Scammers are impersonating eBay sellers in an attempt to hoodwink users of the online auction site into handing over payment for non-existent goods.
If the person who wins an auction on the site doesn't pay up, the second highest bidder of an auction may be offered the option to purchase goods at his offer price. These "second chance offers" are the focus of the fraudulent scams.
Steve Rawlinson, managing director of UK ISP ClaraNet, received a number of "second chance" offers for high value auction items he had bid on. At first he was pleased to receive the "offer" but on closer inspection realised the emails were bogus. He pulled out before sending any payment. "I had several which I realised were fraudulent without going through with a purchase. The eBay user name on the emails was not the name of original seller. That could be because a seller had more than one user name but the names in this case were in different parts of world," Rawlinson explained. "The sellers in the bogus email requested to correspond through third email address, which further aroused my suspicions." He tracked some of the bogus emails to a source IP address in Germany.
Although Rawlinson lost nothing through the attempted scam, a few less technically-savvy net users have lost out through the ruse. The scam - still rare, at least for now - is more sophisticated than typical phishing frauds because it is targeted and based on knowledge of a user's bidding history. "The seller will have no idea anything amiss is going on," Rawlinson added.
Knowledge of a user's bidding history is publicly available on eBay but how are fraudsters able to send email to the correct people? An eBay spokesman explained that it was possible to email someone through the site without knowing their private email address. This facility is used to allow bidders to pose questions about an auction items, for example. Trading using this facility is banned by eBay. Users can also opt-out of the contact facility that allows other members to send them email. The function also comes with various 'health warnings' about safe trading.
Nonetheless it seems that emails sent through this facility are good enough to be mistaken as genuine second chance offers. Rawlinson said that even though eBay systems may not be vulnerable its security policy about how emails can be sent through the site ought to be reviewed. ®
Related stories
Phishers suspected of eBay Germany domain hijack
eBay domain hijacker arrested
eBay denies South Africa 419 hacking report
Teenager gets three years for eBay scam
eBay scammer gets stung
UK banks launch anti-phishing website