June 25, 2008

Email address in listing text forbidden on eBay

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 3:43 am

eBay scammers who hijack legitimate seller accounts use a disposable email address at a free email provider to lure eBay shoppers into off-eBay transactions. eBay has announced that, for safety reasons, email addresses will no longer be allowed in eBay listing descriptions starting in September 2008. That’s a step in the right direction! After all, each eBay listing has a contact-the-seller button that eBay builds into the listing format, so showing an email address is redundant and unsafe. I am not sure how eBay will tackle a listing like this, where the scammer creates a large JPG or GIF image, places the text as well as the email address onto this image, and makes that image part of the auction.

This image comes from a fake scam auction for Canon 600mm f 4 is L, Canon 300mm f 2.8 is L, … Hopefully by the time you read this article the eBay auction has been canceled, so we have saved a screenshot of this fake eBay auction on a hijacked eBay seller account on our server.

If you look at our hijacked eBay sellers section, you will find screenshots of hundreds of fake auctions on hijacked eBay seller accounts. They all have one thing in common: a very prominent free email address in the listing, urging the unsuspecting buyer to contact the ‘seller’ at that free email address.

May 20, 2008

Warning - eBay Account Hijacks and Scam Auctions

eBay has certainly improved at taking down the fake scam auctions that appear on hijacked eBay seller accounts, duping eBay newbie buyers into thinking they are safe on eBay buying from an established seller with high feedback. However, such auctions are still abundant, so be careful, do not trust eBay. A scammer can upload his scam image directly to eBay servers, such as this image uploaded in FEBRUARY of this year, and eBay will gladly host it for the scammer for months after any listing it was uploaded for has expired, so the scammer can reuse it. This scam email address, Qveste@aol.com, belongs to a known eBay account hijacker and scammer. He just hijacked another Powerseller (Seller: hs***uid (6144; feedback score is 5,000 to 9,999), member since Jan-25-99 in United States) and uploaded a fake eBay scam BOSE Lifestyle 48 Media Center DVD + 10 Bose Speakers auction.

That same scammer with the Qveste@Aol.com email address usually runs many auctions on MANY HIJACKED SELLERS at the same time. Here is another hijacked eBay seller: Seller: janet***99 (2249; feedback score is 1000 to 4,999), Feedback: 99.0 % Positive, Member: since Dec-02-99 in United States. You can see a screenshot of the scam eBay auction for 2 Pioneer CDJ-1000 MK3 CD Players + 1 DJM-800 Mixer on this hijacked seller account with thousands of feedbacks.

The scammer using the jameswittt@gmail.com email address hijacked another eBay seller (Seller: me***74 (164), Feedback: 100 % Positive, Member: since Apr-21-03 in United States) and uploaded a scam eBay auction for Roland Fantom X8 Sampling Workstation Keyboard 88 Keys.

May 14, 2008

eBay scam auctions still rampant

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 5:43 am

A quick check this morning finds many eBay sellers and powersellers hijacked and fake auctions uploaded to their accounts.
Like this eBay seller, where the scammer uploaded a bunch of fake auctions, like this scam auction on eBay for Marantz reference series MA9-S2, with a typical scammer’s image inviting the unsuspecting eBay victims to email the scammer at a disposable email address, andresler299@gmail.com

Another hijacked eBay seller is a victim of this scammer, who is advertising a fake auction for Panasonic AG-DVX100B 3-CCD Mini-DV Cinema Video and inviting eBay victims of this scam to email him at a disposable email address, jhatch2@gmail.com

April 23, 2008

eBay S.A.F.E. = Stay Away From Ebay

Filed under: Hijacked Sellers, eBay Hackers, eBay Security — admin @ 4:00 pm

…another day another eBay Auction seller compromised.

Same scammer. Just a different hijacked seller.

Looks like our scammer boy switched email addresses; now he is scamming eBay buyers under esale92@gmail.com

eBay lets this scammer fleece unsuspecting eBay buyers daily. Here is a screenshot of the 176 scam eBay auction listings uploaded to a poor hijacked eBay seller from Mexico, and sample screenshots of some of the scam fraud auctions on eBay:

The complete list of the scam items will be added to our frequently scammed eBay Listings items list.

Update 4-24-2008: the scammer is busy at work as usual, running circles around eBay security, unfortunately. A quick check this morning finds a freshly hijacked eBay seller in Spain with over 150 Scam Ebay fraud auctions. Here is a screenshot of the Scam on eBay: Dale Chavez Western Show Saddle.


Beware of buying high end items on eBay!

And the same fellow has also hijacked many other sellers right now. Another quick check on the list of items this scammer has previously posted on eBay Auctions shows this hacked eBay seller account in Australia with another set of fake eBay auctions, like this Brother Innovis 4000D auction with another scam free email address to lure unsuspecting newbie eBay buyers: gmkie1980@gmail.com

Update 4-25-2008: yet another email address; the same scammer has hijacked another seller. This is just a spot check at a random time. The scammer is now also using this image asking eBay victims to email him at ele322@gmail.com. Here is a screenshot of the scamster’s image he inserts into those fake auctions.

April 21, 2008

eBay fraud and scam auctions continue

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 11:12 pm

We have been tracking this one scammer for years now. He must be one of the real slow learners, because he is so easy to spot and track. According to the scammer’s own admission, there are hundreds of them on eBay making a living daily. He is just one of the army. We’ve been tracking this guy since 2005 and he’s still scamming like there’s no tomorrow. Just now he has uploaded over 2500 FAKE SCAM AUCTIONS on a single hijacked eBay seller account. Notice that on the linked screenshot the number of scam auctions is just 1178 scam high end auctions; by the time we took inventory of the listings, the total number of auctions this eBay scammer had uploaded was 2663 scam auctions on a single hijacked seller account. They are the typical "email me at my gmail/aol/hotmail/msn disposable email address for a buy it now (off eBay) deal of a lifetime" auctions. Here is a screenshot of one of the 2663 scam eBay auctions this scammer uploaded on that poor hijacked seller’s account tonight. One of his many disposable email addresses is biz.kastor@gmail.com, with a history of hijacking other accounts on eBay and tracked by others. But wait, that’s not this scammer’s only email address. He operates with many; after all, he is a professional eBay scammer and makes a decent living, even by US standards, doing this. He is also known as trevor023@gmail.com, with a full blown photo album to facilitate his eBay scams. A quick check on eBay located 2 different hijacked sellers with this scammer’s email address published: hijacked seller stein**** with a fake eBay Roland Phantom X8 with case scam auction, and the same hijacker breaking into the account of an eBay seller in Australia with a scam auction for 2 Pioneer CDJ-1000 MK3 CD Players with contact email address trevor023@gmail.com, and another seller in the US hijacked by the same scammer trevor023@gmail.com with the same 2 Pioneer CDJ-1000 MK3 CD Player - SCAM-O-RAMA on eBay.
These auctions have been running for a while, see the link: this is a 5 day auction with 5 hours to go… so much for eBay taking these scam auctions down quickly… and these auctions have plenty of victims (aka newbie buyers on eBay). By coincidence or by design, another seller has been hijacked in France with an item from this seller’s repertoire. This eBay auction title says in French LISTING NOT VALID - IDENTITY HIJACKED, and the auction advertises the email address gigi_pizdulici99@yahoo.com.

The current list of items of this eBay Hacker / Scammer / Phisher is quite extensive. We are going to publish it here, so in case you are shopping for one of these items, please be extra cautious.

Here is a list of items this scammer is currently uploading daily to several hijacked eBay seller accounts.

The perplexing question is: if we can find and track this eBay scammer on eBay so easily and consistently without any resources or privileged security tools, why does a multi billion dollar company (eBay) not care enough to squash this scammer? Do they not care about the safety of eBay customers? Or are there just too many eBay scammers, and is the fraud so widespread through eBay that eBay’s team of over 2000 fraud prevention staff just cannot keep up?

April 17, 2008

Vladuz arrested?

Filed under: EBAY stock, Hijacked Sellers, Phishing, eBay Hackers — admin @ 8:42 pm

This just hot off the press:

eBay Applauds Romanian and U.S. Law Enforcement for Arrest of Alleged Cyber-criminal, Vladuz.

Another kudos to eBay. I hope it is true and not just another PR stunt by eBay in the wake of its share price decline that followed eBay’s Q1 earnings statement today.

But back to this exciting news… remember Vladuz? He was the Romanian hacker who hacked thousands of eBay seller accounts and injected ongoing legitimate auctions with his “zudalv” (vladuz spelled backwards) signature, just to prove to his audience, whoever they may have been, that he CAN hack eBay, and to further sales of his eBay scamming warez to his fellow eBay scammers who are less proficient in phish coding.

A good snapshot of Vladuz articles in the news over the past year can be found in The Register by Dan Goodin. You can read related articles on the bottom of that linked page.

It will be interesting to watch whether further news on Vladuz’s background, details of his arrest and some trial tidbits surface. Perhaps we can get confirmation of some of our own theories.

Apparently the original articles (in Romanian) about the capture of Vlad were published early this morning, one of them by Antena3, and according to bits of info gathered from the article, Vladuz’s real name is Vlad Constantin Duiculescu. Trying to translate this article on the basis of several other languages I speak, my rough translation would be that they report this 20 year old hacker specialized in creating phishing programs to extract eBay users’ logins, passwords, PINS and credit card numbers, and was the head of an outfit that made $2,000,000 in the period from 2005 through 2007. He was finally apprehended this morning, and while law enforcement entered his building, he managed to throw 3 laptops out of his window in an effort to destroy any evidence on those hard drives. —disclaimer— I do not speak Romanian, I only speak Italian, Spanish, Russian, Czech and English and this translation may be completely off base — end of disclaimer —

This article (also in Romanian) in Gardianul appears to offer quite detailed information on the activities of this Vlad character.

Anyone with Romanian language skills? If you can provide a translation of this article please post it into comments here - any interesting bits and pieces of info are appreciated. Thank you!

Update 4-19-2008: We have a translation of the articles under the comments area of this section. As more news details become available we will update this section.

Here is a Vladuz arrest video from TVR (Romanian TV)

Here is a police video from Vladuz’s apartment

Here is another police video on Vladuz from Romanian Antena3 TV

April 14, 2008

A Message from John Canfield – eBay Security News

Filed under: Hijacked Sellers, Phishing, Selling on eBay, eBay Security — admin @ 3:30 pm

Finally a step in the right direction! eBay appears to be catching up with the 20th Century - kudos anyway. Today’s announcement is truly music to our ears:

April 14, 2008 | 11:45AM PST/PT

John Canfield
Hello…I’m John Canfield, Senior Director for Trust & Safety policy management. My team specializes in working to keep the site safe and protected against fraud. Much of the company’s work around safety happens behind the scenes, but some of our efforts are also public-facing. Masking and protecting our Community’s identities on all bidder IDs on auction-style listings, the PayPal Security Key, our work with Yahoo and other domains to block email from unauthenticated addresses, and encouraging safer payments – each of these address a particular aspect of security and is making a dramatic difference in the overall security and safety of the marketplace and consumers’ confidence in shopping online. Our technologies – those that exist today, as well as those that we are designing for tomorrow – are helping to make the internet safer every day.
I’d like to tell you about a new safety initiative that launches on April 14th.

Trusted Selling with Identity Confirmation
One of the ways criminals attempt to defraud people on eBay is by gaining access to member accounts with well-established reputations which they then use to set up listings in that person’s name. They gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.

To protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.

If you are a seller, and you attempt to list an item from a different computer – for example, from a PC you are borrowing in a hotel or library – eBay will make an automated call to the phone number you have registered with us to confirm it is really you. We may also prompt you to verify your identity in other ways.

Initially, this identity confirmation process will only be applied to selling, although we may be extending this to other high-visibility activity in the future.

Sellers, please update your registered phone numbers
Now more than ever, having a current phone number on file with eBay is vital to the safety of the Community and to your business. A wrong or outdated phone number may delay your ability to list items or respond to your customers, if eBay cannot verify your identity.

Have a cell phone? Registering it could save you time and money
If you carry a mobile phone, we encourage you to add this number as a secondary phone number in your registration details, so that we can reach you when you are away from your business or residence where you normally use your trusted computer.

source: http://www2.ebay.com/aw/core/200804.shtml#2008-04-14114255

I just have one question for John:

Knowing this is in place, won’t the scammers/hijackers first change the phone number on the record, then wait a day or so, then list … so the phone authentication would end up in the lap of the hijacker?

… or does a phone number change from a DIFFERENT-than-usual computer also trigger phone or additional verification? … I hope some multi level logic exists on this.

Update 4-19-2008: My question and a few others were answered here: eBay Chatter
This change could not come fast enough. Hopefully our steady Romanian Hacker will then be stopped from hijacking eBay seller accounts daily and publishing fake auctions, just like he has hijacked another eBay seller right now and is publishing those typical high end scam auctions on eBay as we write this.
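The ordering problem raised in the question above can be modelled in a few lines. This is an added example, not eBay's logic and not code from the original post: the account model, the seven-day hold, the device names and the phone numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(days=7)   # assumed cool-off after a phone change; not an eBay value
OWNER = "+1-555-0100"      # constructed numbers
INTRUDER = "+1-555-0199"

@dataclass
class Account:
    phone: str
    trusted_devices: set
    previous_phone: Optional[str] = None
    phone_changed_at: Optional[datetime] = None

def _apply_change(acct, new_phone, now):
    acct.previous_phone, acct.phone, acct.phone_changed_at = acct.phone, new_phone, now
    return "changed"

def naive_change_phone(acct, device, new_phone, now):
    """Weak policy: a phone change is not treated as a sensitive action."""
    return _apply_change(acct, new_phone, now)

def naive_listing_challenge(acct, device, now):
    """Number that receives the automated call (None: trusted device, no call)."""
    return None if device in acct.trusted_devices else acct.phone

def hardened_change_phone(acct, device, new_phone, now, confirmed_on_old_number=False):
    """A change from an unrecognised device must first be confirmed on the OLD number."""
    if device not in acct.trusted_devices and not confirmed_on_old_number:
        return "confirm_on:" + acct.phone
    return _apply_change(acct, new_phone, now)

def hardened_listing_challenge(acct, device, now):
    """During the hold period a freshly changed number is not used for challenges."""
    if device in acct.trusted_devices:
        return None
    recent = acct.phone_changed_at is not None and now - acct.phone_changed_at < HOLD
    return acct.previous_phone if recent and acct.previous_phone else acct.phone

def replay(change_phone, listing_challenge):
    """Constructed scenario from the question: change the number from an
    unrecognised computer, wait a day, then list. Returns who gets the call."""
    acct = Account(phone=OWNER, trusted_devices={"home-pc"})
    t0 = datetime(2008, 6, 1, 9, 0)
    change_phone(acct, "unknown-pc", INTRUDER, t0)
    return listing_challenge(acct, "unknown-pc", t0 + timedelta(days=1))

def hold_demo(days_later):
    """A change made from the trusted computer still waits out the hold period."""
    acct = Account(phone=OWNER, trusted_devices={"home-pc"})
    t0 = datetime(2008, 6, 1, 9, 0)
    hardened_change_phone(acct, "home-pc", "+1-555-0142", t0)
    return hardened_listing_challenge(acct, "unknown-pc", t0 + timedelta(days=days_later))

if __name__ == "__main__":
    print("naive    ->", replay(naive_change_phone, naive_listing_challenge))
    print("hardened ->", replay(hardened_change_phone, hardened_listing_challenge))
```

With the weak policy the verification call lands on the number set a day earlier; with the step-up on phone changes it still reaches the number the owner registered.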

April 10, 2008

Another day - another scam fest - on eBay

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 5:06 am

These past few days our real life projects took us away from the time usually needed to monitor eBay fraud auctions, hence the silence.

A spot check this morning shows we have the usual scammers running circles around eBay.

Another day on eBay…
…another (few hundred) eBay powersellers hijacked
…another few thousand fake auctions by professional eBay scammers who are so amateurish even we can find them with minimal tools like an RSS feed that picks the usual scam phrases, scam items, scammers’ email addresses etc.

Here is the latest eBay powerseller with almost 1000 feedbacks, a nice lingerie store, being hacked right now with the usual assortment of fake auctions.

This eBay scammer’s latest signature tag line is:
As i take this auction very seriously i want to speak personally with every interested buyer who’s ready to make the deal of the year. I will sell it only to a serious person,just after i’ll talk with him via e-mail. Questions about condition,more pics, shipping; Contact me at :
Markosshopp@aol.com

Here is this eBay scammer’s and other scammers’ list of fake eBay auction items they love to offer to their eBay victims at fabulous once in a lifetime deal prices.

One has to ponder:

  • If we can find those scammers so easily with zero access to anything proprietary, just public RSS tools, why the heck is eBay not finding them and preventing them from fleecing unsuspecting buyers?
  • eBay boasts 5 Billion Dollars in surplus cash: why won’t eBay invest a teeny tiny minute fraction of it into improving security on their site?
  • When questioned about the ongoing security issues, where massive numbers of users’ logins and passwords are already compromised and in the hands of hackers, resulting in vast numbers of fake auctions on eBay, eBay always claims that’s not a problem. Why? What does eBay have to gain by letting fraud run rampant on its site?

April 2, 2008

How many eBay accounts are hijacked?

Filed under: Hijacked Sellers, Phishing, eBay Security — admin @ 7:10 am

It’s in the hundreds of thousands. Monitoring this single eBay hijacker, just spot checking every so often, we always find him hijacking one or more eBay accounts… it seems as though the hijacker has an unlimited supply of accounts. The same hijacker who had 4 eBay seller accounts hijacked a couple of days ago is currently uploading scam auctions to the PowerSeller account alliedweighing (260 Feedback score). Here is a screenshot of the usual scam auctions on eBay this hijacker uploads to compromised seller accounts:

hijacked powerseller alliedweighing by jnestoc@aol.com on eBay

Pioneer CDJ-1000 MK3 CD Players & 1 DJM-800 Mixer:: fake auction on eBay

This auction is appearing this minute on hijacked powerseller alliedweighing, and here is a screenshot of the scammer’s auction, asking eBay buyers to contact him at a freshly baked free email address:

Scammer’s signature line on each fake auction —>Please contact me before you bid for buy it now and the rest of the transaction details: jnestoc@aol.com

The hijacked Powerseller alliedweighing is not one of the thousands of hijacked eBay accounts on the list published earlier by another Blogger a few days ago, so these hijacked eBay accounts must come from yet another of the multitude of stashes of compromised eBay logins and passwords.

March 31, 2008

Fraud on eBay - have you been hijacked yet?

Filed under: Hijacked Sellers — admin @ 6:00 am

Everyone knows that eBay permits dangerous flash vulnerability scripts directly on its auctions, which let account hackers and hijackers extract your login and password if you simply browse eBay auctions. These hijacked logins and passwords then get sold to eBay fraudsters who log in as you and upload fake auctions to fleece unsuspecting eBay buyers into wiring money for a super deal item that will never arrive. Here is a tiny sample of Powersellers just hijacked by those scammers - see eBay buyers being conned on eBay right now. The sellers are innocent; they do not know they have been hijacked. It’s eBay management who refuses to secure their own venue.

hijacked powerseller sportsc (3110 Feedback score): note this is a scammers’ trademark, where they ask eBay buyers to contact them at a free email address: NOTE: To be able to bid on this auction you must contact the seller first: jnestoc@aol.com The seller have the right to allow bidders on this auction . Members who place a bid without contacting the seller will be directly reported to eBay. Scam auction 2005 TREK 5.9 MADONE 52cm LIKE NEW. This poor powerseller has a few hundred scam auctions uploaded to his account.

hijacked eBay seller james4laura (172 Feedback score): again, see the scammer, this time with email address csell28@aol.com, asking eBay users to contact him at his free disposable email address, linked from a free image server at hi5

Csell28@aol.com eBay scammer

This poor seller also has a number of fake eBay items uploaded to their account without their knowledge. Here is a screenshot of one of them: Scam Auction on Hijacked Seller Arp Odyssey II Model 2813 Synth

And the scammer is uploading more auctions on this hijacked seller. Here is a screenshot of the auction list at the moment:

Hijacked eBay seller james4laura

When the scammers run out of powerseller logins, they have no problem listing on new logins, like this notorious hijacker that loves to list on eBay his Fake eBay auction: 2 Pioneer CDJ-1000 MK3 CD Players & 1 DJM-800 Mixer. You can take a look at his album of Scam images with email addresses to insert into fake eBay auctions on seller accounts he hijacked.

The Pioneer CDJ-1000 MK3 CD Player is such a favorite of this eBay scammer that you can see several auctions per day on different hijacked seller accounts, like this screenshot of a Scam Auction on eBay for Pioneer CDJ-1000 MK3 CD Player on a hijacked seller ID marbiwi, where the scammer uploaded 40 fake auctions on the hijacked eBay seller just 2 minutes ago. We have the eBay hijacker’s trademark signature in each auction: This auction is for 1 DJ equipment ! If you want to buy directly contact me in my email because i have other 5 equipments available for sale: cofield023@gmail.com

Just as soon as eBay deletes scam auctions from the above hijacked sellers, the hackers dip into their cache of hijacked eBay user IDs and upload auctions to more hijacked sellers. Note we are only tracking one or at most two hijackers… The scammers claim that there are hundreds of them on eBay making a very good living. Here are some snapshots of current hijacked sellers:

March 17, 2008

Hacked eBay login/pass databases : are you there?

Filed under: Hijacked Sellers, Phishing, eBay Hackers, eBay Security — admin @ 7:49 am

This Blogger published a list of thousands of compromised eBay user logins and passwords that was found online for anyone to see. Go to their blog and you can check if your eBay login has been hacked. To find the database with hacked logins, just scroll down in the list of posts, find the March 15th posts and jump in to the sections that are presented alphabetically with groups of compromised eBay IDs.

We have saved the complete list so if iBay manages to threaten the blog owner into deleting those pages we can republish so the victims of UNSAFE eBay can protect themselves. Shame on eBay.

March 16, 2008

eBay Seller Hijackings continue

Filed under: Hijacked Sellers, eBay Security — admin @ 5:43 am

While eBay refuses to secure its own site, the professional hackers continue posting XSS flash auctions which will extract your eBay login and password directly on the eBay site if your browser has flash and javascript enabled. So once your login and password get into the hands of professional hackers, what happens next? Your eBay login will get used in the following manner: if you have selling enabled on your eBay account, the hacker will log in as you and post a bunch of fake auctions, requesting unsuspecting buyers to contact him at some gmail/hotmail/aol/msn or other free disposable email address. Those auctions will be for an expensive high end item which normally sells for a high dollar value, and the scammer will offer this item for about 30% of the going rate.

Here is an example of such a hijacked seller account auction, with all the telltale signs that the poor eBayer has been phished: instead of book listings you now see the scammer’s repertoire of high end items, asking you to email him at his gmail address so you can have those items for only $1000… let’s take a look at this Scam Auction on Hijacked Seller account: Apple MacBook Pro listed in the Books/Antiquarian Category on eBay on a Hijacked / Phished PowerSeller account from Germany

There are currently 83 fake scam auctions listed on this Hijacked Seller account on eBay - see the link to the auctions posted by the hacker on this hacked eBay account: ebay-seller-ensabel-antiquarian-collectible-dvd-hd-dvd-blu-ray-items-on-ebay.gif

Once buyers contact the scammer at his gmail address, the scammer will tell them some story about why he is giving away the expensive item at such a low price (divorce, tuition, cousin works at the factory…) and will ask the victim for their eBay login name, full name and address so he can prepare a fake eBay invoice and email this fake invoice with eBay logos, pretending the invoice came directly from eBay, recommending a wire transfer cash payment to Romania or Spain or the UK as a safe method, and assuring a satisfaction guarantee and free shipping. If the buyer/victim wires the money, they will never hear from the scammer again. By this time the hijacked seller has already discovered that his account login and password have been compromised and reported it to eBay, and eBay will remove the auction (check it out: when you try to access the auction for which we have provided a screenshot - here is a link to the eBay listing - you will find that it was removed). This makes it impossible for a victim to document to law enforcement that such an auction even existed, or that the auction was on a credible eBay seller account with good feedback… eBay will then pretend this scam never happened on its site. If the victim who wired the money comes seeking assistance from eBay, eBay will not offer any, as there was no auction, and the instructions that the victim received, although they looked like an official eBay invoice with eBay payment instructions, were just a fake invoice cleverly constructed to look like eBay sent it.

March 12, 2008

eBay is scammers paradise

Filed under: Hijacked Sellers — admin @ 7:57 am

Seller Hijackings have continued to plague eBay for years now. A quick check this morning uncovers another hijacked seller with a fake item posted for auction by this Romanian Hacker:

Screenshot of the fake auction on Hijacked seller account

The scammer maintains a photo album on a free image hosting site: Here is a LINK TO SCAMMERS PHOTO ALBUM

March 9, 2008

The commonplace eBay PowerSeller hijackings

Filed under: Hijacked Sellers, eBay Hackers — admin @ 4:18 am

If we can find these hijacked Power Sellers on eBay easily, why can’t eBay? A quick spot check this morning finds another eBay Power Seller hijacked and one of the Romanian eBay scammers listing fake items, his usual favorites to list are

kastoria07@gmail.com

Hacked eBay seller listing Sunday 3/9/2008 Fake item on eBay Roland Electronic Drum Sets -TD20S-BK - V-Pro TD20 Kit Roland Fantom X8 with Case  

March 1, 2008

Account Hijackers bypass eBay fraud filters

Filed under: Hijacked Sellers — admin @ 9:10 am

Trevor023atGMAILdotCOM MrSell89atAOLdotCOM

eBay FRAUD filters work on a text-based method. eBay’s Fraud Bot scans auctions for words used by professional eBay scammers and picks out suspect auctions. Account hijackers use a simple kiddie way to sail through eBay’s million dollar fraud system: they put their call to the unsuspecting eBay buyer, luring them off eBay, into an image and insert that image into the fake auctions on hijacked seller accounts.

How many legitimate seller accounts are hijacked at any given time? Our guess is thousands! A short search this morning revealed 3 seller accounts being hijacked right this minute by a single eBay hijacker. Here are screenshots of the 3 distinct eBay seller accounts being hijacked right this minute with fake auctions published on eBay.

Seller Antonello789 from Italy - Hacked and Hijacked

Seller Johnnyp5789 Hacked and Hijacked

Seller dhonaro - Hacked and Hijacked

Hey, eBay security “managers”, how about OCR software? Or is that newfangled OCR technology too expensive for you to protect unsuspecting buyers and secure the “venue”… perhaps there are not enough funds left in your 5 billion dollar cash reserves to care about fraudsters fleecing eBay buyers daily? Or how about making the PayPal KeyFob mandatory for any seller who needs to list more than 3 items at a time? It’s only $5 to acquire and it would surely stop the Account Hijackers from listing on Hijacked Seller accounts.
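The text-only filter and the OCR suggestion above, sketched as one listing screener. This is an added example, not eBay's filter and not code from the original posts: the `Listing` fields, the 40% price threshold, the sample listings and the email addresses in them are constructed, and the OCR text is assumed to come from a separate OCR step run on the listing's images.

```python
import re
from dataclasses import dataclass

FREE_MAIL = ("gmail", "aol", "hotmail", "msn", "yahoo")   # providers named in these posts
PRICE_RATIO = 0.4   # assumed cut-off; the posts describe offers at about 30% of going rate

PLAIN_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Spelled-out forms such as "NameatGMAILdotCOM" or "name (at) aol dot com".
OBFUSCATED_EMAIL = re.compile(
    r"[\w.+-]+\s*[\[(]?\s*at\s*[\])]?\s*(?:%s)\s*[\[(]?\s*dot\s*[\])]?\s*com"
    % "|".join(FREE_MAIL),
    re.IGNORECASE,
)
# Signature lines quoted in the posts, lower-cased.
LURE_PHRASES = (
    "contact me before you bid",
    "contact the seller first",
    "contact me in my email",
    "contact me at",
)

@dataclass
class Listing:
    description: str
    price: float
    reference_price: float     # typical going rate for the item (assumed input)
    image_text: str = ""       # OCR output for the listing images (assumed input)

def find_contact_lures(text):
    """Return the kinds of off-site contact lure found in one piece of text."""
    hits = set()
    if PLAIN_EMAIL.search(text) or OBFUSCATED_EMAIL.search(text):
        hits.add("email")
    normalised = re.sub(r"\s+", " ", text).lower()
    if any(phrase in normalised for phrase in LURE_PHRASES):
        hits.add("lure_phrase")
    return hits

def screen(listing, use_ocr=True):
    """Sorted list of signals; use_ocr=False reproduces a text-only filter."""
    signals = {kind + "_in_text" for kind in find_contact_lures(listing.description)}
    if use_ocr and listing.image_text:
        signals |= {kind + "_in_image" for kind in find_contact_lures(listing.image_text)}
    if listing.reference_price and listing.price < PRICE_RATIO * listing.reference_price:
        signals.add("price_far_below_market")
    return sorted(signals)

# Constructed sample listings (addresses are made up for this example).
SAMPLES = {
    "text_lure": Listing(
        "Please contact me before you bid for buy it now and the rest of the "
        "transaction details: constructed.seller01@aol.com", 900, 1000),
    "image_lure": Listing(
        "See picture for details.", 1000, 3500,
        image_text="If you want to buy directly contact me in my email: "
                   "ConstructedNameatGMAILdotCOM"),
    "ordinary": Listing(
        "Used lens in good condition. Use the Ask seller a question link.", 3200, 3500),
}

if __name__ == "__main__":
    for name, listing in SAMPLES.items():
        print(name, "text-only:", screen(listing, use_ocr=False), "with OCR:", screen(listing))
```

Run on the image-only sample, the text-only pass sees nothing but the low price, while the same patterns applied to the OCR text pick up both the spelled-out address and the signature phrase.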