| | #2 (permalink) |
| Earning the green stuff.. Current Rebreather/s: | Re: ebay fraud? Very interesting that there are serial numbers listed. My Inspo was sold to a buddy....do these even look close to being real numbers? Are these YOUR numbers? Could the scammers be getting smarter?
__________________ "These are not the droids you are looking for.... move along" - Obi-Wan Kenobi |
| | #3 (permalink) |
| Bubbless Box of Death Current Rebreather/s: Home Build Other Rebreather/s: Home Build Join Date: Oct 2005 Location: Sunny Florida
Posts: 1,454
| Re: ebay fraud? I have become CONVINCED that eBAY has an internal problem of some kind - and that a non-zero amount of the hacking of accounts is due to it. My account was "penetrated" yesterday and a boatload of listings (100) that I had nothing to do with were posted. All scams. Their system noticed the problem and locked my password but did not remove the listings until I got ahold of them - and changed/recovered the password. They DID remove the listings and credit my account, so other than the hassle, this cost me nothing. But - how did my password - which was quite secure - get out? Here's the thing - I'm immune from "click through" email spoofs, because I read email in character mode (in what amounts to a terminal program) on Unix. I also have a very good spoof/spam filter which catches hundreds of these attempts daily - and none get through. Now here's the other side of the issue - every time I post a listing on eBAY, within minutes I am sent a whole host of spoofs trying to get my password. In some cases, up to 100 of them within a couple of hours! How do the spoofers get my email address? And how do they know I posted something for sale on eBAY before the index pages pick it up? I'm convinced that a material portion of the scamming and hacking is either due to a weakness in their system (that is being ACTIVELY exploited) or is an outright inside job. After all, it's not hard to get someone's password if you can just pick it off from the database where it's stored!
__________________ "A venturesome minority will always be eager to get off on their own, and no obstacles should be placed in their path; let them take risks for Godsake, let them get lost, sunburnt, stranded, drowned, eaten by bears, buried alive under avalanches - that is the right and privilege of any free American." http://www.denninger.net http://www.diversunion.org/liability.htm - Fix the Diving Cert racket |
| | #4 (permalink) |
| Earning the green stuff.. Current Rebreather/s: | Re: ebay fraud? I could tell you/show you things that would make you never connect to the internet again. All it takes is one bad web page, one bad email, even an MP3 or JPG that's been written to attack your system. Emails are easy. Most hackers and spammers have programs that do nothing but go and find emails on the internet. Passwords can be guessed even if yours is G6hj8$2jJlm (no, that's not my password). Things can be made more difficult but not much is foolproof. So your ebay password.... is it the same password that you've used anywhere else (web page, email account, etc.)?
__________________ "These are not the droids you are looking for.... move along" - Obi-Wan Kenobi |
| | #5 (permalink) |
| Cap Ron scourge of the NW Current Rebreather/s: | Re: ebay fraud? I'm just glad the webhead is one of the good guys, cause it would be scary if he wasn't. I almost got caught recently in a scam, and there aren't many more savvy than I. Got a call from a woman who was supposedly from Yahoo marketing and had seen my website. Offered to promote it in the search engine, $5 setup fee and .10 per click. (I checked it out later and Yahoo does have this exact special) Not a bad deal actually and she was VERY good at sales. Normally I see right through these a&&holes but this time I was in the middle of giving her my CC number for the $50 deposit to get it started and something went "ding" in my head. So I asked her to send me the info and I would gladly send a check out. She understood and agreed. 10 min later her "boss" called up and was very smooth in explaining how the deal was only good by using a CC, so they could keep up with the charges etc and he guaranteed the security etc... So I suggested that if they had a secure web server that I could go to that I could see in the address line was in fact Yahoo, that I could go there and put in my info, he tried for a few minutes to get me to give it over the phone but then agreed to send a link via email, nothing since... VERY SCARY, how close I came to screwing up. I'm usually the guy who points out the scams to my friends and family, an old GF of mine lost 1500 on an EBAY scam. Crime does pay.
__________________ Marine rescue, towing and salvage. Interfering with natural selection since 1983. www.tmishop.com Diving bits etc. www.seatowpdx.com The Summer Job |
| | #6 (permalink) |
| Bubbless Box of Death Current Rebreather/s: Home Build Other Rebreather/s: Home Build Join Date: Oct 2005 Location: Sunny Florida
Posts: 1,454
| Re: ebay fraud? Naw Webhead, that's ok. See, I build networks for a living... including IP ones. Two national ones so far, including the Network99 backbone (later bought by Aegis.) I know most of the tricks and have more-than-adequate defenses against them. My home PC doesn't have a direct network connection; there's a Unix machine between it and the outside world, and I don't read email in any of the graphical tools, precisely because of the "unsolicited code execution" issues. It's darn hard to get a text-mode program to run arbitrary code. The password wasn't stolen from another site. Stolen or cracked on eBAY, yes. But if the latter, it's their own damn fault too - you shouldn't get an infinite number of "guesses" (which a robot can do) before the account gets locked and an email dispatched. They also allow profile changes without notifying you to your registered email address, which makes this fraud easier to get away with. That's a no-no too. If you were notified that the scammer had turned off all your profile prefs so you don't get told when they list the hot stuff, you'd know instantly. They DO notify you on an email address or password change, so the bad guys don't usually do that. But this fraud would last 10 seconds if they notified you on any profile change. Never mind the "spoof" spam that shows up seconds from the time you list something (legitimately) for sale. How do the "bad guys" know you just listed something, and further, how do they get the registered email address from your eBAY account? In theory that's supposed to be translucent, and you can only ask eBAY for it if you're involved in a transaction (e.g. you've bid on the item.) So - they should not be able to do it other than via the eBAY "ask question" link - which makes your email address opaque to them. But they DO get it, and the spoofs invariably come from places like China and parts of Russia.... It's all about accountability and defenses - eBAY has almost none.
The easiest way to steal someone's login information is right off the target site's machines. It's also one of the hardest to detect.
__________________ "A venturesome minority will always be eager to get off on their own, and no obstacles should be placed in their path; let them take risks for Godsake, let them get lost, sunburnt, stranded, drowned, eaten by bears, buried alive under avalanches - that is the right and privilege of any free American." http://www.denninger.net http://www.diversunion.org/liability.htm - Fix the Diving Cert racket |
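
The two controls post #6 argues for (lock the account and send an email after a bounded number of failed guesses, and notify the registered address on any profile change), shown as an added Python example that is not part of the thread and not eBay's code. The class names, the threshold of 5 and the 15-minute window are assumptions, and `outbox` stands in for real email delivery.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5   # assumed lockout threshold (the thread gives no number)
WINDOW = 900       # assumed: seconds over which failed guesses are counted

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    prefs: dict = field(default_factory=dict)
    failures: list = field(default_factory=list)  # timestamps of bad guesses
    locked: bool = False

class AccountGuard:
    """Hypothetical login front end; outbox stands in for real email delivery."""

    def __init__(self):
        self.outbox = []  # (recipient, message) pairs

    def create(self, email: str, password: str) -> Account:
        salt = os.urandom(16)
        return Account(email, salt, _hash(password, salt))

    def login(self, acct: Account, password: str, now: float) -> bool:
        if acct.locked:  # stays locked until an out-of-band recovery step
            return False
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures.clear()
            return True
        acct.failures = [t for t in acct.failures if now - t < WINDOW] + [now]
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked = True
            self.outbox.append((acct.email, "locked after repeated failed logins"))
        return False

    def change_profile(self, acct: Account, key: str, value) -> None:
        notify = acct.email  # address registered BEFORE this change
        if key == "email":
            acct.email = value
        else:
            acct.prefs[key] = value
        # Every change is reported, including ones that switch notifications off,
        # so an intruder cannot silence the alert by editing the profile first.
        self.outbox.append((notify, f"profile field {key!r} was changed"))
```
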
| | #7 (permalink) |
| Earning the green stuff.. Current Rebreather/s: | Re: ebay fraud? I'm glad the networks you build are IP ones. The other ones are a real pain in the a$%#. Do we still support IPX? So I'm guessing that your UNIX box, or is it LINUX, is running NAT for you, along with other fw software. Definitely better than a lot I've seen or heard about. So safe to assume that there are no keystroke loggers, spyware, file sharing software (i.e. kazaa and limewire) running on your system. Being in the business, you know then that tracking down, stopping and much less prosecuting people in China and Russia is very difficult. But if ebay is involved with them, that changes things. Have you documented your evidence and submitted it to the secret service or FBI? I'm really looking forward to meeting you later this month when my friends and I come up to dive the Oriskany. One friend will talk your ear off on the subject and turn you into a vmware user, if you're not one already.
__________________ "These are not the droids you are looking for.... move along" - Obi-Wan Kenobi |
| | #8 (permalink) |
| Earning the green stuff.. Current Rebreather/s: | Re: ebay fraud? Ron, Thanks for words of support (they are words of support, right?) Glad to hear that you were able to dodge that bullet. It never stops surprising me the stuff that these #$^$ scammers come up with to steal money. If they put half their efforts towards legal and productive efforts, they'd probably have 2x that money and not have to run from Johnny Law. I'm curious how your friend lost the $$$. Did he use paypal? Was he buying or selling? What was ebay's response (as if we don't know)? It is very frustrating to see this stuff go on and see so little action being taken to stop and prevent it. And it's not like the technology doesn't exist. It just needs to be used.
__________________ "These are not the droids you are looking for.... move along" - Obi-Wan Kenobi |
| | #9 (permalink) |
| Bubbless Box of Death Current Rebreather/s: Home Build Other Rebreather/s: Home Build Join Date: Oct 2005 Location: Sunny Florida
Posts: 1,454
| Re: ebay fraud?
Quote: (Originally Posted by webhead) I'm glad the networks you build are IP ones. The other ones are a real pain in the a$%#. Do we still support IPX?
I don't.
Quote: So I'm guessing that your UNIX box, or is it LINUX, is running NAT for you, along with other fw software. Definitely better than a lot I've seen or heard about. So safe to assume that there is no key stroke loggers, spyware, file sharing software (i.e. kazaa and limewire) running on your system.
Correct. The fileserver here (which also runs my forum code, entirely written in "C") is responsible for all of this. It's running FreeBSD, which is much more secure than Linux "out of box". There's a VERY restrictive set of firewall rules on there along with the NAT translation. If something tries to transmit something that it shouldn't (because some kind of game-playing code got loaded somehow on my PC) it'll get flagged and the transmission won't go through. The gateway machine takes thousands of penetration attempts daily (mostly SSH and FTPD attacks), all of which make very nice log entries, along with somewhere north of 1500 spam/spoof email attempts (none of which get into my actual email box.) Most come from China and Russia, although occasionally an attempt comes from a US site and I get REAL aggressive about tracking it down - occasionally with some success. Unfortunately the usual answer ends up being that someone's machine was hijacked.... by someone in China!
Quote: Being in the business, you know then that tracking down, stopping and much less prosecuting people in China and Russia is very difficult. But if ebay is involved with them, that changes things. Have you documented your evidence and submitted it to the secret service or FBI?
Not yet. The problem is that correlation does not equal causation, and getting the SS or the FBI interested requires the latter.
I used to deal with those guys all the time when I ran my ISP and even when we had causation documented they were frequently not interested. On multiple occasions we were able to pinpoint certain attacks as my firm was a "full peer" and thus had access to the BGP routing table entries - didn't matter to those guys. They'd look at a single attack as "not worth their time", even though the PATTERN would certainly add up to enough to matter. There's a pattern of abusive practices here that is very troubling, and the easy way to dismiss it all is that "someone clicked a link that stole their password", usually by a spoof email. That's all fine and well as an answer until it happens to someone like me - who doesn't get the spoofs as they're all trapped and tossed, and what's worse, the email I do read all happens on SecureCRT (a terminal program that runs over SSHv2) - you can't click those links as they're all text and not links! I'm convinced that the penetration happened internally in this specific case. I can't prove it, but I'm convinced nonetheless. Consider how much money the Russian Mafia would pay someone to stick a little trojan somewhere internally in either of those firms....how hard would it be to snoop the traffic on their internal network with an interface in promiscuous mode? Not very! BTW a few months ago one of my credit cards was added to a PayPal account (not mine) and used to charge a few things. PayPal was totally disinterested in fixing that until I charged it back via the issuer. That card number had to have been stolen from a merchant, because it had NEVER been on either PayPal or eBAY's site. I download all my transaction data and saw the charges within a couple of days, and immediately called Amex and cancelled the card. BUT - here's the troubling part - I have a PayPal account. That means they have my address on file.
So when the card was added to the FRAUDULENT account, they should have caught it when they ran the AVS screen at the time it was added, since it's against their rules to have more than one personal account with them. They did not, and in fact did nothing about the theft until I contacted THEM, which took over an hour and required my using a "backdoor" phone number I have for them to get them on the phone. Then they played games with me on the phone claiming they needed me to send them an "affidavit". That's clearly bogus and I told them to stuff it where the sun does not shine - the simple solution was for me to charge it back through the issuer of the card as fraudulent since it was not associated to my account. Amex gleefully did so, and magically, PayPal took care of it - after I snatched the money out of their hands. The RIGHT THING for PayPal to do would have been to deny the add in the first place, or when they detected the fraud (they claimed to have done so) immediately credit back the bogus charges to me. Instead, they decided to sit on the money for as long as possible. PayPal gets away with this because they're not a bank and thus not regulated as a bank. That needs to change; were they regulated as a financial institution all THEIR game-playing would disappear. eBAY gets away with it because they claim to be only a "facilitator" and thus not a financial institution at all. I'm not quite sure how to change that one, because there is really no set of laws that says they have to act in a responsible manner when it comes to things like this, since ultimately you're not held responsible for the charges (that is, you suffer no damage.)
Quote: I'm really looking forward to meeting you later this month when my friends and I come up to dive the Oriskany. One friend will talk your ear off on the subject and turn you into a vmware user, if you're not one already.
I doubt it.... but he's welcome to try....
__________________ "A venturesome minority will always be eager to get off on their own, and no obstacles should be placed in their path; let them take risks for Godsake, let them get lost, sunburnt, stranded, drowned, eaten by bears, buried alive under avalanches - that is the right and privilege of any free American." http://www.denninger.net http://www.diversunion.org/liability.htm - Fix the Diving Cert racket Last edited by Genesis : 3rd August 2006 at 15:48. |
| | #10 (permalink) |
| Earning the green stuff.. Current Rebreather/s: | Re: ebay fraud?
Quote: (Originally Posted by Genesis) Their system noticed the problem and locked my password but did not remove the listings until I got ahold of them - and changed/recovered the password. They DID remove the listings and credit my account, so other than the hassle, this cost me nothing.
After consulting with a friend on this, I'm curious to know... are you 100% sure the message to reset your password was from ebay/paypal or was it a phishing message? Was the address ebay.com or ebays.com? Did you reset your password online right then?
__________________ "These are not the droids you are looking for.... move along" - Obi-Wan Kenobi |