RealTime IT News

Hijacking & Fraud Plague eBay Users

"Dear customer,
We want to inform you that because of some technical problems and a great data loss our team scheduled a maintenance session and managed to keep your account and auctions in good state.
Please verify if you are still able to log in and if your account is active clicking here:
(The actual link has been removed for the readers' safety.)
If there appear to be problems with your account please contact our technical support.
Technical Support Department
eBay Inc."

-- A quote from a user found on the eBay Trust and Safety bulletin board

If you've received an email similiar to the above example and wondered if it was legitimate or not, be aware that it's NOT. But, unfortunately, if you did click on the link that was provided and input your eBay account information, you've just handed confidential information over to criminals. It's part of a sophisticated scam that's become increasingly problematic for legitimate online auctioneers and e-commerce operators.

Imagine that you're a seller on eBay. Your business is going along just fine, and one morning you turn on your computer and you can no longer access your auction management account. You look on, dumbstruck, at listings that you didn't put up. People are bidding on them. Yes, your auction account has been taken over.

It's called account hijacking, and it's eBay's dirty little secret.

San Jose, Calif.-based eBay has said that less than one one-hundredth of one percent of its listings end in confirmed cases of fraud. But given the size of eBay, which claims somewhere around 50 million registered users, and the number of transactions, that small percentage is still plenty troubling.

"I think it's more serious than eBay lets on," said David Steiner, president of AuctionBytes.com, a site that covers the online auction world.

And whether that's so or not, auction fraud in one form or another is clearly a serious matter for eBay and all its users. And it doesn't only happen to sellers. Say you're a frequent buyer. You visit an auction site that has lots of positive feedback. Maybe you even bought something there before. You see something you want, you lay out your hard-earned money and wait for your merchandise. And wait and wait and wait. Finally, you realize you've been scammed.

Last spring in a filing with the Securities and Exchange Commission, eBay said it believes "that government regulators have received a substantial number of consumer complaints about us, which, while small as a percentage of our total transactions, are large in aggregate numbers."

That was in March of this year, shortly after eBay began to notice a serious uptick in fraud. In April, eBay began warning users about possible attempts to gain access to their private information and said that it shut down its "change your password" feature temporarily to install a fix for a hole in its security system.

"From what we've seen so far, there have been a relatively small number of users having their accounts taken over," eBay spokesman Kevin Pursglove told internetnews.com, adding that "we have taken some steps to counter it."

"We do not provide any statistical breakdown on this," Pursglove said. "... we believe some of the increase in these scams originates in Eastern European countries."

That would go along with what law enforcement authorities have told internetnews.com about these and other online scams - that many of them originate in the former Soviet Union, and some in Southeast Asia. In fact, hijacked accounts are sometimes sold rather openly in Internet black markets.

But regardless of where the hijackers come from, it can be a pretty bad period in your life if your account is taken over by scam artists. And it's easy to be taken in.

An eBay seller called Suzi in Austin, Texas, who has been selling on the auction site for a year or so, was scammed recently by a fake e-mail.

"The wording was very professional .... I had no reason to doubt it was not from eBay," she said. "So, with each e-mail, I clicked on the link .... the eBay sign-in page would appear .... my user ID was already displayed on the page .... I just needed to type in my password like always..."

Suzi said it took her three days to sort out the mess. "I canceled ALL of my credit cards ..... PayPal account, Billpoint account, changed all passwords to anything and everything on the computer, and changed all of my bank accounts, too....just to be safe."

"They try to get passwords to your account," AuctionBytes.com's Steiner said. "Once they have access they can change the password so that the legitimate account owner no longer has access."

"Ideally they get someone who has gathered a respectable amount of positive feedback," Steiner said. "Then they put up some auctions for expensive items, maybe a plasma screen TV. People send their payments and the scam artists disappear. The account holder is left to clean up the mess."

That's exactly what happened to Suzi.

How else do criminals get a hold of confidential account information? What red flags should buyers and sellers watch out for? More on Page 2.