And the Online Fraud Goes On…

  • eBay account hijacked, bidders bilked in ‘rampant’ fraud
  • Man pleads not guilty in eBay fraud
  • Two must repay $35,000 to eBay fraud victims
  • Police nab fugitive in eBay fraud case
  • Police – Man arrested for failure to deliver on eBay purchases
  • FBI Seeks Hacker Who Stole eBay Info


The above are all recent headlines found in about 30 seconds’ worth of looking on Google News. Apparently, it’s safe to say that fraud is still a problem at the world’s largest online auction site.


Despite the headlines, however, eBay’s official position remains the same: the rate of fraudulent transactions on the site runs about one one-hundredth of one percent, the company says. And Wall Street loves the company, which is beginning to make substantial amounts of money — perhaps as much as $2 billion this year.


Nevertheless, San Jose, Calif.-based eBay, no doubt because of its immense success and constantly growing user base, remains a continuing target for fraud attempts, as does its PayPal online payments subsidiary, whose users are regularly targeted by scam artists.


Postings like this recent lament on an eBay bulletin board are common:


“someone emailed my highest bidder, offering the same item i have for sale, for a lower price. the thing is, it was a private auction and only the seller (me) can see the bidders. i was surprised when the bidder emailed that he’s not interested anymore and that he was offered a cheaper price. i filed a complaint with ebay and then i checked my paypal account. someone used my funds 288 dollars to be exact and paid someone who’s not even active on ebay anymore. i never made such payment. i filed a complaint with paypal. the thing is, i lost all the confidence i had on ebay and paypal. how can someone just hack into my accounts and use it?”


One way they can do that, of course, is the all-too-common phony e-mail directing eBay users to a spoof Web site, where they are directed to enter their account names and passwords, sometimes under (false) threats of being banned from the site.


“Dictionary attacks against multi-user domains — attacks in which spammers do not know specific AOL or Yahoo! e-mail addresses, but instead try many combinations until they succeed in finding a valid address… portend continued fraud attacks,” said Rob Leathern, an analyst at Jupiter Research, in a recent report on fraud management. “PayPal has already experienced this combination; once fraudsters have valid e-mail addresses, they can send out e-mails with the look and feel of communications from an established (preferably large) institution that many customers will recognize… [they do this] without even knowing precisely which users are customers of this institution. This kind of ‘dartboard’ attack poses a danger that cannot be ignored by any firm doing business online.”


Here’s the text of a typical such e-mail, which falsely stated that it came from eBay:
“As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts.
You are requested to visit our site by following the link given below http://www.ebay.com/verification/%?6488820019
Please fill in the required information.”


That site is down now, but who knows how much account data was harvested?


Wouldn’t people be wise to this scam by now? Not necessarily, said one auction expert.


“There’s a constant pool of potential new victims as new sellers sign on to eBay,” said David Steiner at AuctionBytes, which covers the world of online auctions. “And I still see a consistently steady stream of scam e-mails.”



The scope of auction fraud and the FTC’s take


Research and analysis firm eMarketer recently forecast that there will be 162 million U.S. Internet users by the end of 2003, a jump of nearly 10 million over last year. And the greatest population growth segment will be in the 55 to 64 age range — those folks who did not “grow up” with the Internet and may not be the savviest people when it comes to faked e-mails and spoofed Web sites.


Steiner said that newly registered users at eBay are directed to a link that mentions (how to watch for and deal with) fraudulent e-mails, “but it’s easy to miss. I wish they would make it a little more visible to the average user.”


Still, the main eBay page does have links to tips for both buyers and sellers.


For its part, eBay is now issuing warnings about scam e-mails and spoof Web sites in its Announcements section about every two or three weeks, company spokesman Kevin Pursglove told internetnews.com. He said the company has been doing that “for seven or eight months.”

Pursglove said the number of complaints about scams seems to ebb and flow — it goes away for a while when the news media is focused on the issue, and then it comes back.


“Reporters start covering the issue, then the perpetrators of these e-mails lay low for a while,” he said.

But they never seem to go away for long, and that has caught the attention of the Federal Trade Commission. In fact, such e-mail scams resulting in auction fraud are the subject of an ongoing investigation, according to Steven Wernikoff, a staff attorney with the FTC.


“It’s difficult to say how many complaints there are about this – some people who complain don’t realize they were dealing with a hijacked account,” Wernikoff said. “It has fairly recently come up on our radar screen as a problem.” He declined to discuss specifics of any particular investigations.


“As we understand it, people are fishing for account information and then using it to hijack those accounts — then selling items from someone else’s account,” he said. “They change the password and lock out the real owner of the site. Then they can sell items purporting to be from the account owner.”


“When people complain to us, many times they don’t realize the person they were dealing with had hijacked a legitimate account. At the end of the day you end up with multiple victims — the (defrauded) buyer of the goods, and the person whose account was hijacked,” Wernikoff said.


The criminals “are getting enough money out of this to make it worthwhile,” AuctionBytes’ Steiner said. They can “set up multiple accounts, trade feedback back and forth, then pull a scam (often by advertising a high-end item for sale, like a computer) and then just disappear.”


“It’s done often enough to make it disturbing,” Steiner said.


Steiner said that eBay does seem to be warning members a bit more regularly in the Announcements forum, “but the problem is that their announcements scroll off after a week or so, which means that many people never see it.”


Newbies, of course, are at the most risk. “New sellers, new Internet users, these are the people most likely to fall for these e-mail scams,” Steiner said. “Everyone should consider themselves at risk, however, and never let their guard down. We’ve found that experienced users can also get complacent.


“Because the scam e-mails usually convey a sense of urgency, it’s easy to react too quickly. For example, there might be a letter that says your account has been hacked, and you have to hurry and change your password or else your auctions will be ended,” Steiner said.


eBay itself encourages members who receive such e-mails to forward them to [email protected]


“We have a number of new anti-fraud tools in place,” Pursglove said. “However, it has always been our practice not to disclose the details of these efforts. One of the challenges with these spoof e-mails and phantom Web sites is that they occur outside the system of any given Internet site. The perpetrators are attempting to exploit the openness of the e-mail system in general.”


“We think education continues to be our best tool,” he said.


One of the steps eBay has taken is prominent display of a Seller Information Box on the description page of items for sale. The box includes information such as the seller’s User ID, Feedback total, percentage of positive feedbacks, etc. It also includes a quick link to eBay’s Safe Trading Tips and it’s being rolled out now, category by category.


Meanwhile, if you’ve been ripped off, the FTC is encouraging people to file complaints.


“The data helps us to find these people,” said the FTC’s Wernikoff. “If someone has misappropriated your information, you should also file an identity theft complaint.”


Complaints can be filed with the FTC here and with the joint law enforcement site called Consumer Sentinel.


And if all else fails, you can always turn to a relatively new site (in no way affiliated with eBay) called Ebayersthatsuck.com. The site, founded by a New Jersey cop who felt he was ripped off, lets the newly scammed tell their tales of woe in more than just the 80 characters that eBay provides for feedback.


And since everybody has to make a buck, they’re even selling the official “eBayers that Suck Voodoo Doll.”
