Sam n Joe

  eBay: My REALLY Bad Day

If you have arrived here through a link on eBay, thank you for caring about fighting fraud, protecting your privacy, and enhancing the overall well-being of the eBay community's security. I'm glad you're here. I hope that you will learn a few things that can help you protect yourself and, perhaps, add more protection to the overall eBay community.

This link will take you back to eBay's site.

SCAM WARNING TO ALL EBAY USERS!!

or "A Story About How You Can Learn From My Mistake"

  • The (Almost Unnoticed) Beginning of the Scam
  • Who's Vulnerable? Everyone
  • The Day it All Broke Loose
  • The First Clue
  • Changing Your eBay eMail Address ... and What You'll See in Return
  • Checking Everything Else
  • Tracking and Tracing
  • The One That Slipped Through
  • Part Two -- or How the Never-Ending Story Continues (and Why Am I Suddenly Writing in German?)
  • How International Can This GET?
  • eBay's Response
  • Morals, Lessons and Take-Aways

Background

After a bit of soul searching, I have decided to use this page to share my recent experience on eBay. It is my hope that by sharing my experience, someone else might be spared all of the aggravation.

I assure you that I’m not a novice at eBay, computers or the Internet. I am even considered to be somewhat of a “techno-geek” (Web and Graphics Designer, Network Administration, software management/development, etc.). I have been a member of the eBay community since 1999. eBay has brought much joy and, yet, introduced a few bad experiences, as well. (Three to be exact, in all of my transactions.) I have met some of the kindest people through eBay -- people I never would have met without the Internet.

Now, however -- I have been force-fed a CONSIDERABLE AMOUNT of enlightening skepticism. Unfortunately, I'm going to have to hold on to that from now on. It's mine and it will stay mine.

I, like everyone else, have read about the scams circulating that target people using eBay, PayPal, and other highly-trafficked sites. I've read about the unfortunate stalkings that have occurred, the identity thefts. My feelings of sorrow ALWAYS went out to the victims of these crimes of fraud. It's stealing innocence and honesty. That's a horrible thing -- to take something from someone, blindly, never knowing or caring exactly HOW you are affecting them. In fact, these thieves never know ANYTHING about the victims, their lives, what they are going through on a human level -- ANYTHING. All that they care about are intimidation and their own concept of a get-rich-quick scheme ... at ANYONE else's expense.

In my opinion, it takes a hollow, empty person to blindly affect Internet Fraud on the unknowing and the unwilling. On those who are living and leading a straight and honest life. Those who are intent on adhering to "the rules," remaining mindful and concerned about fellow humans -- and their feelings and opinions.

eBay was originally created as a community of individuals who liked to provide a marketplace for those who were searching and those who were selling unique items. As of late, the innocence of the mission is beginning to tarnish -- at no fault of eBay's. It's the fault of those who make a living abusing for their own profit, at the cost of anything.

To my surprise, in spite of my computer and Internet savvy -- I was caught in a scam. If *I* can be caught, anyone can. Fortunately, however, I'm not an idiot. So far, I have managed to entirely thwart the illegal activities of the person who was intent on defrauding me. Read on.


The (Almost Unnoticed) Beginning of the Scam

On January 21, 2003, I was the receiver of a FRAUDULENT eMail that appeared to be from eBay (I am including the Internet Header info below) stating "Your account has been inactive for a substantial period of time. Due to our scheduled maintenance we are reviewing the accounts. If you want to continue using our system please go to the URL below to confirm: (please use it exactly as is including all trailing fullstops)." A link was provided to complete the confirmation. (The link is no longer active -- they have been shut down by their ISP. Thanks go to another fellow eBay'er who knew about my situation. This quick thinking likely saved someone else from falling victim.)

I have taken off of work for a few weeks, and am remaining at home caring for a very ill relative who just had major surgery. The surgery was January 15. The eMail was January 21. I normally live with my computer attached as an appendage, but the care for my relative had made it so that I had not logged on to the computer/Internet in days. When I did, it was only to make sure I had no important messages.

I found a message "from eBay," (which of course, ultimately proved to be not from eBay at all).

So, I scowled and growled at the annoying/offending message, somewhat cursed eBay’s name and said, “What are they talking about? I haven’t been ‘inactive!’ It's only been a few months!!” Blah blah blah.

HEADER

Return-path: <www@host30.christianwebhost.com>
Received: from bright17. (bright17-qfe0.icomcast.net [172.20.4.171])
by msgstore03.icomcast.net
(iPlanet Messaging Server 5.2 HotFix 1.07 (built Nov 25 2002))
with ESMTP id <0H9300E7RBJ0KP@msgstore03.icomcast.net> for
[my email]@ims-ms-daemon; Tue, 21 Jan 2003 19:47:24 -0500 (EST)
Received: from mtain03 (bright-LB.icomcast.net [172.20.3.155])
by bright17. (8.11.6/8.11.6) with ESMTP id h0M0lMY07669 for
<@msgstore03.icomcast.net:[my email]@comcast.net>; Tue,
21 Jan 2003 19:47:23 -0500 (EST)
Received: from host30.christianwebhost.com
(host30.christianwebhost.com [209.239.41.120])
by mtain03.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.07 (built Nov
25 2002)) with ESMTP id <0H93000QMBITJ3@mtain03.icomcast.net> for
[my email]@comcast.net (ORCPT [my email]@comcast.net); Tue,
21 Jan 2003 19:47:17 -0500 (EST)
Received: (from www@localhost) by host30.christianwebhost.com (8.11.6/8.11.6)
id h0M0lHW12955; Tue, 21 Jan 2003 19:47:17 -0500
Date: Tue, 21 Jan 2003 19:47:17 -0500
From: aw-confirm@ebay.com
Subject: Please confirm your FREE membership
To: [my email]@comcast.net
Message-id: <200301220047.h0M0lHW12955@host30.christianwebhost.com>
Original-recipient: rfc822;[my email]@comcast.net

BODY

Dear eBay member [NOTICE THE GENERIC ‘eBay Member’],

Your account has been inactive for a substantial period of time.

Due to our scheduled maintenance we are reviewing the accounts. If you want to continue using our system please go to the URL below to confirm: (please use it exactly as is including all trailing fullstops)

http://cgi3.ebay.com@64.176.128.170/eBayISAPI.dll?&MfcISAPICommand=EnterConfirm&
UsingSSL=0&pUserId=&ru=445&ap=0&dz=1
[this link is no longer active -- they have been shut down by their ISP. Thanks go to another fellow eBay'er who knew about my situation. This quick thinking likely saved someone else from falling victim.]

Thank you very much for your cooperation!

eBay Customer Support

Remember: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, social security number, etc.) in an email.

Copyright 1995 - 2002 eBay Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.



Screenshot of Fraud Page
Looks Legitimate ... Don't you Agree? Read On ...

Upon clicking on the link, I was taken to a page that APPEARED to be eBay -- included eBay Logos, links, search, etc. So, I completed the form, and hit the "continue" (submit) button. I did not notice that the link had redirected me to a fraudulent site. I was exhausted and worried -- my life was upside down due to my family member's illness.
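Why the link above led somewhere other than eBay, shown as an added example (not part of the original page): in a URL, everything between "//" and "@" is login information, so the host actually contacted is the IP address that follows the "@". The function names, the finding labels and the example.net link are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Link from the fraudulent message above (the page wraps it over two lines).
FRAUD_LINK = ("http://cgi3.ebay.com@64.176.128.170/eBayISAPI.dll?&MfcISAPICommand=EnterConfirm&"
              "UsingSSL=0&pUserId=&ru=445&ap=0&dz=1")
# Link from the genuine eBay message quoted later on this page.
GENUINE_LINK = "http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?ChangePasswordHint"
# Constructed sample: the trusted name used as a prefix of somebody else's domain.
LOOKALIKE_LINK = "http://cgi3.ebay.com.example.net/eBayISAPI.dll"


def is_ip_literal(host):
    """True for dotted-quad/IPv6 hosts and for all-digit hosts (IPv4 written as one integer)."""
    if host.isdigit():
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url, expected_domain="ebay.com"):
    """Report which host a link really contacts and why it should not be trusted."""
    parts = urlsplit(url)
    # hostname is what comes AFTER any "user@" prefix; that is where the browser connects.
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.username is not None:
        findings.append("text-before-@-is-not-the-host")
    if is_ip_literal(host):
        findings.append("host-is-a-raw-ip-address")
    elif not (host == expected_domain or host.endswith("." + expected_domain)):
        findings.append("host-is-outside-" + expected_domain)
    return {"shown_before_at": parts.username, "real_host": host, "findings": findings}


if __name__ == "__main__":
    for link in (FRAUD_LINK, GENUINE_LINK, LOOKALIKE_LINK):
        print(inspect_link(link))
```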


Everyone is Vulnerable

What I’m trying to say is that you don’t have to be stupid, an idiot, gullible, foolish, or ignorant to ‘fall for’ and reply to these messages -- and/or to follow their directive in confirming the requested information. It can simply be that someone is highly distracted by life’s events. (In my case, I supplied only eBay UserID and password -- no credit card info, but even that little bit of information was enough to cause a HUGE problem).


The Day It All Broke Loose

I truly never would have given it a second thought (in fact, I hadn’t), if January 27, 2003 hadn’t proven to be one of the most interesting eMail days I’ve ever had.


When I log on to my computer, a program -- SpamKiller -- starts that accesses all of my eMail accounts, checks for new messages, screens all received messages, and filters out any that are identified as SPAM. The rules of defining the SPAM can be created manually by the user and/or by subscribing to and checking for regular updates from the software seller (it used to be a private company; the software was sold to McAfee recently). The program additionally provides Symantec's Norton AntiVirus with the opportunity to scan the eMails for viruses -- before they are ever downloaded to your eMail client (your eMail box).


On January 27, 2003, my eBay password and ID were effectively "hijacked" for 39 minutes. The person(s) who stole the information were able to post ONE fraudulent auction -- THREE MINUTES BEFORE I CHANGED MY PASSWORD. They attempted to steal my identity and were responsible for my receiving over 3,000 spam emails. This onslaught of eMail was directed at my account in an attempt to keep me from noticing that I had received a note from eBay -- confirming that "I" had accessed my eBay account and that my eMail address had been changed.

THAT was the cause of the "39-minute delay" in changing my password. Because it took so long to download the messages (and I have a broadband connection), it prevented me from seeing the TWO messages that I received from eBay -- that informed me of a submission of a change of address.


The First Clue

The first clue that something was dramatically wrong was the two eMail messages that I received from "real" eBay:

Dear [eBay ID – USING REAL ID],

Thank you for submitting your change of e-mail address request. Instructions on completing the change have been sent to your new email address. Once the process is completed, your eBay-related email will no longer be routed to this email address.

Change of E-mail address request was made from:
IP Address: 200.142.239.xx [LAST TWO DIGITS REMOVED FROM THIS POSTING]
ISP Host: 200.142.239.xx [LAST TWO DIGITS REMOVED FROM THIS POSTING]

If you or anyone with authorized access to your account did not make this change, please go to http://pages.ebay.com/help/basics/select-RS.html and submit an email to Customer Support.

Thank you for using eBay!
http://www.ebay.com


Changing your eBay eMail Address and What You'll See in Return

When I discovered the above notification from eBay -- FINALLY! Something legitimate! -- I immediately logged on to eBay, accessed my account, and changed my password. A copy of the official confirmation that I received is below.

Dear [eBay ID – USING REAL ID],

PLEASE READ THIS MESSAGE OR YOUR E-MAIL CHANGE WILL NOT BE ACTIVATED!

YOU MUST ENTER THE CONFIRMATION CODE CONTAINED IN THIS MESSAGE IN OUR CONFIRMATION FORM IN ORDER TO ACTIVATE YOUR CHANGE OF E-MAIL.

Please access the following form to confirm your change of e-mail:

[LINK / URL WAS PROVIDED -- BUT IS OMITTED HERE]
You can also access this from our Registered User Services menu.

You will be asked for the following information, which you must type EXACTLY as it appears below:

User Id: [EBAY USERID]
New E-mail address: [ACTUAL eMAIL ADDRESS]
Confirmation code: [OMITTED FROM POSTING]

Change of E-mail address request was made from:
IP Address: [ACTUAL IP OMITTED]
ISP Host: [ACTUAL IP PREFIX OMITTED].comcast.net

A notification of this change was sent to your previous e-mail address for your safety.

Thank you for using eBay!
http://www.ebay.com


So see, WHEN SUBMITTING AN EMAIL CHANGE REQUEST TO eBAY, NOTIFICATIONS ARE SENT FROM eBAY. However, here's a note worthy of CAREFUL study:

  • They send one -- an "alert" message -- to the "OLD" eMail address informing that someone at IP Address XXXX has changed your eMail (saying "Thank you for submitting your change of e-mail address request. Instructions on completing the change have been sent to your new email address. Once the process is completed, your eBay-related email will no longer be routed to this email address."); and
  • Another eMail is sent directly to the "NEW" eMail address that was submitted; WITH THOSE VERY IMPORTANT "SPECIFIC INSTRUCTIONS."

In other words, I could be out shopping, not at home, not at my computer, doing nothing with my eBay account, and someone who happens to break into my account can submit a change, access the confirmation instructions, confirm/complete the change ... access my account and personal information and history ... and I would be none the wiser.

Additionally -- if *I* had not succeeded in confirming the eMail address change prior to the THIEF confirming the FRAUDULENT change, I would have been unable to access my own account.

But, you know, they DID care enough to actually DELETE my entire "ABOUT ME" page. What IDIOTS.
Fortunately, I maintain quadruple backups of my files.

By MY assessment, this should encourage eBay to implement some type of verification for account changes. Something should be done to more thoroughly protect the legitimate user. Receiving the instructional eMail at the "NEW" eMail doesn’t help much ... if you really aren’t the one initiating the change. And I seriously doubt that everyone remains logged on to their computers 24 hours a day to receive the "alert" messages.


Checking Everything Else

Then I proceeded to check my eBay account activity – including online activities with eBay connected credit cards, invoice activity, eBay fees, etc. Nothing. Then I logged on to my credit card's online secure site, to verify that it had not been compromised; logged on to my other online payment accounts, verified them, as well.

Strong moral here: amazingly enough, I had set up every account with different logons and passwords. I feel VERY fortunate -- using non-identical logins and passwords must have really frustrated the thief, eh?

I then changed my “password hint” on eBay, receiving this eMail confirmation:

You have successfully changed your secret question and/or answer.

This is a courtesy notice. No response is needed.

If you or anyone with authorized access to your account did not make this change, please send an email to password@ebay.com.

The Change Password Hint request was made from:
IP Address: [ACTUAL IP OMITTED]
ISP Host: [ACTUAL IP PREFIX OMITTED].comcast.net

Thank you for using eBay!

http://www.ebay.com



Tracking and Tracing

Spending time on the most immediate problem -- having my eMail box inundated with 3,000+ SPAM eMails -- succeeded in distracting me from the offense that was later proven to be the biggest issue: the eBay issue. After thinking that I'd accomplished all I needed by changing my eBay eMail address, password, my password hint, verifying the security of my credit cards and other online payment accounts ... I proceeded to hunt down the offending eMail SPAMMER.

I had the IP address that had initiated the fraudulent eMail change request (200.142.239.xx). I had the IP addresses and eMail address (buried in) the Internet Headers of the FIRST eMail (the one where I clicked on the link and provided my personal login and password.)

So, I ran traces on them. All of them. I'm in the Eastern part of the US. Found one in Brazil. Sao Paulo. One in New Jersey. Closer. One in Baltimore. Closer.

These traces provided me with names, phone numbers, eMail addresses and street addresses –- a m o n g   o t h e r   t h i n g s .

Brazil. Just South and East of Sao Paulo. This tracing program I use is a really cool program -- it helps you to track down whoever is bugging you. And this idiot was DEFINITELY bugging me by sending 3,000+ eMail messages.

I then spent an incredible amount of time online with my ISP so that I could alert THEM that their servers were being bombed and sucking up a huge amount of bandwidth. They were able to look at the Internet Headers (as I was) and determined that I had indeed already pulled all of the pertinent information from the files. They directed me to send “abuse” notifications to the Brazilian NIC organization, the one that oversees all Network Protocols in Brazil (and I also included, as cc’s, two individuals from the company that had routed the Spam (200.142.239.xx)).

Regarding Thousands of Spam eMail Messages Sent from 200.142.239.xx to My eMail Account

Date: January 27, 2003

Location: United States

Problem:

o I have received over 3,000 messages from a sender at ISP 200.142.239.xx in less than two hours. All messages have the same subject line and message text. The sender's email address changes, but all are numeric-based.

o Additionally, someone from IP address 200.142.239.xx tried to change my eBay account eMail address.

I have contacted the Technical Support Group of my ISP (Comcast) about this problem. As a first step, I am sending this email requesting your assistance.

Fortunately – I was only ½ hour behind the beginning of this attack, and was able to minimize the impact. However, I am beyond frustrated at having my account(s) hijacked and/or compromised and bombed with THOUSANDS of eMails.

We would really appreciate your cooperation and assistance. If you are unable to take care of this issue, I believe that Comcast intends to put a “block” on this IP address (200.142.239.xx). This will result in a complete black list of any emails originating from this IP address – for ALL Comcast users.

Comcast intends to follow up with me in two days to find out if I have received any resolution eMail back from you.

I am including in this eMail – both as COPIED TEXT AND PDF FILE ATTACHMENTS:

o ONE (1) copy of ONE of the THOUSANDS of SPAM eMails that I have received; and

o The results of a TRACE that I personally ran on the IP address that attempted to access and change my eBay account.

I look forward to your timely attention to this situation.

-- [My Name Here!]


Clicking on the links below will allow you to view PDF versions of one of the 3,000+ SPAM eMail messages (including Internet Header information) and the [modified] results of the trace. Any changes or modifications were simply to remove some identifying information.

(To download Adobe Acrobat Reader -- free -- click here.)

My ISP, Comcast, was extraordinarily helpful -- and very concerned. They are following up with me in a few days to find out if I had any success in resolving the issue directly with the IP holder.

I have since received this response from the IP holder:

Hi,

Our customer that uses the IP 200.142.239.xx is with a bad configuration in his socks/proxy server, that someone is using to send the e-mails to your account and trying to access your account.

We asked our customer to fix his proxy configuration so no one from outside of his network can access it. We believe this will be solved soon. If the proxy from our customer generate any logging that can help us identify the real IP of the origin of the access I'll send you.

Regards,
[NAME OMITTED]
[eMail OMITTED]
[COMPANY OMITTED]
[PHONE OMITTED]


I have not heard back from them again, yet neither have I received any more SPAM relay messages.


The One That Slipped Through

When I participate in any auction on eBay, I utilize a program called "Sold!" created and distributed by Timbercreek Software. Fabulous auction management software.

So, I had this software running in the background of my system. Eventually -- very late in the night on January 27, 2003 -- I clicked on the icon in my task manager. It prompted me with something I'd never seen before. It wanted me to validate and key in a number shown on a GIF image before it would update the auctions I had in the program.

After keying in the number represented by the GIF, I watched the program. It scans my auctions -- both ones that I am watching for purposes of bidding, and then it scans my eBay ID's to see if I've posted any auctions. If I have, it adds them to the program so I can watch how the bidding progresses during the course of the auction.

Imagine my surprise (okay ... unbridled, uncontrolled, flaming fury and annoyance at this point) to find that I have posted the following:

Mamiya RZ67 camera with waist level finder and 120 and 220 backs with dark slides, all in mint condition. Mamiya RB67 camera with waist level finder and 120 back with dark slide, all in excellent mechanical condition. The RB67 camera has leather peeling on the waist level finder and one side, but this is strictly cosmetic and does not affect its excellent picture quality. The RB 120 back includes a Mamiya “G” adapter for use on the RZ camera. Mamiya RB67 magnified chimney finder with working meter. This also fits the RZ camera. All lenses are RB lenses so that they may be used on either camera. Mamiya recommended adapter rings are included to give the RB lenses a “snug” fit on the RZ camera. All lenses have clean, clear glass with no scratches and are in excellent working condition. Included lenses are: Mamiya-Sekor C 50mm f/4.5; Mamiya-Sekor C 180mm f/4.5; Mamiya-Sekor (non-C) 90mm f/3.8; Rokunar 2X Auto Teleconverter. Misc items included: lens shade, rubber eye piece for chimney finder, two 77mm skylight filters, one 77mm graduated ND filter, plastic insert to cover electrical contacts on RZ camera when using RB chimney finder, front and rear lens caps, front and rear RZ camera body caps, aluminum case with padded interior, and 120 and 220 film-not expired. Finally, included is a Manfrotto/Bogen Model 3401 heavy duty tripod with Manfrotto model 3047 heavy duty quick release three-way pan/tilt head with extra quick release plate. This is a fabulous kit ready for use. I am selling only because I am coverting to digital.

Full prepayment is required within 3 business days. Payment can be made via bank wire to my account. I can not accept credit cards. This is a large and heavy shipment-thus the high shipping expense. I will ship via Fedex service anywhere in the Europe for 120 Euros. You will get the kit in 2-3 days directly to your door. Thank you for bidding.


Oh yeah, right. Right. Uh huh and You Betcha. Only a bank wire transfer to "my" account. Euros as payment. Oh, I think that I might have forgotten to mention that -- according to the auction posting -- "I" had apparently relocated, and apparently now lived in Riga, Latvia. And "I" am such a good person, "I" am selling this with a Buy-It-Now option of $2,700 Euros, even tho' I live in the US. Oh forgot. Since "I" now live in Latvia, maybe "I" can accept and use Euros. Then again, maybe not.

Editor's Note:

  • "I" (with quotation marks) indicates the idiot who stole my ID.
  • I, I, or I (bold, red, or just-plain-I) indicates ME. As in, THE REAL ME.

I have been selling things on eBay for a very long time. My reputation has always been a point of pride. I treat my customers well, I am always willing to accommodate specific needs and requests.

Suddenly, due to this fraud, "I" had turned into someone who has a narrow list of requirements that the bidder must fit into before they can bid. "I" am now a disagreeable, untrusting and untrustworthy person. Now, "I" require payment within three business days AND will not accept credit cards, but hey the "lucky" winner of the auction gets to submit payment via a really (NOT!) inexpensive bank wire transfer! Fortunately, when I found the auction, no one had yet bid -- despite the phenomenal bargain. Oh, wait. I forgot. "I" -- no wait NOW that's a REAL I, not an "I" with quotes! -- I have "no-negatives-PERFECT" feedback. Of course the poor bidder would trust "me."

Can you tell I'm getting angrier here???


Teil zwei -- oder, wie die nie Endgeschichte fortfuhr

     (Translation: Part Two -- or How the Never Ending Story Continues)

So, you are no doubt wondering how and why I switched to German. Hopefully, it's not been entirely boring so far, but HERE'S where it gets REALLY interesting.

No one had bid on the ONE posted auction before I found it. I'm thinking that the S-I-M-P-L-E thing (hadn't I learned by now?) would be to   a) log on to eBay, b) cancel the auction. So, I skip on over to eBay, and log in. I bring up the auction, try to cancel it.


Screenshot of eBay Germany's Home Page
No, I'm Not Kidding. Read On ...

It tells me that I had to go to the site where "I" (we're back to that!) originally entered the auction to be able to modify or cancel the posting. Huh? WHAT? I follow the link, and I end up at ... eBay Germany!!! OH GRAND!

So now, I get to have MORE fun. See, I hadn't gone through enough, so I guess it was okay.

Naw, truly the thrill of the hunt had my adrenaline going by now.

Seeing as the auction text was actually in ENGLISH, I have no doubt that this person did this to throw roadblocks in my way. Sorry, buddy, you messed with the wrong person on this one.

It took me about TEN minutes to navigate through the site, translate what I needed, and take it down, cancel the auction, erase the fraud ... and deny this idiot, jerk thief the chance of ripping anyone off while using my name. Oh, I'm sorry -- "It took me about TEN minutes to 'steuern Sie durch den Aufstellungsort, übersetzen Sie, was ich benötigte, und nehmen Sie es herunter, annullieren Sie die Auktion, löschen Sie den Betrug... und verweigern Sie diesen Idioten, Ruckdieb die Wahrscheinlichkeit von jedermann weg zerreißen beim Verwenden meines Namens.' "

Clicking on this link will cause you to leave
this site and take you to Altavista's web site

Pretty cool, eh?

Want to know how this was done? How DID I translate this so quickly and navigate my way through a site when I had no previous lessons in the German language?

Altavista Babel Fish Translation Service. Yup. As in Altavista -- the search engine. This very specialized site -- available free of charge -- allows you to translate words, sentences ... or entire web pages.

As a matter of fact, you can even add Babel Fish to your own web site. Altavista makes the code available to anyone.

Well, I got MY immediate problem solved. But I realize that the really frustrating part about this step of my process is that not everyone would have known to -- or thought of -- accessing a site like Altavista's Babel Fish in order to put an end to a nightmare. Sure, I could have sent an eMail to eBay ... but how quickly would they have gotten the eMail, how soon would they have shut down the fraudulent auction, how quickly could they have responded if I found myself dealing with an irate winning bidder who had just lost their $2,000+ dollars on an illegal -- most likely unfilled -- auction? This was a "3-day auction." Time was not a luxury I could fall back on.


How International Can This GET?

So we're really becoming world travelers now, aren't we? Let's see ... I've got Brazil, Germany, a few Caribbean Islands ... and Latvia. And New Jersey and Maryland, but, hey, they're not "International" to me.

What else can happen? Anyone want to offer any guesses? Time's up. Sorry ... I'm tired and I'm punchy.

To add more fun to my life, at 3:31am, I receive an eMail from "eBay United Kingdom Customer Support." To quote a line from one of my favorite movies, "Oh, this just keeps getting better."

I'm including the Internet Headers here (personal info again omitted). Yup.

HEADER

Return-path: <uksafeharbour@ebay.com>
Received: from bright15. (bright15-qfe0.icomcast.net [172.20.4.104])
by msgstore03.icomcast.net
(iPlanet Messaging Server 5.2 HotFix 1.09 (built Jan 7 2003))
with ESMTP id <0H9F00G4W0ZYQO@msgstore03.icomcast.net> for
[MY EMAIL]@ims-ms-daemon; Tue, 28 Jan 2003 03:31:11 -0500 (EST)
Received: from mtain04 (bright-LB.icomcast.net [172.20.3.155])
by bright15. (8.11.6/8.11.6) with ESMTP id h0S8V9b21660 for
<@msgstore03.icomcast.net:[MY EMAIL]@comcast.net>; Tue,
28 Jan 2003 03:31:09 -0500 (EST)
Received: from mx20.smf.ebay.com (mxsmfpool10.ebay.com [66.135.209.207])
by mtain04.icomcast.net
(iPlanet Messaging Server 5.2 HotFix 1.09 (built Jan 7 2003))
with ESMTP id <0H9F00D1G0ZN5F@mtain04.icomcast.net> for [MY EMAIL]@comcast.net
(ORCPT [MY EMAIL]@comcast.net); Tue, 28 Jan 2003 03:30:59 -0500 (EST)
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
by mx20.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h0S8Uw6T010124 for
<[MY EMAIL]@comcast.net>; Tue, 28 Jan 2003 00:30:58 -0800
Received: from rhv-kas-01.corp.ebay.com
(rhv-kas-01.corp.ebay.com [64.68.79.237])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h0S8UwZ24756 for
<[MY EMAIL]@comcast.net>; Tue, 28 Jan 2003 00:30:58 -0800 (PST)
Date: Tue, 28 Jan 2003 00:30:57 -0800
From: eBay United Kingdom Customer Support <uksafeharbour@ebay.com>
Subject: eBay - Regarding your account (KMM66923165V42605L0KM)
To: [MY EMAIL]@comcast.net
Reply-to: eBay United Kingdom Customer Support <uksafeharbour@ebay.com>
Message-id: <200301280830.h0S8UwZ24756@miami.smf.ebay.com>
MIME-version: 1.0
X-Mailer: Kana 6.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: quoted-printable
Original-recipient: rfc822;[MY EMAIL]@comcast.net

BODY

Hello,

You may not have been aware, but your account had been temporarily compromised and used to list a few unauthorised auctions. You will not be held responsible for these auctions.

Additionally, the email address on your account was changed, which is why you did not receive an email pertaining to these listed auctions.

Please complete the following instructions to regain control of your account:

First, please change the password on your EMAIL account to verify that it is secure and cannot be accessed by anyone other than you.

Once you've changed your email and eBay passwords, please also change your password hint question here:

http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?ChangePasswordHint

Finally, please verify that the contact information we have on file for you is correct. If necessary, your contact information may be updated using the following URL:

http://pages.ebay.com/services/myebay/change-registration.html

All fees associated with these auctions will be credited to your account and should appear within 7 days. Concerning your credit card information, we assure you that this information is stored on a secure server and cannot be viewed by anyone.

Please keep in mind you may have some winning bidders contact you. Please briefly explain to them what occurred, and have them email us using the web form found here:

http://pages.ebay.com/help/basics/select-RS.html

We assure you that any negative feedback linked with these specific auctions will be removed upon your request.

Let me also suggest a few ways this take-over could have occurred:

First, there have recently been a number of emails sent to eBay members asking for User IDs and passwords. These unsolicited and spoofed messages appear to come from eBay Support, but in fact are not. eBay would never ask for sensitive information of this nature via email.

Second, if you use a fairly simple or easy-to-guess password, it's possible someone could have guessed it after repeated attempts. For this reason, it's important to use a password that uses a combination of letters and numbers making it very difficult to guess. The same applies for the password hint question. It's also important to use different passwords for the various online accounts you use (email, Billpoint, PayPal, etc).

Last, there are a number of computer viruses in circulation that log and record keystrokes. It's recommended that computer users keep their virus alert software up-to-date, and check their system often for problems. A firewall for high-speed internet users is also highly recommended.

Thank you for your patience and understanding regarding this matter.

Regards,

Jan Richter
eBay Customer Support
______________________________
eBay
Your Personal Trading Community (tm)

*******************************************
Try the new and improved Sell Your Item 2.0 and see how much easier it is to sell!

You can find the New Sell Your Item form at:

http://cgi5.ebay.com/aw-cgi/ebayISAPI.dll?SellYourItemSignIn
_____________________________________________

Important: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, Social Security numbers, etc.) in an email. Learn more account protection tips at:

http://www.pages.ebay.com/help/account_protection.html
_____________________________________________

For our latest announcements, please check:

http://www2.ebay.com/aw/announce.shtml
_____________________________________________

In order to better serve you, we'd like to occasionally request feedback on our service. If you would rather not participate, please click on the link below and send us an email with the word "REMOVE" in the subject line. If that does not work, please send an email to the email address below. Your request will be processed within 5 days.

mail to: cssremove@ebay.com

***********************************


At this point, I gotta tell you, I'm beyond believing much of ANYTHING. I told you I'd acquired a heavy dose of skepticism.

I check all the message Internet Headers. Fine. I run traces on the IPs it passed through. Fine. Whatever. All of the links are legit.

It still prompted one seriously curious question to pop into my head: if they thought my eMail address had been changed ... how in the heck -- or WHY in the world -- did they send me this eMail message? To the same account that they were saying had been defrauded.


eBay's Response

Late in the evening, I did send a report to eBay reporting the original SPAM/SCAM eMail. To their credit, I also received a response -- approximately 30 hours after the report. Not too bad, really! I'm impressed!

Regardless, I'm entertaining the idea of calling them, because this has gotten WAY more complicated than any eMail can convey.

Hello,

Thank you for writing regarding the email you received that appeared to be from eBay.

First let me begin by telling you that this email was not sent by eBay nor endorsed by us in any way. These emails are the result of a fraudulent entity who primarily targets members who are using their email address as their eBay User ID. Please let me assure you that eBay will NEVER ask for your private information, including passwords, in an email format. If we ever request information from you, we will always direct you back to the eBay site to enter this information. With very few exceptions, you can submit this through your "My eBay" pages.

If you have entered information on any website other than eBay, you should immediately take steps to protect your personal information. First, you should start by changing your eBay password and the password hint if you have one set up. If you find your eBay account password has been changed, you should contact us immediately by replying to this email.

Next, we recommend that you contact the applicable financial companies and even your local authorities with these details. You may also write back for a detailed list of agencies to help get you started in recovering your information. If you have set up a selling account on eBay, please be assured, if another person was to gain access to your eBay password, your credit card and bank information will remain safe on our site. Sensitive billing information cannot be accessed using your User ID and password. Information previously supplied may be updated but cannot be retrieved or viewed by the user.

Although we are unable to provide follow up information regarding the result of our investigation, we do take these offenses very seriously and will make sure that appropriate action is taken against those responsible. Let me assure you that these emails and associated websites are reported quickly and in turn sent to our Fraud Legal Team for an aggressive investigation. Often times we are able to contact the web site hosts and have the sites shut down before most members have a chance to even try to go there. This is not always the case, but we do work actively and aggressively to pursue these fraudulent entities. Please keep in mind that eBay is a public company and not associated with any legislative or police entities. We rely on the same agencies you do to pursue these fraudulent entities.

As mentioned above, currently we believe that these emails are being sent to members that are using or have used their email address as their eBay User ID. (This is how your email address was found). If your user ID is currently your email address you may change it by following the instructions below:

* Click on the site map link located at the top of any eBay page
* Under the 'Services' section heading, click on 'Change my User ID' and follow the instructions on that page

(Just so you know, if you change your user ID, your feedback profile will not change. It will follow you seamlessly to your new ID. However, you will have a set of "shades" next to your new ID to alert members to the change.)

If you have ever used your email address as your eBay User ID and you have received spam, then there is a good chance your email address has already been harvested. Simply changing your User ID will not remove your email address from spam circulations. If this is the case, you may need to obtain a new email address altogether.

Even if you did not enter any information, you may want to check out some of these helpful fraud prevention and anti-Spam sites below:

http://spam.abuse.net

http://spamcop.net/

http://mail-abuse.org/

http://www.usdoj.gov/criminal/fraud/idtheft.html

If you should receive another email like this in future, please re-submit your concern through our web form using the link below:

http://pages.ebay.com/help/basics/select-RS.html

Again, thank you for your efforts to help keep eBay a safe place to trade. Please let me know if you will require additional information or assistance.

Regards,

Brianna
eBay SafeHarbor
Investigations Team
______________________________
eBay
Your Personal Trading Community (tm)

*******************************************

Important: eBay will not ask you for sensitive personal information (such as your password, credit card and bank account numbers, Social Security numbers, etc.) in an email. Learn more account protection tips at:

http://www.pages.ebay.com/help/account_protection.html
_____________________________________________

For our latest announcements, please check:

http://www2.ebay.com/aw/announce.shtml
_____________________________________________

In order to better serve you, we'd like to occasionally request feedback on our service. If you would rather not participate, please click on the link below and send us an email with the word "REMOVE" in the subject line. If that does not work, please send an email to the email address below. Your request will be processed within 5 days.

mailto:cssremove@ebay.com



Morals, Lessons and Take-Aways

Some of the most important things that I want to emphasize are:

  • When clicking on a provided URL/link, everything PRIOR to an “@” symbol is ignored when the browser decides which site to open. For example, in MY case, with http://cgi3.ebay.com@64.176.128.170/eBayISAPI.dll?&... the http://cgi3.ebay.com@ part was ignored, and I was redirected to an authentic-looking fraudulent site that was actually identified by everything AFTER the @ symbol.
  • All genuine eBay links will begin with http://cgi.ebay.com/ in the browser location bar. For more info on the URLs used on eBay web pages (International sites may differ), please visit the eBay Account Security Page.
  • Passwords. Passwords. Passwords. Make sure that all of your logins and passwords at any online organization – Yahoo!, Microsoft, Amazon, PayPal, American Express, VISA/MC, eMail Accounts, and any-and-every-thing else – are DIFFERENT! While it’s obviously easier to have everything be the same … it makes it easier for the THIEF, as well. Don't enable them.
  • Only change or confirm your personal eBay information by directly logging on to www.ebay.com and accessing the account info through that route.
  • Check your eMail accounts as often as possible and be diligent about following up on suspicious activity or notes. Suspicious eMails should be forwarded to spam@ebay.com. Be sure to include the “Internet Header” info.
  • For more information on how to protect your eBay password and your account, click here.
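
The "@" behaviour from the first bullet can be checked mechanically. The following is an added example, not part of the original page or of eBay's code: it parses a link with the standard URL parser and reports the host that will really be contacted. The names TRUSTED_DOMAIN and inspectLink, and the third sample URL, are assumptions made for the illustration.

```javascript
// Added example: report the host a browser will actually contact for a link.
// TRUSTED_DOMAIN and inspectLink are names assumed for this sketch.
const TRUSTED_DOMAIN = "ebay.com";

function inspectLink(href) {
  const u = new URL(href);        // WHATWG URL parser, the rules browsers follow
  const host = u.hostname;        // taken from what comes AFTER any "@"
  const userinfo = u.username + (u.password ? ":" + u.password : "");
  const reasons = [];

  if (userinfo) {
    reasons.push(`text before "@" is login data, not the site: ${userinfo}`);
    // Login data shaped like a hostname is the decoy used in this scam.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username)) {
      reasons.push("text before \"@\" is shaped like a hostname");
    }
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    reasons.push(`host is a raw IP address: ${host}`);
  }
  // Match the whole domain or a true subdomain, so that a lookalike such as
  // www.ebay.com.example.net does not pass.
  const trusted = host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
  if (!trusted) reasons.push(`host is outside ${TRUSTED_DOMAIN}`);

  return { host, userinfo, trusted, suspicious: reasons.length > 0, reasons };
}

const samples = [
  // From the page; its query string is elided there and left off here.
  "http://cgi3.ebay.com@64.176.128.170/eBayISAPI.dll",
  // From the eBay support e-mail quoted on the page.
  "http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?ChangePasswordHint",
  // Constructed lookalike: trusted name used as a subdomain of another site.
  "http://www.ebay.com.example.net/",
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(r.suspicious ? "SUSPICIOUS" : "ok", r.host, r.reasons);
}
```

The same check applies to any link in a message: compare the reported host, not the text that appears first in the address, against the site you expect.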

I feel beyond grateful that I wasn't hit harder with this scam and I think (hope!) that I've managed to get my hands around this. It has taken almost two solid days to do so ... but it could have been so much worse. Fortunately it has not yet cost me either financially or by “identity theft” -- which by all assessments appears to have been the defrauding motive.

I truly hope that this has helped or provides some insight to something someone else might be going through.


 

If you'd care to contact me to ask any questions -- or even to share a story or a suggestion -- you can reach me at: sam@samnjoe.com. Or, if you'd choose, visit my guestbook page. I truly would be interested in hearing how this information has helped, or if you'd care to add your insight to it.

COPYRIGHT (C) 2002-2008 SAMnJOE. All rights Reserved.
