Fraudsters Use Phishing Attacks to Hijack eBay Accounts
By Ina Steiner
A 20-year veteran of the military named Doug received an email on Thursday informing him that eBay had put a temporary hold on his selling account. The email instructed him to click on a link that led to what appeared to be eBay.com, where he verified his account. Ten minutes later, he received 29 email messages from shoppers asking questions about products that he had not put up for sale, including bicycles and exercise equipment.
Doug learned he was a victim of a phishing scam - he had entered his eBay user name and password into a spoof website. In a short period of time, a fraudster used Doug's account to post 63,000 auctions to try and trick eBay buyers into sending cash via Western Union.
Scammers have been targeting eBay and PayPal users with phishing emails for close to a decade - this article from 2002 describes the same technique, which is obviously just as effective today in tricking online sellers. Once scammers have an eBay seller's log-in information, they hijack the account, listing thousands of 1-day auctions and directing bidders to contact them via email for a special "Buy It Now" price.
Once the scammers are contacted, they instruct the eBay shoppers to pay immediately through wire-transfer, a method that is like handing over cash, with no way to ever get the money back. eBay does not protect buyers who fall for such scams because it says those transactions are completed off of the eBay site.
Unlike many sellers who fall victim to an account takeover, Doug quickly realized what happened. He said when he called eBay, the company already knew something was amiss. eBay stayed on the phone with him and helped him change his password. "I was very impressed with eBay, they walked me through it," Doug said.
Doug said there had been 10 - 12 bids on bogus auctions before eBay was able to restrict bidding. eBay cancelled the bids and sent emails to all of the bidders informing them there was a temporary hold on the account due to a scam that was no fault of the seller.
However, rather than shutting down the account, eBay put a hold on it so no one - including Doug - could access it or bid on the listings. eBay then began removing auction listings in batches, a process that took hours. That meant bogus auctions were visible to eBay shoppers through midnight, giving the scammer 4 hours of visibility.
Restricting the bidding is not effective in such scams - here's why. The hijacker of Doug's account listed 63,000 auctions, all with a starting bid of $99 - but the auction descriptions included a JPG image containing instructions to send an email to get the Buy It Now price of $1700:
"Instead of "Ask Seller a Question " form contact me at my personal email as I cannot read eBay email. Here is my personal email....I am sorry but I will not sell through the bidding, only by But It Now. This transaction will be made through eBay. Will only sell at the Buy It Now price, no bids allowed!!! But It Now price is US$1700."
Some of the shoppers who came across the auctions did send an email to the hijacker. Doug knows, because he received over a dozen emails from eBay buyers telling him they had contacted so-and-so through the gmail accounts that were listed in the auctions and wanting to confirm that the person did indeed work for Doug. The emails said they were instructed to wire transfer money to a Western Union office in the UK. It's likely no one will ever know just how many people fell for the scam and actually sent $1700 for items they will never receive.
eBay spokesperson Johnna Hoff responded to AuctionBytes' inquiry about the scam:
"eBay takes account takeovers and fraudulent listings very seriously and has put in place a number of strict controls to significantly reduce this activity. Although we've made considerable progress, there are isolated cases when such events occur. We work quickly to remediate these cases and appreciate every report we receive from the community to notify us of incidents when they occur. We will continue to work closely with our partners and community to keep eBay a safe and trusted marketplace."
An eBay watchdog who goes by the name "cappnonymous" captured video showing in great detail the scam listings. The video, posted on YouTube, shows two seller accounts that were hijacked on Thursday night.
As for Doug, he was relieved when eBay told him he would not be responsible for the $119,000 in seller fees that were racked up by the hijacker.
Learn more about email phishing scams on the APWG website
About the author:
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to email@example.com.