Sunday, December 17, 2006

ebaY Insider Hijack Scam?

ebaY Insider Hijack Scam?
Sat 16 Dec 06

On Tuesday 12 Dec 2006 we received an email from a subscriber, describing how his ebaY selling account had been hijacked, and was being used to sell BAPE Hoody shirts. There were many interesting elements of this hijacking, different from those we have seen in the past. Upon seeing items he had not listed, the legitimate account holder, let's call him Jack, removed the listings and changed his password on the account. In addition he found that all his email notification preferences had been set to NO. He set them back to YES. By lunch time, the fake items were back, so this time using a work computer, Jack changed his ebaY password again. This made no difference and the items reappeared.

Jack's home computer is firewalled and has a full complement of detection software installed and active. He is a savvy user well versed in phishing, and has not responded in a long time to any ebaY "second chance" offers. He has not logged in to ebaY via any channel but his own links, and he has not filled in any pop up sign in request. Jack's work computer is on a very secure system, as he works in an industry where online security is paramount. He did not fall for a scam, have his computer invaded, have his identity stolen or compromised.

In trying to analyze what was going on, it appeared that the hijacker or hijackers had to have access to accounts independent of passwords, and have the ability to set account parameters so the legit account holder would not know what was going on. If this is so, it either points to someone working inside ebaY, or to a security hole so big, you can drive a tractor trailer through it. Neither situation is tolerable.

Searching ebaY for BAPE Hoody, brought up 140 pages of one day listings. All the one day listings were on hijacked accounts, and the hijacked accounts were used in groups by the first letter, so accounts with very high (usually 100%) feedback, starting with the letters G, H, I, J were in great evidence. The accounts were US accounts, but in reading the description, certain phrases would indicate that English was not the scammers first language. A check of the feedback would show the legitimate account holder as being a buyer only, or a seller of items not including designer clothing, or any clothing for that matter. Many accounts had been inactive for many months or years.

We did a buy it now on one item that was evidently on a hijacked account. We pulled the account holder's contact info, and it all appeared legitimate via a white pages check. We checked their email address against their PayPal address on PayPal, and that too appeared legitimate. The scammer never contacted us for payment, so we don't know how that part of the scam would have worked. Other emails with questions sent to the scammers by the folks helping us with this investigation, yielded answers such as "yes, if you buy two items ,you only pay them with 150USD .thanks" and "to you address total pay only US160.00" again suggesting that English was not their first language, and that the scammer had access to emails sent through the ebaY system. We tried another two BINs, but never heard from the scammer, despite repeated requests for payment information. The net result is, we don't know how the scammer worked this so that they received the payment rather than the legitimate account holder. We did eventually receive an email from the legitimate account holder on the last two BINs we did, saying their account was hijacked and not to make payment.

These items continued to be listed every day, with ebaY only shutting down a small percentage of them. If this is an ebaY insider job, TAG is baffled as to why they haven't tracked this to the source and shut it down.

As a matter of interest, some of the images have been tracked to this source whose domain is registered in Beijing, China - -

This story is ongoing, so we will update it as we find more information.


Scat said...

I was also a victim of this hijacking. There were 50 Bape Hoody shirts for sale on my account. eBay removed the items before I was aware of the problem, and notified me via an alert.

Like "Jack", my home computer is firewalled and I have all the latest detection software current and running. I work in IT for a major bank, and am well versed on security issues and how to spot and avoid them.

I notice as of this posting that there are currently over 3200 of these same shirts for sale on eBay. Most of them have shipping charges exceeding $30. A check of the sellers indicates that the majority of these accounts have also been hijacked. A search of completed items for the shirts is currently over 21,000 items; again, most appear to be fraudulent.

I, too, wonder how long eBay will continue to list these items...

Anonymous said...

I was victim of the hoodie hijack as well. (perfect feedback). I have over 10 yrs of programming experience and know the security game. I had a strong complex password, current Norton & spyware running, tight firewall, no phishing, etc. My thinking is that something wierd (ie. big hole) is going on with their system. Thank goodness they caught it quickly. Very disturbing however.