Saturday, October 27, 2007

A Solution to Get Fraudulent Listings Removed From ebaY FAST

ebaY has always lied about screening their listings to prevent fraud prior to indexing them to the site. It was a good-sounding PR story to cover their asses for their lousy indexing times, but obviously false, since anyone outside ebaY can do a simple search for whatever is the scammer keyword of the day and find hundreds and even thousands of fraud listings.

It is also obvious that ebaY will not now or ever hire the personnel they need to actually monitor their site, unless forced to by the courts or legislation.

Well we have come up with the solution for ebaY. (ebaY - when you read this please note the copyright - We would be glad if you implemented this idea, if you PAY us for it!)

In a nutshell - ebaY should pay their users a bounty for finding fraudulent listings.

To implement it -
1. Set up a live chat category where you have to log in, for reporting fraudulent listings (this is fraud only - not legit listings that might contain a violation of ebaY rules)
2. For every user ID an ebaY user turns in that has a visible fraudulent listing (redirects, overlays, hijacked accounts), ebaY pays the user (we suggest $25, but maybe they should start with $10, then increase as the incidence of fraud diminishes). If ebaY wanted to be really cheap, they could make the money a non-expiring coupon only good for use on ebaY via PayPal (to buy items or pay seller fees) - in that way it would be fake money, not really costing ebaY much of anything in real dollars.
3. ebaY would "pay" every user who reports the user ID, and that would be valid until ebaY closes down the fraudulent listings posted by that ID so they were no longer visible on the site. This would motivate ebaY to use trained personnel for this special reporting board, who can recognize fraud when they see it, and close it down ASAP, rather than letting it run for hours, days, weeks, months, like they do now. The user reporting the items can take time-stamped screenshots of their chat and of the ID reported with items showing, to keep track of and prove they made a legit report - just in case ebaY tries to welch out.
4. At the end of the year ebaY could award a real money or stock bonus to the top fraud beaters - those who turned in the most accounts being used for fraud. Great PR.

This benefits ebaY in so many ways it is hard to fathom why they would not do it.

1. They already have the structure for reporting in place.
2. This would get the reports of such items off ebaY's chat/discussion boards, and probably off most of the off ebaY chat boards, as folks would have a reason to report them first BEFORE posting them in the public eye. If ebaY did this correctly, those listings would be gone - both before they could be seen AND before anyone could get taken.
3. Not only would the cost of this be minimal (paying a pittance to users rather than having to actually hire personnel), but they could use it as an actual example of both working with their community and actively combating fraud on their site - rather than just giving lip service to both. ebaY CLAIMS that fraud is less than one hundredth of one percent on their site - so just think how little this would cost them for so many tangible benefits.
4. This would clean up such fraudulent listings FAST. Currently ebaY tends to punish (threaten and suspend) users who report too much fraud, especially those who post about it on the ebaY chat boards. This generates lots of hostility, and is self defeating for ebaY, generating plenty of bad press. This idea eliminates all those negative factors.

ebaY - get moving! You know TAG's phone number, call and we can negotiate a price for this idea!

Wednesday, October 17, 2007

Looks as if ebaY is testing a customer service phone number being made available to "regular" users. The message shows up in My ebaY. The person who received this message is a casual user of ebaY, who buys and sells once in a while.
-------------------
Dear users name (user ID):

As one of our most loyal and active members, your membership status entitles you to a toll-free telephone number to contact eBay's customer service directly.

We're here to help if you need us, so the next time you need assistance from eBay, you can give us a call:

800-717-EBAY (800-717-3229)

This phone number is only for members like you who have been invited to
participate, so please be ready to provide your member ID when you call.

We appreciate your choice to use eBay and look forward to helping you make the most of your shopping experience. Please call us if you ever need a hand.

Sincerely,

eBay Customer Support

P.S. From time to time, if we notice you are having an issue with a transaction or a problem with your account, we may proactively try to reach you. Please help us provide the best possible service--make sure we have your correct contact phone number: www.ebay.com/UpdateContact
------------------
If you are not on their "list" they hang up on you.

Of course, under the "will ebaY never learn" category, ebaY has a clickable link in the message that takes you to a redirected ebaY log in page. Is this an early holiday gift for the scammer set, who are sure to mimic the message for phishing? ebaY NEVER seems to learn from their prior mistakes. TAG guesses that ebaY feels their My ebaY and My Messages system is secure, though those of us who follow ebaY know that NOTHING is secure on ebaY. By putting a clickable link in what we are assuming (a dangerous thing to do) is a legitimate message, ebaY opens another door for the scammers to exploit and just facilitates them.
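The point above, that a genuine message carrying a login link trains users to click the same thing in a forged one, is easier to see with a concrete check. The following Python snippet is an added example (not part of the original post and not eBay's code): it treats any link that leaves the trusted domain, carries another URL in a query parameter (a redirect), or lands on a login page as a phishing indicator. The trusted domain `ebay.com`, the `redirect?u=` pattern, and the three sample messages are constructed assumptions, not eBay's real URL scheme.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption for this example: the only domain a genuine eBay message should link to.
TRUSTED_DOMAINS = ("ebay.com",)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOGIN_PATH_RE = re.compile(r"(sign[-_]?in|log[-_]?in)", re.IGNORECASE)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for the trusted domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_link(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link in a message deserves suspicion (empty = none)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        reasons.append("not https")
    if not host_is_trusted(parsed.hostname, trusted):
        reasons.append("host %r is outside the trusted domains" % parsed.hostname)
    # A query value that is itself a URL to another host is the open-redirect
    # pattern: the trusted host forwards the click somewhere else.
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            if URL_RE.match(value):
                target = urlparse(value).hostname
                if not host_is_trusted(target, trusted):
                    reasons.append("parameter %r redirects to %r" % (key, target))
    if LOGIN_PATH_RE.search(parsed.path or ""):
        reasons.append("link leads to a login page")
    return reasons


def scan_message(text, trusted=TRUSTED_DOMAINS):
    """Map every link found in a message body to its list of suspicion reasons."""
    findings = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        findings[url] = assess_link(url, trusted)
    return findings


# Constructed sample messages (not real eBay mail).
GENUINE = "Please make sure we have your correct contact phone number: https://www.ebay.com/UpdateContact"
LOOKALIKE = "Your account is limited. Sign in at http://ebay.com.login-verify.example/signin now."
REDIRECT = "Confirm here: https://www.ebay.com/redirect?u=http://login.example/signin"

if __name__ == "__main__":
    for msg in (GENUINE, LOOKALIKE, REDIRECT):
        for url, reasons in scan_message(msg).items():
            print(url, "->", reasons or ["no indicators"])
```

The lookalike host fails the suffix test because `ebay.com.login-verify.example` neither equals nor ends in `.ebay.com`; the redirect case is flagged even though its visible host is the trusted one, which is exactly why a login link in an otherwise legitimate message is a poor habit to teach users.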

Wednesday, September 26, 2007

Has YOUR ebaY Account Been Compromised?

On Tuesday 25 Sep 2007 at 5:42 AM ebaY time, a hacker posted 29 to 50 pages of ebaY user information on the ebaY Trust and Safety discussion board (at approx 40 threads per page that is between 1100 and 2000 user IDs). The information was posted by using the user ID and account of the user whose information was posted, and included the ebaY user ID, email address, phone, name, street, city, state, zip, country, feedback info, what site they registered on, user status, powerseller status, payment method they used to pay ebaY, credit card number (with expiration date), credit card CVV2 code (the three digit security code on the back of the card), whether they are id verified, if they have an ebaY store and which site that is registered on, and if they are PayPal verified or not verified. The threads that contained the info also had a signature at the bottom of the post - SGI Inc. - emocnI gnitareneG rof snoituloS (Solutions for Generating Income spelled backwards) SGI Inc. is the company name used by Vladuz, a hacker who has demonstrated that he has the ability to access ebaY databases.

This first image shows the ebaY Trust and Safety discussion board thread list, with a detail of the thread listings.


The next image is the actual thread page you saw when clicking on the thread link from the previous image. We have masked parts of the info to protect the innocent.

Note the Vladuz signature on the bottom line.
For more screen shots of the pages, please go to
TAG CHAT

After around 90 minutes of exposure, at around 7:15 AM, ebaY shut down the Trust and Safety board, after first trying to remove the thread posts one at a time (the hacker was faster at posting than ebaY was at removing). One poster on the board discussing this incident, who saw the information, ran one of the credit card numbers posted through his merchant account verification, and it came back correct. Other posters said the CC info was not correct. Board posters got screenshots and compiled a list of user IDs so folks could check to see if their user ID was posted. When one board poster put the list on her ebaY Me page, ebaY removed the page and gave her a pink slap (an official violation notice with the threat of suspension).

We have a list of the IDs we have compiled from some of the screen shots we had access to and those lists posted by other folks on various boards (including ebaY's) around the net. You can view the list we compiled at this link. This list is NOT complete as it is believed there were over 1500 user IDs posted.
Compromised ID List


The first ebaY responses were posted on their discussion boards, and then removed, and were an obvious effort to cover themselves. Xavier's posts were removed soon after they were posted.

xman@ebay.com View Listings | Report 26-09-07 00:31 EST 58 of 61
Hi all, we're looking into why this happened however I've confirmed with the US teams that the credit card information was indeed false for all the accounts.

Looks like it only affected that 1 US Board but the engineers are diligently working to ensure this won't ever happen again.
Xavier
The eBay Team
-------------------
xman@ebay.com View Listings | Report 26-09-07 00:47 EST 82 of 88
The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator.
Xavier
The eBay Team
---------------
Trust & Safety forums issue this morning

Posted by eBay Chatter on September 25, 2007 at 02:15 PM in General | Permalink

Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.

The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

I'll update this story later as we have more to share.
----------------

Various ebaY spokespersons also made statements to various press inquiries, and to calls from power sellers etc., that this was a hoax, that the information had been posted by a disgruntled user with access to the API, that the information was not valid, that the credit card numbers were not real and, if they were real, they did not come from ebaY's database and were unrelated to info on ebaY. ebaY also said the information was real but had been phished from users off ebaY (this is ebaY's favorite excuse for security breaches even though it has been proven to be false on many occasions). What ebaY did not do (and still has not done) was post anything on the announcement board informing users of the problem and warning them to watch their accounts and charge cards for possible breaches. Users have reported that ebaY has been making calls to those whose information was posted, to inform them of the breach. This is required by California law whenever a breach of user information occurs.

With all the rumor, hearsay and damage control going on, there are still some hard facts that need to be looked at:

Fact 1 - Someone had the ability to post on ebaY's boards with the user ID and account of another person. This takes having an ebaY password for the account, or the ability to access and use accounts without passwords. This person was able to post threads at a rate of speed faster than ebaY's ability to remove the threads, leading them to have to shut down the Trust and Safety board completely.

Fact 2 - TAG had access to a small arbitrary sampling of the user account pages posted and checked what information we could against what is available to ebaY and PayPal users, and to those using the internet. Here is what we found:

* The User ID, email address, date registered, whether they had a store or not, and feedback numbers registered/shown on ebaY matched 100% of the time
* The PayPal information as to the user having a verified account or not was correct for 83% of the users
* The ebaY ID verified information was correct for 83% of the users
* When a reverse lookup online was used on the phone numbers to check the name/addresses listed, 33% did not match the name or address, 50% were unlisted so were unavailable to check, and 17% were correct for the info shown
* When an address check was run using the white pages online with the name given, 66% of the information did not match, 17% were correct and 17% were listed as unavailable

We could not check the credit card numbers, and decided these people had probably been harassed enough about this, so we would not call them directly to ask them to verify. But, if you are one of the people whose accounts were posted and your credit card info does match that shown on the ebaY T&S board, and particularly if that information is the information used on ebaY's site, please feel free to contact us and let us know and we will update this information here.

Fact 3 - ebaY always chooses to lie, cover their back and waffle rather than coming out and telling the truth, whether that truth is that they just don't know what happened or how, or that their system had been compromised in some way (which it evidently had been in at least some manner - see fact 1). They lie so readily and frequently that it is impossible to believe anything they say.

Fact 4 - evidence of problems with ebaY's system can be seen via the hundreds and thousands of scam listings posted on ebaY every day. Though the furor of reporting about this has fizzled out since the mass of Vladuz reporting earlier this year, the incidence of these listings is an every day occurrence on ebaY.

Since ebaY obviously does not know how deep this problem goes, it is possible that ALL user information on the ebaY site has been breached. If you have ever used ebaY and have any sensitive information recorded on the site, such as credit card or bank account information, you need to monitor your accounts for possible problems. Unfortunately, ebaY is not the only vulnerable site, online or off, so regular checks of your credit card bills and bank accounts should now be a way of life; individuals MUST make this part of their usual routines. The other thing that is abundantly clear in all this is that ebaY is NOT secure, even if we consider only the user ID and email address data that ebaY is so adamant about hiding from users, but obviously not from scammers. Then again, ebaY's lack of secure systems has been obvious since we first reported on the activities of Vladuz and the Chinese hackers, 11 months ago.

Assistance with this article needs to be credited to
Doc at EBAY MOTORS SUCKS - this is a good board to check for the day to day hacker listings on ebaY and especially for anything going on at ebaY Motors
The posters on the ebaY Seller Central Discussion Board
The posters on the ebaY AU Discussion Boards
And several ebaY users with the guts to post User ID lists on and off ebaY, so they were available to all ebaY users despite ebaY's efforts to hide as much information as possible.

Want to assist TAG in continuing its work? Sign up for a voluntary subscription to TAGnotes, and provide support that will keep information coming to your email boxes and the lights on at our websites. To purchase a voluntary subscription, click on the button that follows.

Tuesday, July 03, 2007

Consumer Reports Aug 07 on ebaY

CR did a report on ebaY for their August Issue. Though it obviously did not have all the right questions to ask, it did have some interesting results.
Read ebaY Report

HALF (yes that is 50%) of buyers, said they had been "deceived" by the seller in some way, from not as described to outright fraud.

40% (which gives ebaY a positive feedback rating of 60 out of 100%) said ebaY's customer service in providing help was fair (neutral) or poor (negative). Well that DEFINITELY puts ebaY in the suspended category according to their own system - much lower than the lowest 5% on their site! And that was just from buyers - can you imagine what it would have been from sellers?

Wednesday, June 27, 2007

New Online Auction & Trading Industry Discussion Board

Join up to freely discuss the industry on our chat/discussion board at www.tagchat-oai.com

ebaY Hypocrisy Reaches New High

In the aftermath of ebaY Live in Boston, ebaY has implemented a plan they feel will improve the "buyer experience" on ebaY. Whilst the general idea behind this plan may not be too faulty - though it IS in contradiction to ebaY's venue only policy in their user agreement - as always, ebaY's implementation is obscene.

What ebaY is doing is suspending some sellers who have complaints from buyers. ebaY is not looking at the complaints to see if they are legitimate, just giving the seller a 7 to 14 day suspension with the threat of permanent suspension if the seller does not go back and fix the problems, and refrain from having further problems. So, if the complaint is from a deadbeat buyer, who did not receive the item because they did not pay for it, this counts against the seller. If the complaint is from a thief who refuses to return the item but still wants a full refund, this counts against the seller. If the complaint is about a flaw in an item, even if the flaw was stated in the description, the complaint still counts against the seller. If the complaint is from a buyer who tries to use the rating or complaint system to blackmail the seller into selling them something at a ridiculously low price, the complaint still counts against the seller. If the complaint is from a buyer who wants the seller to do something illegal, such as falsify customs forms, the complaint counts against the seller. This is obscene, and should definitely be investigated as grounds for a class action lawsuit against ebaY, or at the least an investigation by State Attorneys General.

ebaY says "eBay will consider the circumstances of an alleged policy violation and the user's trading record before taking action." and "If a complaint can't be proven with certainty, eBay may take no action." Both statements are lies, as ebaY does no investigating and ignores emails from sellers trying to explain the situation. ebaY also says, "Further, sellers are expected to perform in a manner that results in a consistently high level of buyer satisfaction. If a seller's interactions with the eBay Community create unacceptable levels of buyer dissatisfaction, that seller has violated this policy." As with many ebaY policies (written and unwritten), what is considered an acceptable level is kept a double super secret, because the knowledge might lead to seller abuse of the system (huh?). In truth the reason ebaY keeps such information secret is so that there is no one standard everyone has to follow, and ebaY can assign an arbitrary figure to suit their needs. As always, there is no one at ebaY the seller can contact to get such issues resolved. ebaY ignores emails, sends canned automated answers, and as usual, slams the door in the seller's face, even if ebaY is completely wrong in their action.

There are many many large sellers, whose accounts far exceed these arbitrary negative ratings, yet those accounts remain active and untouched by ebaY. The sellers we have been hearing from report that they are told they are in the "lowest 2% of buyer satisfaction" or have a 5% negative rating in the last X number of days (with X also varying to fit ebaY's needs).

Of course the ultimate hypocrisy lies in ebaY's satisfaction rating from their customers, the sellers. TAG wagers that ebaY's rating would be lucky to exceed 50% satisfaction, and definitely would not be close to 95% satisfactory. ebaY should shut itself down, based on its own standard, but then hypocrisy and lies are what ebaY, the company, is all about.

Thursday, March 15, 2007

Is ebaY Holding the Smoking Gun?

The Preponderance of the Facts Show That ebaY is Holding The Smoking Gun
14 March 2007

It must be pretty obvious to our readers that TAG has been convinced for quite a while that ebaY is lying when they say Vladuz - and by extrapolation the Chinese hijacker/counterfeiters - has no access to ebaY other than through the phishing that takes place off ebaY. Only ebaY knows the whole truth, and all TAG, being on the outside, can do is use our 10-year intimate knowledge of ebaY and theorize on what we can observe. ebaY says that their site is secure and that no one has accessed their back end, as TAG has theorized. They told TAG that it is a FACT that no one has direct access to ebaY:

" We can hopefully address your 'concerns about the Vladuz problem' with the facts below."

" There is no way of gaining access to our internal networks without a securid token issued by IT."

"At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed."

"No one can access a user account without a password"

We already know, for a FACT (a real one, not an ebaY corprobabblespeak one), that the following "fact" is a lie:

" Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts."

since Vladuz posted on the boards today, using ebaY employee accounts, for the fourth time since he was shut out of that "small number of employee email accounts." Can there be so many gullible ebaY employees falling for phishing scams, and doing so whilst this massive attack against the ebaY site is going on?

What is most interesting about today's postings however, is that the account hijacks appear to have finally provided the smoking gun, with ebaY's fingerprints on it. Possibly irrefutable proof that ebaY is lying, that their site has been compromised, and that the back door is wide open.

Today, one of the accounts Vladuz used, under the User ID Vladuz-Unleashed, is an account for an ebaY employee, kelbel@ebay.com.


kelbel@ebay.com has what appears to be a test ebaY shop.


Though kelbel@ebay.com has only one (1) feedback from another ebaY employee, kelbel has a power seller logo.

It is fairly obvious that kelbel@ebay.com is not a real person, but an account created by ebaY to run whatever various tests and experiments they feel they need. ebaY has lots of things they test, so this is just another one of them. BUT, if there is no real person named kelbel@ebay.com HOW did that non-existent person fall for a phishing scheme that allowed "his" information to be added to a phishing database? And if the account was hijacked without such access, then ebaY is lying about all of their alleged facts, and about phishing being the road to access to all these hijacked accounts, ebaY's and everyone else's.

At what point do ebaY's lies become criminal activity? At what point do they become liable for what is going on? They might already be violating the California law that requires them to contact California account holders when their ebaY accounts are compromised through access to ebaY's servers. What other laws are they breaking? Customer trust is eroding fast; will stockholder trust be far behind?

Tuesday, March 13, 2007

Whitman Fiddles as ebaY Burns

13 Mar 2007

Whilst Meg Whitman stood and played her fiddle at the Visa Security Summit, confidence in ebaY's security continued to burn to the ground. Adding fuel to the fire is Vladuz, defeating every ebaY effort to keep him from posting as an ebaY employee on ebaY's boards.

Meg Whitman blamed everyone but ebaY for the huge security hole that has made ebaY the plaything of Chinese hijackers, selling their counterfeit merchandise to the markets ebaY attempted, and failed, to deny them. Meg Whitman blamed Microsoft, Yahoo, the victims of the hijacks, Vladuz and probably The Auction Guild, for the flaws that are no doubt the fault of ebaY's bloated, patched, corrupt and insecure coding. She thinks every other company but ebaY should spend their dollars, hire personnel, fix their security, and build tools for ebaY to use for free, so that ebaY users can't get scammed, while user confidence in ebaY continues to turn to ash. She does not mention, and definitely won't implement, even the most basic things that ebaY could do to assist themselves in curtailing their own problems (more on this later). Meg Whitman does not want to spend a penny, as that might adversely affect ebaY's ability to continually fool potential ebaY stock buyers that ebaY is a good investment, and a safe and fun place to sell and buy merchandise. There should be no misconception. ebaY is not safe and secure, has not been able to secure their own site, and potential investors should not waste their money on ebaY stock until ebaY demonstrates the ability to secure the site.

ebaY keeps saying that Vladuz had a one time access to an employee account that contained old screenshots, and that ebaY shut his access down. Yet for the third time since he was allegedly shut down, Vladuz again posted to the ebaY Germany and US boards today, with an ebaY employee account.


A search of the ID yielded the following screenshots, showing the poster's profile and user ID history.


In and of itself, access to ebaY employee accounts is possibly not important. But the fact that ebaY can't secure even their own employee accounts is definitely indicative of more serious security flaws. These other security flaws are being demonstrated by Chinese counterfeiters listing upwards of 3 million items each and every day on ebaY, using fresh cherry picked accounts each time. The counterfeiters are also receiving payment through PayPal, and TAG wonders if ebaY continues to allow this, since this is the only money ebaY is earning on the transactions. Since the listings are on hijacked accounts, ebaY is not making anything in listing or final value fees, but PayPal takes its cut before the money is sent to the account holder.

Other indications of security flaws are the ability to override ebaY's listing parameters. Scammers and counterfeiters have been able to list items with titles longer than ebaY allows, add information to running legitimate listings, list items on NARU accounts (no longer a registered user: closed or suspended accounts), list items on accounts that are only set up for buying (buyer and seller accounts require different financial information), access accounts without having the password, and sell hundreds of items on accounts that don't meet the criteria for use of certain functions such as Buy It Now. In addition, the listings appear to index in search immediately, long before normal listings do. All these are indicators that the scammers and counterfeiters have a level of access, and an ability to manipulate the ebaY system, far beyond what they would have if they had only hijacked a regular user's account via a password stolen by phishing. ebaY needs to explain how these things are happening, if all the blame is to fall on ebaY users.
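Every anomaly in the paragraph above (over-long titles, listings on NARU or buyer-only accounts, Buy It Now on ineligible accounts, edits to someone else's running listing) is a rule that only holds if the server re-checks it on every request rather than relying on the listing form. The following Python is an added example, not eBay's code: the title limit, the feedback threshold for Buy It Now, the set of offered durations, the account fields and the sample records are all constructed assumptions for illustration. It shows a server-side gate that evaluates each rule against the authenticated session, so a client that skips the form's checks gains nothing.

```python
from dataclasses import dataclass

# Assumed site rules, constructed for this example (not ebaY's real limits).
MAX_TITLE_LEN = 55          # longest title the listing form is supposed to permit
BIN_MIN_FEEDBACK = 10       # minimum feedback score before Buy It Now is allowed
ALLOWED_DURATIONS = (3, 5, 7, 10)   # 1-day listings deliberately not offered


@dataclass(frozen=True)
class Account:
    user_id: str
    status: str            # "active" or "naru" (no longer a registered user)
    seller_enabled: bool   # buyer-only accounts never supplied seller financial details
    feedback: int


@dataclass(frozen=True)
class ListingRequest:
    seller_id: str         # as submitted by the client; never trusted on its own
    title: str
    duration_days: int
    buy_it_now: bool


def validate_new_listing(session_account: Account, req: ListingRequest) -> list:
    """Re-evaluate every listing rule against the authenticated session account.
    Returns the list of violations; an empty list means the listing may proceed."""
    problems = []
    if req.seller_id != session_account.user_id:
        problems.append("seller_id does not match the authenticated account")
    if session_account.status != "active":
        problems.append("account status is %r; listing refused" % session_account.status)
    if not session_account.seller_enabled:
        problems.append("account is buyer-only")
    if len(req.title) > MAX_TITLE_LEN:
        problems.append("title is %d characters, limit is %d" % (len(req.title), MAX_TITLE_LEN))
    if req.duration_days not in ALLOWED_DURATIONS:
        problems.append("duration %d days is not offered" % req.duration_days)
    if req.buy_it_now and session_account.feedback < BIN_MIN_FEEDBACK:
        problems.append("Buy It Now needs feedback >= %d" % BIN_MIN_FEEDBACK)
    return problems


def validate_listing_edit(session_account: Account, listing_owner_id: str) -> list:
    """Only the listing's owner, from an active session, may add to a running listing."""
    problems = []
    if session_account.user_id != listing_owner_id:
        problems.append("only the listing owner may edit it")
    if session_account.status != "active":
        problems.append("account status is %r; edit refused" % session_account.status)
    return problems


# Constructed sample accounts (hypothetical user IDs).
GOOD_SELLER = Account("honest_seller", "active", True, 250)
NARU_ACCOUNT = Account("closed_last_year", "naru", True, 40)
BUYER_ONLY = Account("casual_buyer", "active", False, 3)

if __name__ == "__main__":
    req = ListingRequest("closed_last_year", "x" * 80, 1, True)
    for p in validate_new_listing(NARU_ACCOUNT, req):
        print("rejected:", p)
```

The design point is that `session_account` comes from the server's own session store, never from the request body, so the `seller_id` the client sends is only ever compared against it; a listing that passes the form but fails here is exactly the kind of listing the paragraph above describes as impossible to post through normal means.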

This is a screenshot of an active listing on a NARU account. Unfortunately we did not get a screenshot of the seller's list of 205 items on this NARU account.


There are things ebaY could do right now to cut way back on these problems, without actually fixing their bloated, patched, corrupt and insecure kludge coding. These would only be stopgap measures until real fixes were put in place. Of course to do this, they would have to hire personnel and spend money, which at ebaY appears to be a crime of the first order, and a thing they won't do until their hand is forced.

1. Delete all accounts that have been inactive for a year. That is DELETE, as in remove totally from the database, not put into some accessible hole that the scammers can access. If they don't want to just delete inactive accounts, then send an email to the account holder asking the holder to go through their normal links to confirm they still want the account. Account holders should have to confirm unused accounts annually.

2. Require every account to be funded, either by cash, check or credit card. Even a minimal deposit of five or ten dollars for each account registered would cut down on the millions of superfluous accounts that are just sitting around waiting for the scammers to use them. Delete every account not funded (see 1. for what delete means). This would also help cut down on some other problems, such as accounts registered for deadbeat bidders to use to wreak havoc on sellers they don't like, or just for the fun of it.

3. Require a secure password consisting of letters, numbers and characters. This is such a basic security feature it amazes TAG that ebaY does not require it.

4. Require that sellers of items that are normally counterfeited be bonded. This is probably a good idea for all sellers who habitually sell high ticket items, including ebaY Motors. Reasonable limits could be set, so that anyone selling over X dollars a month of these items must be bonded.

5. Eliminate 1 day listing, and possibly 3 day listings. There is no reason for these to exist, and though Buy It Now and store listings amount to the same thing, they at least have some restrictions in place. Of course it appears the scammers have the ability to subvert all restrictions, but getting rid of all 1 day listings might filter some of the garbage out.

It would behoove Meg Whitman to implement these stopgap measures, expending her employees' energy on these measures as opposed to deleting postings and threads about the problems, suspending users who talk about the problems, lying about the extent of the security hole, and adding sites that publicize these issues, such as The Auction Guild and Falle-Internet.de, to the blacklists on sites such as AOL, Yahoo and the phishreport.net organization. And if ebaY actually plans to continue to be a marketplace, they need to hire some programmers and rebuild the entire program infrastructure from scratch, so that holes such as that exploited by the Vladuzes of the world are closed.

If you want to read more about these issues, and get the latest as it happens, keep your eye on these sites:
ebaY Motors Sucks
FireMeg
Falle-Internet

Articles at -
http://redtape.msnbc.com/2007/03/how_far_has_vla.html
http://www.eweek.com/article2/0,1895,2100808,00.asp
http://www.eweek.com/slideshow/0,1206,a=202474,00.asp

Information for this article came from -
http://news.zdnet.com/2100-1009_22-6165628.html?tag=nl.e550
And from several TAGnotes subscribers and information providers who choose to remain anonymous, but whose efforts we appreciate immensely

Friday, February 23, 2007

ebaY Tries Intimidation

24 Feb 2007

For all of you that are following the Vladuz story, TAG has commented several times on how ebaY seems to be expending more energy on keeping the information hidden from the public, than on doing anything about the problem. Here is some proof that this is so.

Though the various Vladuz threads on ebaY US and ebaY UK are removed promptly, for a while the Vladuz threads on the ebaY DE boards were allowed to remain. TAG referenced those threads in some of the articles on the TAG website, and back in Jan, when Vladuz visited the TAG website, he/she was made aware of those ebaY DE threads, and went there for a visit. Vladuz spent some time posting on the ebaY DE boards, and when those threads started to attract lots of international attention, ebaY shut those threads down also. What ebaY also discovered is that there is a German website named Falle-Internet that is providing information about fraud and scams online, and in particular about ebaY DE. There are also several threads about Vladuz on the site.

On 19 Feb 07, TAG received an email from one of the contributors to the Falle site, which included the mail that the company hosting their server had received from ebaY. An excerpt from the correspondence follows:

From: snoyce@ebay.com
We have just learned that your service is being used to violate eBay Inc.'s trademarks and/or copyrights. Specifically, it appears that a xxxx user is hosting a page at 88.198.157.106 - http://www.falle-internet.de/de/html/pr_vlad.htm which uses our trademarks inappropriately.
While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of eBay's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from eBay, the owner of the copyrighted materials. Accordingly, the information below serves as eBay's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named eBay Inc. I have a good faith belief that the website located at URL http://www.falle-internet.de/de/html/pr_vlad.htm has its copyright in each page of its website and associated source code.

Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist eBay and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.
-------------------

Well, anyone receiving such an email would be bound to feel threatened, at least until they looked a little closer. Fortunately the server host receiving this intimidating email did not overreact and take the site down, but instead contacted the Falle folks. The Falle folks did take down the referenced page, but only until they could get more information from ebaY as to exactly what ebaY was objecting to. There was nothing on the site that should have caused a problem, and nothing that was not also on the TAG site and other sites such as ebaY Motors Sucks.

On closer inspection of ebaY's threats, the whole thing looks foolish and silly. To start with, the FBI has no jurisdiction in Germany. In addition, the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A), is a US statute, not a German one. To our legally untrained eyes, it does not appear that ebaY has a legal leg to stand on, and TAG wonders whether this letter would fall under intimidation and harassment by ebaY. What possible criminal activity Falle could have committed remains a complete mystery, even to a fervent imagination.

Another thing that happened to the Falle-Internet site, and also to the TAG site, is that both sites are now showing up on various toolbars as fraudulent sites. The following image shows up if you go to the auctionguild.com site (and also the Falle-Internet site) using the Opera browser and toolbar. It says, "This site has been found on Opera's blacklist of suspected fraud sites. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud."



Isn't it an interesting coincidence that some mysterious organization has decided to report as fraudulent the very sites that are publishing information which could have a negative impact on ebaY's stock price? Since the TAG site has been around since 1999, has never been designated as a fraudulent site before, asks for no sensitive information of any kind, and does not even require you to accept a cookie to use it, how the folks at Opera can justify this warning is beyond us. One assumes they would need a blacklist request from someone with influence before blacklisting a site without even checking the site in question.

We will try to contact Opera to see if they can get this reviewed and fixed, and would also greatly appreciate it if any of you out there who use the Opera browser and toolbar report to Opera that this fraudulent site designation is false and should be removed. Also, please check the auctionguild.com site, the Falle-Internet.de site, and even the ebaymotorssucks.com site to see if they show up as fraudulent using any other toolbars you might use, let us know, and also let the toolbar site know that any fraud designation is false.

ebaY on Vladuz, Deny and Lie

23 Feb 2007

TAG has been deeply concerned over the completely open ebaY back end, which has allowed the hackers and the counterfeiters complete access to unlimited ebaY accounts and listings. All ebaY has done, so far as we can tell, is to disappear threads on their site discussing the subject, and attempt to intimidate and threaten websites that have recorded the incidents, and provided access to this information to the public.

On the first of February, TAG wrote to Rob Chesnut, Senior Vice President of Trust and Safety at ebaY, in a futile attempt to get some reassurance that ebaY was actually doing something to close this hole. We referenced the articles on the TAG website we have written on this subject and asked what we consider the most basic question:

If as ebaY claims, the Vladuz back door program does not exist, then HOW are the Chinese counterfeit sellers hijacking thousands of accounts and using those accounts to sell their merchandise and get their payment through PayPal, all without needing passwords on those accounts?

Unfortunately Rob did not see his way clear to respond, on or off the record, and instead shunted the email off to a new and inexperienced ebaY PR person. We can just imagine how the folks at ebaY were probably laughing into their coffee cups about sticking this ingénue with responding to big bad TAG.

The email we received said:

I have to say we were rather disappointed that you didn't try and contact us prior to writing the piece as when we read your article we have noticed it contains many inaccuracies.

We can hopefully address your 'concerns about the Vladuz problem' with the facts below. Once you've had a look at these, it would be great if we can chat about whether you will amend your current article.

- Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts.

- Our corporate email system operates on an entirely separate database and server system than those that store customer information.

- At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed.

- There is no way of gaining access to our internal networks without a securid token issued by IT.

- By policy, our Customer Support Reps cannot store or include any personal data of any user in their email account.

- We take these incidents very seriously, and we are working closely with US and International authorities to investigate it further.

We responded with:

Are you just a PR person or do you actually understand how ebaY works? I have been intimately acquainted with the ebaY system since 1997 and been writing about it since 1999. How long have you been with them?

Since ebaY usually refuses to talk to me, I rarely contact them in the first place. On the very rare occasions I have talked to someone at ebaY on the record, all I have gotten is information that is less than the truth, definitely less than the whole truth, and usually just corprospeak babble. ebaY lies so frequently, it is hard to tell the rare time they might actually be speaking the truth.

This is simple – give me a realistic explanation of how the Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, with the ability to change information within actively running legitimate listings, and I MIGHT believe what you have to say about there being no access to your corporate networks, tools, financial database or desktops.

How much of this information is available because of the tools Vladuz is selling, remains to be seen, but the research I have done does point to Chinese hackers being aware of the Vladuz tools. One could theorize that they have used his tools and improved on them, so that they now have their unlimited access to ebaY user accounts.

Now admittedly, this is not exactly friendly or diplomatic, but it was bluntly honest, our normal mode of communication.

ebaY's Public Relations response was:

I must say that I was quite surprised by your response to us. As a new member to the eBay PR team, I was in good faith trying to reach out and build a new relationship with you, because we as a team were hoping to engage with you in the same manner we do with all other journalists and bloggers. We wanted to create a successful working relationship based on honesty, trust and mutual respect. But, it's obvious from the tone of your email below that you do not wish to start a productive and positive working relationship with us, which is a shame.

I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts, however, I shall leave that to your own judgment about what is most valuable for your readers to know.

Given your apparent disinterest in helping your readers by developing a productive relationship with us that is based on the qualities we value, we have decided it would not benefit any of us to continue the effort with future responses to any of your inquiries.

We tried again and responded with:

In the past I have tried friendly discourse with ebaY, and have received no valid answers to my questions. In the past I have been aggressive and have received no valid answers to my questions. My approach has made no difference in getting valid answers out of ebaY. There is also a history of ebaY acting in a bad faith way against me – so there is a good reason why my attitude is not one based on mutual respect.

I would be happy to open a new channel and start fresh with you, if you would give me valid answers to my valid questions.

In my email to Rob I did not ask about Vladuz hijacking pink accounts to play games on the German boards. This is a non-issue as far as I am concerned, except that it demonstrates additional vulnerabilities. What I did ask about was the FACT that Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, and with the ability to change information within actively running legitimate listings.

This is happening every day and I have records of dozens of screenshots of this activity on ebaY. Can you please address this very important issue?

At present, all the facts I have do not in any way agree with the things you say are facts. The evidence is to the contrary. There is not evidence, for instance, that even though ebaY might end listings on these hijacked accounts, they have any way to prevent the items from being listed again, or can in any way limit the 1 to 2 million or so listings a day being posted by these Chinese hijackers.

It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect. As the person who has been writing about ebaY the longest, with a firmly established position in the industry as being forthright, trustworthy, and ethical, if you could actually develop a rapport with me, where honesty and openness ruled, it would be a great accomplishment indeed. This would reflect well on you, and on ebaY, and I challenge you to change the current climate between TAG and ebaY, and in turn with the entire industry.

Needless to say, the ebaY PR wonk did not respond. We were amused by the phrase that said, "I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts."

Of course ebaY did not in any way discuss the issue of the nearly 2 million listings daily on hijacked accounts, listings that are relisted as fast as ebaY can remove them, sometimes 3 or 4 times a day. The image below is a pictorial view of what is happening on ebaY every day.




They did not discuss the ongoing fake second chance offers that continue to be sent to bidders on high priced items, despite ebaY now hiding the bidder IDs. ebaY did not discuss that Vladuz has posted on several ebaY chat boards using ebaY employee IDs, or creating his/her own ebaY employee IDs, such as in his latest posting on the ebaY DE board, shown below.



In fact all ebaY has done is deny and lie.

They say Vladuz "...gained access to a small number of employee email accounts" when it is obvious that Vladuz can access whatever ebaY employee accounts he/she wants, whenever he/she wants, on whichever ebaY site he/she chooses. They say "...no one can access an ebaY account without a password", though we have proved this is not true. ebaY says "...the hijacked accounts are due to people responding to phishing email", though we have proved this also is not always true, and it cannot be true where hundreds of accounts are cherry picked, in alphabetical order, and new accounts are used day after day. ebaY denies that anyone has access to their back end, and refuses to acknowledge or provide a single answer as to how the counterfeiters are using these hundreds of hand-picked hijacked accounts to sell millions of counterfeit items and get paid via PayPal through ebaY. TAG is convinced that if ebaY could fix this open back end problem, they would have already done so. The only logical conclusion is that they can't.

Surely it is time for ebaY to come clean on this, and reassure those who use ebaY that they know about the problems and are working on fixing them. They should set up a special team to monitor their own site to prevent these listings from even indexing on the site. As we said in our final email to that ebaY PR person, " It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect."

Don't worry; we are not holding our breath whilst waiting for this change.

Friday, February 02, 2007

The Scammers Are Now In Control of ebaY

1 Feb 2007
Also see
ebay Insider Hijack Scam? and ebay's Back Door Wide Open & Letting Scammers In
And
ebaY Motors Hijacked

Those of us who have watched ebaY from a user's perspective for many years have seen an ever increasing ability for scammers to manipulate the site. In the last year, this access has gone from outside manipulation of flaws and stolen personal information to complete inside control.

These are the facts:

Every day thousands of listings from China selling brand name counterfeit goods are listed using hijacked accounts. These are usually 1 day listings, the accounts used fit a standard profile and are often accessed in alphabetical order. These listings are for brand name clothing, DVDs, sunglasses, and expand into other categories regularly. The scammer does not need a password to access these accounts.

ebaY Motors has ever increasing fraudulent listings: redirects from ebaY search results, manipulation of information in valid running listings, and ever more sophisticated cons, on top of the all-American fraud found in some used car salesmen, which has been a caricature in our society since the advent of the automobile.

There is a brilliant hacker/code writer who uses the moniker Vladuz and makes ebaY his specialty. He has been writing ebaY hacks since 2003, as far as we can trace. This individual recently sent us a link to his latest hack, a tool that he posted among the Firefox plug-ins. There have been several screenshots of ebaY's control utilities database posted on the net, on ebaY and off, all with a visible Vladuz watermark on the pages. Vladuz made the posts on ebaY, as far as TAG can tell.

ebaY knows about this problem, and has been removing any threads that appear on its site about it. They just removed a long-running thread on ebaY DE, one on which Vladuz had posted under various guises, including hacked ebaY pink accounts. At the end of December, TAG contacted ebaY through their Trust and Safety live support, and specifically told them what was going on. ebaY cannot say they did not know.
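The listing pattern described in the facts above (1-day listings of brand-name goods in a handful of categories, posted from hijacked accounts that are used in alphabetical order) is exactly the kind of signal a site operator could flag automatically before a listing is indexed. The script below is an added example written for this page; it is not TAG's or ebaY's code. The indicators come from the article's description, but the record layout, the keyword and category watch lists, the thresholds and the sample listings are all assumptions constructed for illustration.

```python
"""Heuristic flagging of the hijacked-account listing pattern described above.

Added example, not code from TAG or ebaY. Indicators follow the article
(1-day listings, brand-name goods in clothing/DVD/sunglasses categories,
seller accounts used in alphabetical order); the record layout, watch lists,
thresholds and sample data are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed watch lists; the article names the categories but no specific terms.
BRAND_TERMS = ("designer", "brand new", "authentic", "sunglasses", "box set")
WATCHED_CATEGORIES = {"clothing", "dvds", "sunglasses"}


@dataclass(frozen=True)
class Listing:
    listing_id: str
    seller_id: str
    duration_days: int
    title: str
    category: str
    listed_at: int  # minutes since the start of the observation window (constructed)


def find_alphabetical_runs(listings: List[Listing], min_run: int = 3) -> List[List[Listing]]:
    """Return maximal runs of time-ordered listings whose seller IDs strictly
    increase alphabetically, keeping only runs of at least min_run listings."""
    ordered = sorted(listings, key=lambda item: item.listed_at)
    runs: List[List[Listing]] = []
    current: List[Listing] = []
    for item in ordered:
        if current and item.seller_id.lower() > current[-1].seller_id.lower():
            current.append(item)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [item]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def listing_indicators(item: Listing, in_batch: bool) -> List[str]:
    """Collect the article's indicators that apply to one listing."""
    reasons: List[str] = []
    if in_batch:
        reasons.append("seller in alphabetical batch")
    if item.duration_days == 1:
        reasons.append("1-day listing")
    if any(term in item.title.lower() for term in BRAND_TERMS):
        reasons.append("brand-name keyword in title")
    if item.category.lower() in WATCHED_CATEGORIES:
        reasons.append("watched category")
    return reasons


def flag_hijack_candidates(listings: List[Listing], min_run: int = 3) -> Dict[str, List[str]]:
    """Map seller_id -> reasons for sellers that appear in an alphabetical batch
    AND show at least one content indicator. Batch membership alone is not enough,
    because a few unrelated sellers can land in alphabetical order by chance."""
    in_batch = {item.listing_id for run in find_alphabetical_runs(listings, min_run) for item in run}
    flagged: Dict[str, List[str]] = {}
    for item in listings:
        reasons = listing_indicators(item, item.listing_id in in_batch)
        if item.listing_id in in_batch and len(reasons) >= 2:
            merged = flagged.setdefault(item.seller_id, [])
            merged.extend(r for r in reasons if r not in merged)
    return flagged


# Constructed sample: two ordinary listings, a batch of five alphabetical
# hijacked-looking sellers, then an ordinary clothing seller after the batch.
SAMPLE_LISTINGS = [
    Listing("L1", "mike_cars", 10, "2001 sedan, one owner", "cars", 0),
    Listing("L2", "zoe_crafts", 7, "Hand-thrown ceramic mug", "pottery", 1),
    Listing("L3", "aaron_k", 1, "Designer sunglasses, brand new, authentic", "sunglasses", 2),
    Listing("L4", "abby99", 1, "Complete series DVD box set", "dvds", 3),
    Listing("L5", "acme_tools", 1, "Designer jeans brand new", "clothing", 4),
    Listing("L6", "adam.w", 1, "Authentic designer handbag", "clothing", 5),
    Listing("L7", "alfie", 1, "Sunglasses brand new authentic", "sunglasses", 6),
    Listing("L8", "abigail_art", 7, "Hand-knitted scarf", "clothing", 7),
]

if __name__ == "__main__":
    for seller, reasons in flag_hijack_candidates(SAMPLE_LISTINGS).items():
        print(f"{seller}: {', '.join(reasons)}")
```

Run stand-alone, the script flags the five sellers of the alphabetical batch and leaves `abigail_art` alone even though her listing is in a watched category, because she is not part of the batch. The alphabetical-run check is deliberately order-sensitive: a listing from a seller whose ID sorts lower than the previous one breaks the run, which is why real detection would also correlate account age, listing text reuse and PayPal address changes rather than rely on ordering alone.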

Here is what we have theorized based on all we have seen, and the facts we have:

Vladuz appears to have written a program that gives the scammers complete access to what we are calling ebaY's back end. This back end is the control utilities database used by ebaY, to track everything on their site, that contains all information about ebaY employees and its users. The following images are samples of what Vladuz has made available to the scammer marketplace.




The scammers who have purchased, or otherwise acquired, the Vladuz access programs appear to be able to manipulate the account information of every registered user ID on ebaY. They can monitor in real time what is happening in an account, read email sent through ebaY's system and respond to it through ebaY's system, and change any parameter in the user ID account, so that, for example, they receive the PayPal payments the legitimate account holder would otherwise have received. They can add or remove information in a currently running listing without the legitimate account holder knowing it, and conduct business as they please, using all the hijacked accounts they please. No password is needed. In the article ebay Insider Hijack Scam? we theorized that this was being done by an ebaY insider, as that was the only thing that could explain what we were observing. What we did not realize, and what even TAG found hard to believe, was that the scammers now had insider access, not by working for ebaY, but by using the program built by Vladuz.