Hijacking & Fraud Plague eBay Users

“Dear customer,

We want to inform you that because of some technical problems and a great data loss
our team scheduled a maintenance session and managed to keep your account and auctions in good state.

Please verify if you are still able to log in and if your account is active clicking here:

(The actual link has been removed for the readers’ safety.)

If there appear to be problems with your account please contact our technical support.


Technical Support Department

eBay Inc.”

— A quote from a user found on the eBay Trust and Safety bulletin board

If you’ve received an email similar to the example above and wondered whether it was legitimate, be aware that it is NOT. Unfortunately, if you did click on the link it provided and entered your eBay account information, you have just handed confidential information to criminals. It is part of a sophisticated scam that has become increasingly problematic for legitimate online auctioneers and e-commerce operators.

Imagine that you’re a seller on eBay. Your business is going along just fine, and one morning you turn on your computer and you can no longer access your auction management account. You look on, dumbstruck, at listings that you didn’t put up. People are bidding on them. Yes, your auction account has been taken over.

It’s called account hijacking, and it’s eBay’s dirty little secret.

San Jose, Calif.-based eBay has said that less than one one-hundredth of one percent of its listings end in confirmed cases of fraud. But given the size of eBay, which claims somewhere around 50 million registered users, and the number of transactions, that small percentage is still plenty troubling.

“I think it’s more serious than eBay lets on,” said David Steiner, president of AuctionBytes.com, a site that covers the online auction world.

And whether that’s so or not, auction fraud in one form or another is clearly a serious matter for eBay and all its users. And it doesn’t only happen to sellers. Say you’re a frequent buyer. You visit an auction site that has lots of positive feedback. Maybe you even bought something there before. You see something you want, you lay out your hard-earned money and wait for your merchandise. And wait and wait and wait. Finally, you realize you’ve been scammed.

Last spring in a filing with the Securities and Exchange Commission, eBay said it believes “that government regulators have received a substantial number of consumer complaints about us, which, while small as a percentage of our total transactions, are large in aggregate numbers.”

That was in March of this year, shortly after eBay began to notice a serious uptick in fraud. In April, eBay began warning users about possible attempts to gain access to their private information and said that it shut down its “change your password” feature temporarily to install a fix for a hole in its security system.

“From what we’ve seen so far, there have been a relatively small number of users having their accounts taken over,” eBay spokesman Kevin Pursglove told internetnews.com, adding that “we have taken some steps to counter it.”

“We do not provide any statistical breakdown on this,” Pursglove said. “… we believe some of the increase in these scams originates in Eastern European countries.”

That would go along with what law enforcement authorities have told internetnews.com about these and other online scams – that many of them originate in the former Soviet Union, and some in Southeast Asia. In fact, hijacked accounts are sometimes sold rather openly in Internet black markets.

But regardless of where the hijackers come from, it can be a pretty bad period in your life if your account is taken over by scam artists. And it’s easy to be taken in.

An eBay seller called Suzi in Austin, Texas, who has been selling on the auction site for a year or so, was scammed recently by a fake e-mail.

“The wording was very professional …. I had no reason to doubt it was not from eBay,” she said. “So, with each e-mail, I clicked on the link …. the eBay sign-in page would appear …. my user ID was already displayed on the page …. I just needed to type in my password like always…”

Suzi said it took her three days to sort out the mess. “I canceled ALL of my credit cards ….. PayPal account, Billpoint account, changed all passwords to anything and everything on the computer, and changed all of my bank accounts, too….just to be safe.”

“They try to get passwords to your account,” AuctionBytes.com’s Steiner said. “Once they have access they can change the password so that the legitimate account owner no longer has access.”

“Ideally they get someone who has gathered a respectable amount of positive feedback,” Steiner said. “Then they put up some auctions for expensive items, maybe a plasma screen TV. People send their payments and the scam artists disappear. The account holder is left to clean up the mess.”

That’s exactly what happened to Suzi.


These criminals can sometimes get money out of more than one buyer: they e-mail some of the losing bidders and claim that the winner backed out.

That’s what almost happened to a user in the Atlanta area whom we will call Janice when her eBay account was hijacked.

“Somebody had guessed my password, got into my account and completely took it over,” she said.

One morning she went to look at her listings and to her surprise could not access her account, where a $2,000 computer had just been sold to an unsuspecting eBay newbie.

The hijacker had actually sent the buyer a link to the listing. “They found her because she was a runner-up in another auction,” Janice said. “She wanted this exact computer.”

The newbie buyer hadn’t noticed that Janice is a seller of decidedly non-electronic items. Janice said she knew immediately what was going on and e-mailed the buyer, who was able to cancel a Western Union money transfer to someone in the Philippines.

“eBay said there’s really nothing they could do,” Janice said, and the FBI eventually told her the amount of money involved was too small to warrant an investigation.

Account passwords can be obtained in a variety of ways, but one of the more common is the sort of scam recently run against PayPal, in which very legitimate-looking HTML e-mails ask users to re-enter their data for an innocent-sounding reason. The link usually sends users to a spoof Web site put up solely to harvest account data.

eBay account passwords can be obtained in the same way. In fact, some eBay users report that the fake e-mails threaten to suspend their accounts if they don’t “reverify” their information.

“The (spoof) site looks just like an eBay site but it’s on a different server,” Steiner said.

Even sophisticated and experienced Internet users can sometimes be taken in — the forgeries are that good. And Steiner said that some of eBay’s users are not particularly Net savvy — some of them learned just enough computer skills to start selling at the auction site. They’re businesspeople, not tech heads.

“eBay is in a tough position,” Steiner said. “A lot of people are accessing the site all the time, and auction sellers are accessed by a lot of people with less than good intentions. You have to be smart about your password.”

Some hijack attempts against eBay sellers come via bots — automated robotic programs that generate a variety of passwords from a “dictionary” trying to crack an account. A quick and nearly effortless search on Google turns up all kinds of such programs out there, with names such as “HackOffice,” “HotMailHack” and “Brute 2.0.” One program, called “4Digits,” is described as “a great dictionary file of four digit numbers. Good for cracking things that ask for the last four digits of a CC# or SS#.”

The step up in the frequency of password cracking attacks prompted eBay to take steps last spring to combat the scam artists, Pursglove said. But it’s no easy task.

eBay wants “to balance our design to protect accounts with the openness of the community” that makes eBay more than just another e-commerce site, Pursglove said.

“We created a new page on the site instructing people how to select a password – use upper and lower case, do not use passwords from other sites, mix letters and numbers, etc.,” Pursglove said.

“We have also increased our efforts should a (scam artist) try to change an account — our confirmation e-mails now go to the new e-mail address as well as the old address,” Pursglove said.

“And we’re developing some tools to check that after a certain number of (attempted) entries, a user will be rerouted into the password information system, which bots can’t get through.”

eBay’s new security feature kicks in after a certain number of failed log-in attempts. A screen pops up asking for the User ID, password and a special Security Code that appears on the screen. The Security Code is a picture of a number, requiring a human being to be at the computer to enter the code.
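As an added illustration (this is not eBay’s code; the failure threshold, the hashing choice and the sample account are assumptions), here is a login gate in Python that behaves the way Pursglove describes: after a fixed number of failed attempts on a user ID it refuses to check passwords at all, even the correct one, until a security code that only a human could read off the screen is supplied. A dictionary bot of the “4Digits” kind is then run against it to show where it stalls.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: the article does not say how many failures eBay tolerates.
FAILED_ATTEMPT_LIMIT = 3


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential table is not trivially cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGate:
    """Password check that escalates to a human-only security code after
    FAILED_ATTEMPT_LIMIT consecutive failures on a user ID."""

    def __init__(self) -> None:
        self._accounts = {}       # user_id -> (salt, pbkdf2 digest)
        self._failures = {}       # user_id -> consecutive failed attempts
        self._pending_codes = {}  # user_id -> code currently shown on screen

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, _hash_password(password, salt))

    def issue_security_code(self, user_id: str) -> str:
        """Stand-in for the picture-of-a-number challenge: the server remembers
        the code it drew; a bot that cannot read the image never learns it."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending_codes[user_id] = code
        return code

    def login(self, user_id: str, password: str,
              security_code: Optional[str] = None) -> str:
        """Return 'ok', 'denied', or 'code_required'."""
        if self._failures.get(user_id, 0) >= FAILED_ATTEMPT_LIMIT:
            expected = self._pending_codes.get(user_id)
            if (expected is None or security_code is None
                    or not hmac.compare_digest(expected, security_code)):
                return "code_required"
            del self._pending_codes[user_id]  # each code is good for one attempt
        stored = self._accounts.get(user_id)
        if stored is not None:
            salt, digest = stored
            if hmac.compare_digest(digest, _hash_password(password, salt)):
                self._failures[user_id] = 0
                return "ok"
        # Count failures for unknown IDs too, so probing cannot tell them apart.
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return "denied"


def run_dictionary_bot(gate: LoginGate, user_id: str, wordlist):
    """Simulates a bot working through a list such as '4Digits': it tries each
    candidate in turn and, having no way to read the picture, never supplies a
    security code. Returns (outcome, attempts_made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = gate.login(user_id, candidate)
        if result == "ok":
            return "cracked", attempts
        if result == "code_required":
            return "blocked", attempts
    return "exhausted", attempts


def demo():
    """Constructed scenario: a seller with a weak four-digit password."""
    gate = LoginGate()
    gate.register("suzi_austin", "4729")
    outcome, tries = run_dictionary_bot(
        gate, "suzi_austin", (f"{i:04d}" for i in range(10_000)))
    # The legitimate owner reads the code off the screen and gets back in.
    code = gate.issue_security_code("suzi_austin")
    owner = gate.login("suzi_austin", "4729", security_code=code)
    return outcome, tries, owner


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the gate also refuses the correct password once the limit is reached: a bot that happens to hit the right entry on its fourth try still gets nothing back but the code prompt, while the owner only has to type what the picture shows. The limit resets on a successful login, and the cost is paid per user ID, so a bot spreading guesses across many accounts is a separate problem this gate does not address.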

About a year and a half ago, eBay began requiring all new registrants to choose a user ID other than their e-mail address. Pursglove said that move also cut down on the ability of bots to extract information.

Still, he advises users to check their listings frequently via the “my eBay” function. “Check your listings, see if they’re all yours,” he said.

And keep your account active. “Sometimes they go for accounts that have been dormant for two to three months,” Pursglove said.

“I think it’s really education,” said Larry Jordan, vice president of marketing at AuctionWatch.com, which sells auction software for sellers.

“What people really need to do is think about these e-mails logically,” he said. “If you get any e-mail asking for sensitive data, think about it. Look at the URL to make sure it’s really the right Web site. Look for dummy links. If you have any bit of concern, send a note to that company, rather than fill in a form. Be diligent with your passwords.”
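Jordan’s advice to look at the URL and watch for dummy links can be mechanised. The following Python is an added example, not code from the article or from AuctionWatch: it pulls every link out of an HTML e-mail and flags the ones whose real destination does not match what the message shows. The trusted-domain list, the sample message and the check order are assumptions made for the illustration; the sample e-mail is constructed in the style of the one quoted at the top of the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a list we maintain ourselves; the article gives none.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}

# Constructed sample message; the IP addresses are documentation ranges.
SAMPLE_EMAIL = """<html><body>
<p>Please verify your account by <a href="http://www.ebay.com/">clicking here</a>.</p>
<p>Or visit <a href="http://192.0.2.5/cgi-bin/signin.html">http://www.ebay.com/signin</a>
to confirm your details.</p>
<p><a href="http://www.ebay.com@198.51.100.7/">eBay Sign In</a></p>
<p>Questions? See <a href="https://signin.ebay.com/">https://signin.ebay.com</a>.</p>
</body></html>"""

# Visible text that itself looks like a URL or hostname.
_HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)")


def registrable_domain(host: str) -> str:
    """'signin.ebay.com' -> 'ebay.com'. A last-two-labels shortcut; real code
    should consult the Public Suffix List so that co.uk and friends work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the message body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str):
    """Return (href, reason) for every link that deserves suspicion."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlsplit(href.strip())
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            findings.append((href, "not an http(s) link"))
            continue
        if url.username is not None:
            # Everything before '@' is ignored by the browser; the real host follows it.
            findings.append((href, "text before '@' is a decoy; real host is " + host))
            continue
        shown = _HOST_IN_TEXT.match(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, "displayed as %s but points at %s" % (shown.group(1), host)))
            continue
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            findings.append((href, "host %s is not a site we trust" % host))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(reason, "->", href)
```

Two of the four links in the sample are flagged: the one whose visible text reads as an eBay address while the href goes to a bare IP, and the one that hides the real host behind a decoy name and an `@`. The first link, which says only “clicking here”, passes because it genuinely goes to ebay.com; checking that the link text names the right site is no help when the text names no site at all, which is why the audit also falls back to the allow-list.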

Steiner at AuctionBytes says buyers should be cautious if they see some of these tip-offs that an account has been hijacked:

  • Accounts that suddenly begin selling high-priced items.
  • Accounts that used to list items in one part of the country and suddenly start listing items in another part of the country.
  • Accounts where the person is mainly a buyer. (You can tell by looking at the letters next to their feedback – “S” = seller, “B” = buyer.)
  • Accounts that ask you to “e-mail me” for payment methods.
  • Sellers who want you to pay only by Western Union, especially to a foreign country.

“The community of online merchants on (auction sites) is overwhelmingly honest as a group,” Steiner said. “They care. It’s a great way of making a living. Some are disabled or elderly. They may have learned their computer skills solely to sell on eBay. When (an account is hijacked) there’s a big void of information about what to do.”

“It would help for eBay to have a phone contact and not make sellers wait for canned e-mail messages from Safe Harbor,” he said. “But eBay is trailblazing – nobody else has ever had to determine how to handle all these problems that are unique to the Internet. They’re in a very difficult position.”

“It’s a different kind of retail experience because it’s so personal,” Steiner said. “Which also tends to make people trusting. And that’s probably where they can be taken advantage of.”

Janice would agree with that. But despite having her account hijacked, she’s back on eBay and making nice money as a seller, although with new, longer, more complicated passwords that she changes frequently.

And she still loves the auction site.

“I think eBay is the perfect business model for the Internet,” she said. “But they need to fix this … I just don’t know how.”

If you have been duped, what can you do? eBay offers some tips to help.
