Battling Fraud on Ebay: Part 1

Today, few things cost eBay users as much money and grief as account hijacking. At the vanguard of this threat is an attack known by the warm and fuzzy name of phishing &#151 e-mails sent by thieves posing as legitimate online businesses with the intent of hijacking passwords and other sensitive personal data.

The latest stats indicate that the phishing threat has reached epidemic proportions: In February 2005, there were no fewer than 13,141 unique phishing e-mails messages supported on 2,625 separate fraudulent Web sites, according to the Anti-Phishing Work Group, an industry association that includes eBay and other major online targets. Symantec, the producers of Norton Anti-Virus, claims intercepted phishing attempts grew 300 percent since June, 2004. EBay’s size makes it one of the five most-targeted sites on the Internet.

E-mail phishing attempts are not the only threat facing eBay users. Phony escrow services, Wi-Fi network invasions and assaults on eBay’s mammoth online payment service, Paypal, makes eBay country a virtual minefield.

As an eBay seller for the past six years, I have witnessed a wary reaction among the site’s buyers as more and more users get caught in the hijackers’ snares. Accounts from other eBay vendors indicate the same, as well as a decline in auction traffic and buy-through prices. The antidote is awareness of each manifestation of the threat, which we will address here in Part I of this report.

A Four-legged Monster: eBay E-mails

The early attacks raised nothing but red flags for most eBayers: e-mails, initiated overseas in fractured English, riddled with spelling and syntax errors and washed-out looking eBay logos &#151 if any appeared at all. The recipients were warned, “if you do not update your account information within the next 48 hours your eBay account will be closed.” A hyperlink appeared at the bottom directing the prey to a Web site demanding passwords and other eBay account data, often including credit card and other personal information.

While these early, crude attempts at account hijacking did not fool most eBay users, they were successful enough to encourage the thieves to clean up and refine their scams. The spelling and sentence structure improved, copyright statements were added to the e-mails, and the eBay logos appeared realistic &#151 giving momentary pause even to savvy eBay veterans.

Then Came Paypal

Once eBay bought the enormous online payment service Paypal in October, 2002, the phishing attempts expanded to Paypal users, hijacking and cleaning out seller’s Paypal and linked bank accounts. The scam begins with warning e-mails similar to the eBay phishing attempts. The thieves tend to target sellers with good feedback ratings whom buyers prefer, and to vendors who deal in high-ticket, high-demand items, such as electronics, jewelry, cars, coins and other expensive, popular items. Using photos from the victims closed auctions, the thief resells the items to unsuspecting buyers (or under bidders via a “second chance offer”) and often, adding insult to injury, use the victim’s Paypal account to pay for listing fees and photos.

An offshoot money-laundering scam involves e-mails to Paypal users offering a percentage of a sale if the overseas “seller” can use the victims Paypal account to transfer the funds. While this constitutes money laundering and is patently illegal, the 10-to-25 percent cut for the use of the account has enticed many Paypal users into participating into a crime that usually leaves them with an empty account.

The Big Enchilada: Phony Escrow Services

Frequently, the most costly eBay fraud involves phony escrow services. In a typical scam, the “seller” targets buyers on eBay motors, offering popular vehicles such as BMW’s Mini-Coopers, Camrys, Harley Davidsons etc., at far below market value. The victim e-mails a question to the thief who replies with a form e-mail (rarely using the recipients name,) suggesting an escrow service he’s used “many times before,” and offering extravagant perks such as free transcontinental vehicle shipping, which usually costs $900 or more.

The e-mails contain logos of legitimate escrow services and copyrights dating from 1999 or 2000, fostering the impression they have been in business for a while. The payment options include Western Union cash transfers, direct electronic transfers or other dubious online payment methods. The thief sets up an anonymous Yahoo e-mail box, uses a throw-away cell phone for a phone number, and vanishes with the victims money.

The Emerging Wi-Fi Threat

The spread of wireless data technology known as Wi-Fi, is rapidly altering the way people get online. Using base stations, or routers, you can link several computers to a wireless high-speed Internet connection that lets you move around with laptops and other mobile devices, as well as to connect your computers to printers and other devices.

Virtually nonexistent in 2000, Wi-Fi base stations are now in 10 million American homes, according to ABI, a technology research firm. Further, base stations can be found in many public places and retail businesses such as hotels and coffee shops, as well as college campuses and towns that are blanketed with wireless zones or grids.

Hard on the heels of this explosive growth come the thieves. Recently, the
Secret Service office in Newark, New Jersey completed an investigation that lead to the arrest of 30 international data thieves. Of the 30, half regularly used the open Wi-Fi connections of unsuspecting neighbors.

Typically, the range of a Wi-Fi connection signal is 200 feet. However, newer amplifiers and antennas extend the hijacker’s reach up to a quarter mile. While some public locations charge a fee or force people to register, thus making them potentially traceable, others leave their networks wide open. The result is that the thieves can scour a victim’s computer or “sniff” a network for passwords and other sensitive data, using it to empty accounts, hold false auctions and run scams across the Internet.

Wi-Fi routers include built-in preventive measures that secure the systems from hijackers, but most home users and many public places do not bother to use them.

Collectively, these four hijacker attack modes constitute a larcenous cottage industry that has launched many eBayer’s into a world of pain, and which now threatens the reputation and continued success of the online auction giant.

Vulnerability in a Virtual World

Suspensions, payment problems, disputes between users, fraud and account hijackings on eBay must all be resolved via e-mail. In fact, other than Gold-level Power Sellers and up, it is nearly impossible to resolve an issue on eBay other than by e-mail. eBay does not publish its tech support phone number. (On a recent call, the agent asked how I acquired the number.) Those Power Sellers averaging $10,000 a month or more in sales for three consecutive months are the only ones rewarded with an account agent with a phone number.

Regardless, phone contact with an eBay representative inevitably leads to instructions on how to resolve the issue via an e-mail link on the site. “eBay is purely virtual. They live and die by e-mail,” says David Jevans, chairman of the Anti-Phishing Working Group.

Accounting for 25 percent of all online sales, eBay’s huge numbers work against the company and in favor of the phishers. With millions of active eBay and Paypal users, the phishers can send out endless numbers of blind e-mails and be sure of reaching many potential victims.

“Tens of millions of people use eBay and Paypal,” says Jevans, ” if you send out a billion e-mails you only need one in 10,000 to fall for it.”

In turn, the proliferation of fraud e-mails has interfered with legitimate eBay and Paypal business, as legitimate e-mail is caught and eliminated along with fraudulent variety by junk mail filtering systems.

Given its 135 million customers worldwide, e-mail communication is perhaps the only way eBay can function efficiently. Using technology supplied by WholeSecurity, eBay has recently introduced several measures to protect its customers, identify fraudulent Web sites and counter the filtering problem. But even here, the devil’s in the details.

The First Line of Defense: eBay Security

Several years ago, when the eBay phishing e-mails began proliferating, eBay sent out warning e-mails to all its customers warning that the company never asks for sensitive information via e-mail. The company encouraged customers who received e-mails they suspected were fraudulent to forward the e-mail to This generated a canned response repeating the advisory that eBay would never ask for sensitive account information via e-mail, and that the forwarded e-mail was likely a scam that would be investigated.

The forwarding system is still in effect on eBay and still generates the same precautionary, generic response. But eBay seldom sends the original warning e-mail to its customers leaving newer eBay members vulnerable.

eBay now offers customers who use Windows-based computers a free toolbar designed to detect and alert the owner when he clicks on a fraudulent Web site. Further, eBay moved to counter the problem of legitimate eBay e-mail being blocked by spam filtering software. In January 2005, eBay introduced a Web mail service called “My Messages.” In its current, abbreviated form, it is basically a way to get around the problem of spam filters blocking the company’s legitimate messages to its customers by duplicating the messages on the recipients’ “My eBay” page that can be accessed after logging on to the site.

The problem with both of these measures is that few people use them. J. Peter Selda, chief executive of WholeSecurity, who produced the fraud-site detecting software for eBay, estimates that only 10 percent of eBayers have downloaded the software. The same or a lesser percentage of customers bother to go to the “My Messages” link on the “My eBay” page. The main reason is that eBay has been consistently reluctant to advertise its security measures.

Though retaining a security staff of 800, and considered even by its critics as one of the most advanced sites in combating online fraud, eBay nevertheless exacerbates its security problems by playing it low key.

Many, if not a majority of, eBay and Paypal customers do not know to forward spoof e-mails to eBay or Paypal because the sites infrequently e-mail warnings or instructions to their users. Links to its security pages are difficult to find. For instance, security information on the eBay home page is located at the bottom in fine print. In general, it’s difficult to access on the site. This, in the opinion of many people, is to avoid discouraging new customers and potential business.

As a result, burned eBayers have been spreading negative word of mouth.

eBay representatives argue that the site’s continued growth &#151 transactions rose 44 percent to $34.2 billion last year &#151 indicates that fraud has not had a deleterious effect on eBay business. But vendors tell a different story.

I recently had a buyer stop payment on a check less than a week after sending it because his spam filter had prevented him from receiving legitimate e-mails sent through eBay. (Also, he had been stiffed twice before.) Frequently, buyers send redundant e-mails for assurance that payments have been received and or goods shipped, and increasingly, an atmosphere of wariness on the part of buyers and sellers permeates the site.

Many vendors feel that the phishers strain people’s confidence in eBay and drives down auction prices. Joe Cortese, chairman of the Professional eBay Seller’s Alliance, has petitioned eBay to make site navigation easier and to eliminate the use of hyperlinks in their e-mails as a way to differentiate them from the fraudulent e-mails sent by hijackers. So far, eBay has kept its security features low key, and since most eBay e-mails are commercial pitches, it is doubtful that the company will ever forego using hyperlinks to bring people to the site.

Even with the advances in fraud-detecting software, eBay is up against a tiger in its battle against phishers. Chasing down the links can be a shovel-against-the-tide effort, as phishers use multiple IP addresses and domains. Scammers can easily register a new domain for under $10, and be online within 24 hours &#151 and disappear in 48 hours.

Still, there are many preventive measures &#151 requiring more common sense than technical savvy &#151 that can protect eBay and Paypal customers from virtually any hijacking attempt from any venue. We will discuss these in Part II of the report tomorrow.

Adapted from, part of’s Small Business Channel.

Do you have a comment or question about this article or other small business topics in general? Speak out in the Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.