Posted for general awareness. Be VERY careful when doing any business on eBay!!
An anatomy of an eBay fraud #ebayfail (vny!://blog.stodge.org/463) - vny!://blog.stodge.org/

The eBay scam I reported last week seems to have moved into a second, more sinister phase:

I'm no longer receiving the deluge of calls from befuddled eBay members. Unfortunately I'm getting a bunch of calls from irate eBayers asking me where the item I'd just sold them was. Somebody is sending faked eBay emails pretending to be me, demanding money in return for items which may have been sold on eBay.

A few minutes ago I received a text message from an eBay buyer asking when I'd be sending the filing cabinets he'd just bought. Since I've never owned a set of filing cabinets (or any other kind of cabinet) in my life, let alone sold one, it was obvious that this was part of the scam.

"Hi, I've been sending e-mails leaving voicemails but unable to get a reply. Would XXX please return a call to YYYY on ZZZZ ref the filing cabinets, Thank You"

I called the victim: Apparently he'd received an email purportedly from eBay claiming that he'd won an item that he'd bid on and that he was to send money via CMNGT* to a particular account ... which unfortunately he had already done. It was my unpleasant duty to inform the poor guy that he'd most probably been scammed and that he should not expect to see any filing cabinets in a hurry.

So what's happening here: The scammers appear to be scraping eBay's pages to find the eBay IDs of the person who won an item... it does not matter which item since they have no intent to actually send it. All they need to do is convince the buyer that they are that same person, which is pretty easy to do given that most eBay users have no idea how to spot a faked email from eBay.

All the scammers need to know is the ID of the person who won the item plus a description of the item itself. Both of these can be scraped from eBay's web-pages with minimal effort. The clever part of the trick is that they send a faked email which appears to come from eBay advising the victim to send the funds to a completely different CMNGT* account. Presumably this CMNGT* account dumps funds into a current account which has previously been compromised.

This is perfect social engineering: The scammer does not even need to impersonate the seller. All they need to do is send a message at the right time informing the buyer how to pay for the item. Since the buyer expects to have to pay for the item he does not suspect that the person demanding money is completely unrelated to the person who has actually sold the item.

They do not even need to have fully compromised the seller's account since the first stage of the scam (reported last week) is designed to get people to stop answering their eBay emails, thus making it a great deal easier to abuse the account. All they have to do is give an eBay ID which they know is inactive.

That's where I come in. Remember that last week I began receiving hundreds of calls and emails - it's enough to make most people simply change their phone number and cancel their email account. That's a very good way to guarantee that an eBay account is inactive.

What have I learnt from this:

- I'm never going to give away my phone number on eBay auctions. From now on I will use a Skype number. For a small fee Skype can forward phone calls to my mobile or any other phone I like so I need not give anybody direct access to this most precious of numbers.
- Secondly I'm going to set up a special disposable email account exclusively for eBay use. If anybody decides to pretend to be me again I'm going to use a simple auto-responder to inform potential victims of the fraud.