunch of fake auctions, requesting unsuspecting buyers to contact him at some gmail/hotmail/aol/msn or other free disposable email address. Those auctions will be for expensive high end items which normally sell for a high dollar value, and the scammer will offer the item for about 30% of the going rate.

Here is an example of such a hijacked seller account auction with all the tell-tale signs that the poor eBayer has been phished: instead of book listings you now see the scammer’s repertoire of high end items asking you to email him at his gmail address so you can have those items for only $1000… let’s take a look at this Scam Auction on a Hijacked Seller account: Apple MacBook Pro listed in the Books/Antiquarian category on eBay, on a Hijacked / Phished PowerSeller account from Germany.

There are currently 83 fake scam auctions listed on this hijacked seller account on eBay - see the link to the hijacked seller’s auctions posted by the hacker on this hacked eBay account: ebay-seller-ensabel-antiquarian-collectible-dvd-hd-dvd-blu-ray-items-on-ebay.gif

Once buyers contact the scammer at his gmail address, the scammer will tell them some story why he is giving away the expensive item at such a low price (divorce, tuition, cousin works at the factory….) and will ask the victim for their eBay login name, full name and address so he can prepare a fake eBay invoice, and email this fake invoice with eBay logos pretending it came directly from eBay, recommending a wire transfer cash payment to Romania or Spain or the UK as a safe method, assuring a satisfaction guarantee and free shipping. If the buyer/victim wires the money, they will never hear from the scammer again. By this time the hijacked seller has already discovered his account login and password have been compromised and reported it to eBay, and eBay will remove the auction (check it out: when you try to access the auction we have provided a screenshot of - here is a link to the eBay listing: you will find that it was removed). This makes it impossible for a victim to document to law enforcement that such an auction even existed or that the auction was on a credible eBay seller account with good feedback….. eBay will then pretend this scam never happened on its site. If the victim who wired the money comes seeking assistance from eBay, eBay will not offer any, as there was no auction, and the instructions that the victim received, although they looked like an official eBay invoice with eBay payment instructions, were just a fake invoice cleverly constructed to look like eBay sent it.

March 13, 2008

eBay refuses to remove Flash vulnerability from its site

Filed under: Phishing, eBay Hackers, eBay Scams in the News, eBay Security — admin @ 8:10 am

According to a Spiegel article from yesterday, translated by Google:

eBay is aware that professional hackers are harvesting your eBay user information, including your eBay username, password, bank info, partial credit card number and expiration date as well as your secret question. eBay has been made aware of this issue by one of its users, faller-internet.de, who describes the eBay Flash XSS vulnerability in detail here:

Each logged-in eBay member on whose computer the Flash plugin is installed, and who has allowed JavaScript, can become a victim of this security vulnerability. The test showed that data scripting is possible completely unrecognized by the victim. And so the view into the personal sphere of „My eBay” works:
The criminal lists a rather prominent item on eBay, with a specially prepared Flash animation embedded into the item description. If a logged-in user visits this page, his browser loads the malicious code of the scammer. This contains JavaScript which sends the eBay cookies of the user to the criminal. This import of external code has been known for years as Cross Site Scripting (XSS).
As the Flash file is executed only on the computer of the victim user, eBay is unable to check the listing for prohibited JavaScript executables. eBay members can protect themselves by generally disabling JavaScript in their browser; however, in that case the use of normal eBay pages is heavily affected, and important functions will not work without JavaScript.
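The analysis above explains why eBay cannot check the listing: the Flash file runs only in the victim's browser. As an added example, not eBay's filter, the auditor below takes the opposite approach: it inspects the description markup itself and refuses anything that can load or execute code (object/embed/script elements, event-handler attributes, script URLs) and any image not served from an allowlisted host. Host names and descriptions are constructed.

```python
"""Active-content gate for listing descriptions.

Added illustration, not eBay's filter: the quoted analysis says the Flash file
runs only in the victim's browser, so the server cannot see what it does. The
defensive answer is to judge what a description contains, not what it does:
refuse the elements that can load or run code at all, and allow images only
from an allowlisted host. Hostnames and descriptions below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame",
               "base", "meta", "link", "form"}
IMAGE_HOSTS = {"pics.example-marketplace.test"}   # constructed allowlist


class DescriptionAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.violations.append(f"active element <{tag}>")
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on"):            # onload=, onclick=, onerror=
                self.violations.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src", "data", "style"):
                self._check_url_like(tag, name, value)

    def _check_url_like(self, tag, name, value):
        low = value.lower().replace("\x00", "")
        if low.startswith(("javascript:", "vbscript:", "data:")) or "expression(" in low:
            self.violations.append(f"{name} on <{tag}> carries script: {value[:40]}")
        elif tag == "img" and name == "src":
            host = urlparse(value).hostname or ""
            if host not in IMAGE_HOSTS:
                self.violations.append(f"image from non-allowlisted host {host!r}")


def audit_description(html: str) -> list:
    """Return the policy violations; an empty list means the description is acceptable."""
    auditor = DescriptionAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.violations


# Constructed descriptions: a plain listing, and one carrying an external Flash object.
CLEAN = ('<p>Brother Innovis 4000D, lightly used.</p>'
         '<img src="https://pics.example-marketplace.test/item/1.jpg">')
FLASHY = ('<p>Great deal!</p>'
          '<object><embed src="http://attacker.example/desc.swf" '
          'type="application/x-shockwave-flash"></object>'
          '<img src="http://attacker.example/1x1.gif" onerror="alert(1)">')
```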

Here are the screenshots from Spiegel when a Spiegel employee went to eBay:

This is how your private and financial information gets extracted by hackers when you simply access some auctions on eBay (click thumbnail to see full size image):

1. eBay Home: A SPIEGEL ONLINE employee logs in with his eBay account, then continues … eBay Flash hack p1
2. … to the eBay auction page prepared for the demonstration of the vulnerability. Here a Flash element from an external server is embedded - not recognizable with the naked eye; this Flash element extracts your private information. This element is embedded Flash … eBay Flash hack p2
3. … and reads the personal data of the user logged into eBay. Worse yet: it tries to pass this user data via this vulnerability to a real-looking login dialog page on the hackers’ server. eBay Flash hack p3
4. … It stops only when the page information is retrieved: whatever the user enters into the fake eBay login form, it then sends the login info to an external (hacker’s) server. There could … eBay Flash hack p4
5. … Cyber-crooks extract data from the visitors browsing its auction site and manage bidders: eBay login name and password of bidders and all (even visitors to the auction site who have not bid, but were logged in!), the e-mail address, list of search favourites, the address and the name of the subject - the ideal material for perfect phishing emails… Look at the screenshot: it offers a glimpse of your login, password, eBay secret question, banking and credit card info. eBay Flash hack p5

eBay spokeswoman Maike Fuest was quoted in the Spiegel article: “It is possible, on active content such as Flash and Javascript in auction descriptions to have a malicious content.” …
eBay allows sellers only limited active Flash content. Why then does eBay permit such dangerous content in its auctions and listings?

Fuest: “That would contradict eBay culture. We want our vendors to have a certain creative freedom in the design of their auctions.” “eBay uses a different way to reduce the risk of malicious content in active listings. Since September 2005, only some, especially those active trusted members, are allowed this content in their item descriptions.”

It appears that user security is second to profiteering on eBay. Although eBay has been aware of this vulnerability on their own site for months now, eBay spokespeople reiterate eBay management’s position that giving a vendor the freedom to publish razzle dazzle Flash auctions is more important than a few thousand (or tens of thousands?) of user logins, confidential financial information and credentials being phished out by cyber criminals directly on the eBay site in its listings. This is a clear example of eBay placing its own profits over user safety. eBay knowingly allows phishing attacks by eBay hackers directly on their own auction listings. eBay users’ credentials are being offered by eBay to the hackers so eBay’s vendor auctions will look flashier so eBay can collect more fees for sold items.


May 25, 2007

EBay users crying out for better security

Filed under: eBay Security — admin @ 8:00 am

Nekkid Truth published this article:

EBay users crying out for better security

This is a good proposal… go read it! What do you think? Will eBay embrace or ignore the proposal? It was emailed to all the powers that be who are in charge of Trust & Safety for eBay.