EBay.com users are being peppered by e-mails saying there has been a security problem at the Web site, and requesting new account and password information. The problem: Some of the e-mails are legitimate, some are scams and it’s hard to tell the difference. And a recent programming glitch at eBay may actually have made life easier for the con artists. One week ago, the site accidentally revealed auction participants’ e-mail addresses for about a six-hour stretch — a gold mine for both spammers and scammers.
Scam artists have spent years fishing for passwords to accounts on everything from eBay to AOL by sending out e-mail to users, asking them to “update” their account information. The e-mail then contains a link to a Web site that’s designed to look legitimate, but is actually controlled by the hacker.
Many “fishers” say they can get a 1 or 2 percent response rate to such an e-mail, often stealing hundreds of accounts in a single flurry.
Such fishing expeditions for eBay account information have sharply risen in the last week to 10 days, says auction watchdog Rosaldina Baldwin of TheAuctionGuild.com.
“I’ve never seen so many reports from people,” she said. Another eBay user said he was receiving a “torrent” of scam mail recently.
Reports of the fake eBay e-mails have been streaming into MSNBC.com, too. To make matters worse, the scam artists are becoming far more professional in their work. Many of the e-mails include links that appear to be headed right for an eBay page. One e-mail included in its text the link http://www.ebay.com/verification/%?648882XXX.
But that link uses a programming trick to send users to the Web site “www.ebay-verification.net,” a scam site that appears to be hosted in Korea. The Web page is a dead-on imitation of a real eBay Web site — except that it requests everything from credit card numbers to bank card PINs to mother’s maiden name.
The e-mail appears to come from a legitimate-looking address such as email@example.com.
Other legitimate-looking links being used to lure eBay users in the flurry are:
E-mails that invite users to type their PayPal e-mail address and password right into the body of the note. EBay just completed an acquisition of PayPal, and scam artists are trying to capitalize on confusion around the merger.
It’s not clear why there’s been an apparent surge of new scam e-mails, but Baldwin thinks it might be connected to a programming error that exposed eBay users’ e-mail addresses last week. From 2 a.m. to 8:30 a.m. on Nov. 13, anyone — even unregistered users — could view the addresses of current high bidders and auction winners. Baldwin believes the uptick in scams started at about the same time as the exposure.
“Whether it’s directly linked (to the new scams), who knows, but somebody at eBay sure did provide spammers with a brand new fresh spam list,” she said.
EBay spokesperson Kevin Pursglove confirmed the glitch, but said he didn’t think it would have added much to the tools already used by scam artists.
“It’s hard to assume a direct cause and effect,” he said. “What we find out most of the time is that people perpetrating account takeovers (by sending out spam) are people who ... are buying massive e-mail lists and doing a shotgun approach,” he said.
Real warnings sent by eBay
Adding to the confusion for eBay users, the online auctioneer really is sending out legitimate e-mails advising people to click on a link and change their passwords. Three months ago, the firm instituted a policy of disabling accounts when it suspects suspicious activity. Account holders then receive an e-mail asking that they visit eBay’s site and change their password to reactivate their accounts.
“We have reason to believe your eBay account may have been compromised,” reads one version of an e-mail sent by eBay to an undisclosed number of customers. “To ensure your account is not accessed by someone other than you, we have changed the password on your account, and ask that you immediately follow these directions.”
Users are then pointed to a special Web page on eBay designed to allow users to change their passwords, or in some cases, they are asked to fax a copy of their driver’s license to the company.
The temporary suspension was alarming for one eBay customer who asked that his name be withheld.
“I am really scared as my userid and password are used in several online sites and transactions,” he said. “I am really worried up to what extent the accounts have been compromised.”
EBay would not say why it believes the recipient’s accounts had been compromised.
Capitalizing on confusion
One scam e-mail recipient suggested eBay’s notices have created an opportunity for criminals, who have jumped at the chance to create confusion and catch users with their defenses lowered.
“The news that eBay is sending out warning notices has scammers working overtime to capitalize on the news and to set up scam Web sites and harvest the eBay ID and passwords of those who fall for it,” he said.
The legitimate and scam e-mails appear so similar that in some cases it is impossible to tell them apart with a simple glance.
The tip-off only comes after the user clicks on the included link to a Web site. If the address atop the Web browser doesn’t match what’s in the e-mail, the site is certainly a fake.
E-mail-provided Web addresses that use a raw Internet Protocol (IP) address instead of a host name, such as http://22.214.171.124/, are most certainly fakes, too.
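The two tip-offs above (the address the link really goes to is not the one shown, and a raw IP address where a host name should be) can be checked automatically before anyone clicks. The following is an added example written for this article, not code from eBay or MSNBC: it pulls every link out of an HTML message, compares the host shown in the link text with the host in the real href, flags IP-literal destinations, and flags any destination that is not the trusted domain or one of its subdomains. The trusted-domain list and the sample message are constructed assumptions for the example; the first lure copies the shape of the one quoted in the article, and 192.0.2.10 is a documentation-only address.

```python
"""Flag suspicious links in an HTML e-mail using the two tip-offs the article gives:
the visible link text names one host while the real href goes to another, and
the href uses a bare IP address instead of a host name."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a genuine eBay or PayPal notice would link to (assumption for this example).
TRUSTED_DOMAINS = ("ebay.com", "paypal.com")

# Link text that itself looks like a Web address and so can be compared with the href.
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercase host part of a URL ('' if it has none)."""
    if url.lower().startswith("www."):
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed IPv6 brackets and similar
        return ""


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_trusted(host: str) -> bool:
    """True only for a trusted domain or a real subdomain of it; the dot prefix
    rejects look-alikes such as 'ebay.com.example' or 'ebay-verification.net'."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(href: str, text: str) -> list:
    """Return the reasons a single link looks like a lure (empty list = nothing found)."""
    reasons = []
    real_host = host_of(href)
    if not real_host:
        return ["href has no host"]
    if is_ip_literal(real_host):
        reasons.append("href uses a raw IP address")
    if URL_LIKE.match(text.strip()):
        shown_host = host_of(text.strip())
        if shown_host and shown_host != real_host:
            reasons.append(f"link text shows {shown_host} but href goes to {real_host}")
    if not is_trusted(real_host):
        reasons.append(f"destination {real_host} is not a trusted domain")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def scan_email_html(html: str) -> dict:
    """Map each href in the message to its list of warning reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample message: one lure shaped like the article's example, one
# IP-literal lure (192.0.2.10 is a documentation address), and one genuine-looking link.
SAMPLE_EMAIL = """
<p>We have reason to believe your account may have been compromised.</p>
<a href="http://www.ebay-verification.net/login">http://www.ebay.com/verification/%?648882XXX</a>
<a href="http://192.0.2.10/ebay/">Click here to verify your account</a>
<a href="https://signin.ebay.com/">https://signin.ebay.com/</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons) or "OK")
```

The comparison is done on host names rather than whole strings so that differing paths on the same site do not raise false alarms, and the subdomain test requires a leading dot so that a registered look-alike domain ending in the trusted name cannot pass. A real mail filter would layer this under sender authentication and reputation checks; here it only encodes the two visual tip-offs the article describes.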
EBay itself has a page of advice on how to determine if a Web site is a fake.
But eBay users should be generally skeptical of any e-mail which invites them to visit a Web page and submit any personal information. The legitimate e-mail sent out by eBay asks only that users visit the eBay site and change their password — it doesn’t ask for any personal financial information.