Friday, February 23, 2007

ebaY Tries Intimidation

24 Feb 2007

For all of you that are following the Vladuz story, TAG has commented several times on how ebaY seems to be expending more energy on keeping the information hidden from the public than on doing anything about the problem. Here is some proof that this is so.

Though the various Vladuz threads on ebaY US and ebaY UK are removed promptly, for a while, the Vladuz threads on the ebaY DE boards were allowed to remain. TAG referenced those threads in some of the articles on the TAG website, and back in Jan, when Vladuz visited the TAG website, he/she was made aware of those ebaY DE threads, and went there for a visit. Vladuz spent some time posting on the ebaY DE boards, and when those threads started to attract lots of international attention, ebaY shut those threads down also. What ebaY also discovered is that there is a German website named Falle-Internet that is providing information about fraud and scams online, and in particular about ebaY DE. There are also several threads about Vladuz on the site.

On 19 Feb 07, TAG received an email from one of the folks who is a contributor to the Falle site, which included mail that the company that hosts their server received from ebaY. An excerpt from the correspondence follows:

We have just learned that your service is being used to violate eBay Inc.'s trademarks and/or copyrights. Specifically, it appears that a xxxx user is hosting a page at - which uses our trademarks inappropriately.
While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of eBay's trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from eBay, the owner of the copyrighted materials. Accordingly, the information below serves as eBay's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the agent authorized to act on behalf of the owner of certain intellectual property rights, said owner being named eBay Inc. I have a good faith belief that the website located at URL has its copyright in each page of its website and associated source code.

Please act expeditiously to remove or disable access to the material or items claimed to be infringing.

We sincerely appreciate your immediate attention to this important matter. We would also appreciate if you would take steps to confirm the accuracy of any contact information that your user may have provided to you in establishing the account. Should you have any accurate information that could assist eBay and law enforcement in tracking this individual, we greatly appreciate your assistance, as we know that you do not condone the use of your services for such criminal purposes.

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

Well, anyone receiving such an email would be bound to feel threatened, at least until they looked a little closer. Fortunately the server host receiving this intimidating email did not overreact and take the site down, but instead contacted the Falle folks. The Falle folks did take down the referenced page, but only until they could get more information from ebaY as to exactly what ebaY was objecting to. There was nothing on the site that should have caused a problem, and nothing that was not also on the TAG site and other sites such as ebaY Motors Sucks.

On closer inspection of ebaY's threats, the whole thing looks foolish and silly. To start with, the FBI has no jurisdiction in Germany. In addition, the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A) is a US code, not a German one. To our legally untrained eyes, it does not appear that ebaY has a legal leg to stand on, and TAG wonders if this letter would fall under intimidation and harassment by ebaY. What possible criminal activity Falle could have committed remains a complete mystery to even a fervent imagination.

Another thing that happened to the Falle-Internet site, and also to the TAG site, is that both our sites are now showing up on various toolbars as fraudulent sites. The following image shows up if you go to the site (and also the Falle-Internet site) and use the Opera browser and toolbar. It says, "This site has been found on Opera's blacklist of suspected fraud sites. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud."

Isn't it an interesting coincidence, that some mysterious organization has decided to report sites as being fraudulent that are publishing information that could have a negative impact on ebaY's stock price? Since the TAG site has been around since 1999, has never been designated as a fraudulent site before, asks for no sensitive information of any kind, and you don't even have to accept a cookie to use the site, how the folks at Opera can justify this warning, is beyond us. One assumes that they would need to get such a blacklist request from someone with influence, to blacklist a site without even checking the site in question.

We will try to contact Opera to see if they can get this reviewed and fixed, and would also greatly appreciate if any of you out there who use the Opera browser and toolbar, report to Opera that this fraudulent site designation is false and should be removed. Also, please check the site the site, and even the site to see if they show up as fraudulent, using any other toolbars you might use, and let us know, and also let the toolbar site know that any fraud designation is false.

ebaY on Vladuz, Deny and Lie

23 Feb 2007

TAG has been deeply concerned over the completely open ebaY back end, which has allowed the hackers and the counterfeiters complete access to unlimited ebaY accounts and listings. All ebaY has done, so far as we can tell, is to disappear threads on their site discussing the subject, and attempt to intimidate and threaten websites that have recorded the incidents, and provided access to this information to the public.

On the first of February, TAG wrote to Rob Chesnut, Senior Vice President of Trust and Safety at ebaY, in a futile attempt to get some reassurance that ebaY was actually doing something to close this hole. We referenced the articles on the TAG website we have written on this subject and asked what we consider the most basic question:

If as ebaY claims, the Vladuz back door program does not exist, then HOW are the Chinese counterfeit sellers hijacking thousands of accounts and using those accounts to sell their merchandise and get their payment through PayPal, all without needing passwords on those accounts?

Unfortunately Rob did not see his way clear to respond - on or off the record - and instead shunted the email off to a new and inexperienced ebaY PR person. We can just imagine how the folks at ebaY were probably laughing in their coffee cups about sticking this ingénue with responding to big bad TAG.

The email we received said:

I have to say we were rather disappointed that you didn't try and contact us prior to writing the piece as when we read your article we have noticed it contains many inaccuracies.

We can hopefully address your 'concerns about the Vladuz problem' with the facts below. Once you've had a look at these, it would be great if we can chat about whether you will amend your current article.

- Some messages were published on a community board on the (Germany) web site by a person who gained access to a small number of employee email accounts.

- Our corporate email system operates on an entirely separate database and server system than those that store customer information.

- At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed.

There is no way of gaining access to our internal networks without a securid token issued by IT.

- By policy, our Customer Support Reps cannot store or include any personal data of any user in their email account.

- We take these incidents very seriously, and we are working closely with US and International authorities to investigate it further.

We responded with:

Are you just a PR person or do you actually understand how ebaY works? I have been intimately acquainted with the ebaY system since 1997 and been writing about it since 1999. How long have you been with them?

Since ebaY usually refuses to talk to me, I rarely contact them in the first place. On the very rare occasions I have talked to someone at ebaY on the record, all I have gotten is information that is less than the truth, definitely less than the whole truth, and usually just corprospeak babble. ebaY lies so frequently, it is hard to tell the rare time they might actually be speaking the truth.

This is simple – give me a realistic explanation of how the Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, with the ability to change information within actively running legitimate listings, and I MIGHT believe what you have to say about there being no access to your corporate networks, tools, financial database or desktops.

How much of this information is available because of the tools Vladuz is selling, remains to be seen, but the research I have done does point to Chinese hackers being aware of the Vladuz tools. One could theorize that they have used his tools and improved on them, so that they now have their unlimited access to ebaY user accounts.

Now admittedly, this is not exactly friendly or diplomatic, but it was bluntly honest, our normal mode of communication.

ebaY's Public Relations response was:

I must say that I was quite surprised by your response to us. As a new member to the eBay PR team, I was in good faith trying to reach out and build a new relationship with you, because we as a team were hoping to engage with you in the same manner we do with all other journalists and bloggers. We wanted to create a successful working relationship based on honesty, trust and mutual respect. But, it's obvious from the tone of your email below that you do not wish to start a productive and positive working relationship with us, which is a shame.

I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts, however, I shall leave that to your own judgment about what is most valuable for your readers to know.

Given your apparent disinterest in helping your readers by developing a productive relationship with us that is based on the qualities we value, we have decided it would not benefit any of us to continue the effort with future responses to any of your inquiries.

We tried again and responded with:

In the past I have tried friendly discourse with ebaY, and have received no valid answers to my questions. In the past I have been aggressive and have received no valid answers to my questions. My approach has made no difference in getting valid answers out of ebaY. There is also a history of ebaY acting in a bad faith way against me – so there is a good reason why my attitude is not one based on mutual respect.

I would be happy to open a new channel and start fresh with you, if you would give me valid answers to my valid questions.

In my email to Rob I did not ask about Vladuz hijacking pink accounts to play games on the German boards. This is a non-issue as far as I am concerned, except that it demonstrates additional vulnerabilities. What I did ask about was the FACT that Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, and with the ability to change information within actively running legitimate listings.

This is happening every day and I have records of dozens of screenshots of this activity on ebaY. Can you please address this very important issue?

At present, all the facts I have do not in any way agree with the things you say are facts. The evidence is to the contrary. There is not evidence, for instance, that even though ebaY might end listings on these hijacked accounts, they have any way to prevent the items from being listed again, or can in any way limit the 1 to 2 million or so listings a day being posted by these Chinese hijackers.

It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect. As the person who has been writing about ebaY the longest, with a firmly established position in the industry as being forthright, trustworthy, and ethical, if you could actually develop a rapport with me, where honesty and openness ruled, it would be a great accomplishment indeed. This would reflect well on you, and on ebaY, and I challenge you to change the current climate between TAG and ebaY, and in turn with the entire industry.

Needless to say, the ebaY PR wonk did not respond. We were amused by the phrase that said, "I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts."

Of course ebaY did not in any way discuss the issue of the nearly 2 million listings daily on hijacked accounts. The listings that are relisted as fast as ebaY can remove them - sometimes 3 or 4 times a day. This image is a pictorial view of what is happening on ebaY every day.

They did not discuss the ongoing fake second chance offers that continue to be sent to bidders on high priced items, despite ebaY's now hiding the bidder IDs. ebaY did not discuss that Vladuz has posted on several ebaY chat boards using ebaY employee IDs or creating his/her own ebaY employee IDs, such as his latest posting on the ebaY DE board

In fact all ebaY has done is deny and lie.

They say Vladuz, "...gained access to a small number of employee email accounts" when it is obvious that Vladuz can access whatever ebaY employee accounts, whenever he/she wants, on whichever ebaY site he/she chooses. They say, " one can access an ebaY account without a password" though we have proved this is not true. ebaY says, "...the hijacked accounts are due to people responding to phishing email", though we have proved this also is not always true, and can not be true where hundreds of accounts are cherry picked, in alphabetical order, and new accounts are used day after day. ebaY denies that anyone has access to their back end, and refuses to acknowledge or provide a single answer as to how the counterfeiters are using these hundreds of hand picked hijacked accounts to sell millions of counterfeit items, and get paid via PayPal through ebaY. TAG is convinced that if ebaY could fix this open back end problem, they would have already done so. The only logical conclusion is that they can't.

Surely it is time for ebaY to come clean on this, and reassure those who use ebaY that they know about the problems and are working on fixing them. They should set up a special team to monitor their own site to prevent these listings from even indexing on the site. As we said in our final email to that ebaY PR person, "It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect."

Don't worry; we are not holding our breath whilst waiting for this change.

Friday, February 02, 2007

The Scammers Are Now In Control of ebaY

1 Feb 2007
Also see
ebay Insider Hijack Scam? and ebay's Back Door Wide Open & Letting Scammers In
ebaY Motors Hijacked

Those of us who have watched ebaY from a user's perspective, for many years, have seen an ever-increasing ability for scammers to manipulate the site. In the last year, this access has gone from being outside manipulation of flaws and stolen personal information, to complete inside control.

These are the facts:

Every day thousands of listings from China selling brand name counterfeit goods are listed using hijacked accounts. These are usually 1 day listings, the accounts used fit a standard profile and are often accessed in alphabetical order. These listings are for brand name clothing, DVDs, sunglasses, and expand into other categories regularly. The scammer does not need a password to access these accounts.

ebaY Motors has ever increasing fraudulent listings. There are redirects from ebaY search results, manipulation of information in valid running listings, and ever more sophisticated cons, in addition to the all American fraud, found in some used car salesmen, that has been a caricature in our society since the advent of the automobile.

There is a brilliant hacker/codewriter who uses the moniker Vladuz, who makes ebaY his specialty. He has been writing ebaY hacks since 2003, as far as we can trace. This individual recently sent us a link to his latest hack, a tool that he posted on Firefox's plug ins. There have been several screen shots of ebaY's control utilities database posted on the net, on ebaY and off, all with a visible Vladuz watermark on the pages. Vladuz made the posts on ebaY, as far as TAG can tell.

ebaY knows about this problem, and has been removing any threads that appear on their site about it. They just removed a long running thread on ebaY DE, one on which Vladuz has posted under various guises, including hacked ebaY pink accounts. At the end of December, TAG contacted ebaY through their Trust and Safety live support, and specifically told them what was going on. ebaY cannot say they did not know.

Here is what we have theorized based on all we have seen, and the facts we have:

Vladuz appears to have written a program that gives the scammers complete access to what we are calling ebaY's back end. This back end is the control utilities database used by ebaY, to track everything on their site, that contains all information about ebaY employees and its users. The following images are samples of what Vladuz has made available to the scammer marketplace.

The scammers who have purchased, or otherwise acquired the Vladuz access programs, appear to be able to manipulate the account information of every registered user ID on ebaY. They can monitor in real time what is happening in an account, read email sent through ebaY's system and respond to it through ebaY's system, change any parameter in the user ID account, so, for example, they can receive the PayPal payments the legitimate account holder would have otherwise received. They can add or remove information on a currently running listing without the legitimate account holder knowing it, and conduct business as they please; using all the hijacked accounts they please. No password access is needed. In the article ebay Insider Hijack Scam? we theorized that this was being done by an ebaY insider, as that was the only thing that could explain what we were observing. What we did not realize, and what even TAG found hard to believe, was that the scammers now had insider access, not by working for ebaY, but by using the program built by Vladuz.