So this morning, my mailbox contains 56 “you’ve listed an auction” emails from eBay. Normally I just delete any email from eBay (or if I’m feeling pissy, report it), because it’s pretty much always phishing spam. But the volume of emails this morning made me suspicious, so I opened Firefox, typed in the eBay URL manually, and logged into my account. And the auctions were real.
I immediately changed my account password, then went and carefully read the help page on account hijacking, which basically says “report the incident, change your password, and cancel all the unauthorized auctions.” Cancelling the auctions was a pain in the ass, because you have to click through three screens of verification to end each individual auction (and I had 56 of them).
I was about to log onto PayPal to check for anything susicious (my PayPal account uses a different–and much more complex–password, but better safe than sorry) when I got suspicious. How would someone have gotten my eBay password? Lucky guess? It’s not at all an obvious password, though it is a password that I have used in the past. Still, just to be safe, I ran TCPView to check for backdoors, then I did a Rootkit scan and examined all my active processes and autoruns. Nothing suspicious, so it probably isn’t a keylogger. Besides, I haven’t logged onto eBay in ages.
So someone either guessed my password, or somehow hacked archived data on some site where I’ve used it in the past. Seems like a lot of work to list a bunch of faux auctions on someone’s account. I’m not sure I understand the point of this scam–is it just to fuck with me? I don’t see how the hacker could collect any money on those auctions (all the account info directs buyers to contact me). Thoughts?
Same thing happened to me a week or so ago – used the support chat link thingy, they cancelled the auctions for me after I confirmed that my password was changed on my email account. Had to call me on the phone to verify my identity, since I couldn’t remember the email address I first used when I signed up for the account.
The woman who helped me out was very friendly, at least :)
Oh, and I was selling in-dash CD/MP3/DVD players, or something. With everything priced in Euros.
When they cancelled 'em, they cancelled 'em HARD, no way to link to 'em or anything – was the full-on Ebay “this auction is toast” removal.
No idea how they got my password, either – same overall circumstances as Ben. There was a notify that they’d changed the email address, however. So, dunno.
My PayPal is clean, no other weirdness going on, no clue how they did what they did, no problems since, either.
“We prefer Paypa!”
So, will you be buying this knockoff handbag today with Paypa or plastic?
Man, those auctions don’t even look real. Sounds like some Asian hacker figured out a way to snag people’s passwords. Still, I’m unsure what the motive would be. Anyone who bought those bags would be paying into your Paypal account, not the hackers. Weird.
Yeah, they totally look fake. $40 shipping? On an item with a “Buy It Now” price of $50? I’ll take ten!
The only explanation I can think of is that they intended to change the account email address, and then maybe at that point they’d change the account password and billing info. I’m not sure how feasible all that is, or why they didn’t do it first (instead of starting out by listing a bunch of auctions, thus triggering a deluge of emails that called my attention to the hijacking). The auctions are all one-day listings, so it does look like they were trying to turn it all around very quickly.
I did email them via the proper form (marked “unauthorized account activity”). Changing your password requires that you respond to a security email that is sent to the address on file when you request the password change. Apparently, changing the email address requires no such check, though (which would seem to make the password check pointless, since it can be easily circumvented by changing the account email address).
This happened to me in reverse this week. I bid on a sewing machine that seemed like a good deal, then I realized there were five other auctions for the same item with the exact same description. Right down to the personal anecdote about how it had to be sold because the owner had “crossed over to quilting” and the exact number of stitches the machine had performed in its lifetime.
Further investigation revealed that every auction’s seller was selling hundreds of thousands of dollars worth of electronics equipment for one dollar bids, and all the sellers had one thing in common: None of them had ever sold anything on eBay before. Ever.
So I sent an email to eBay’s security team or whatever explaining the situation with some item numbers, and asked to have my bid cancelled since something was clearly fishy. The next morning, all the auctions were deleted and my bid was cancelled. Not sure what the deal is, but it seems fairly widespread.
Seems these guys are savvy enough to put HTML code into REAL auction listings on Ebay so that while you’re browsing, a click on a link that’s got this code embeded in it could get you to think you’re logging into Ebay when in fact you’re sending your account info to hackers. Looks like it’s a pretty widespread problem at the moment from Google searches I ran.
Looks like we’ll need to pay closer attention to the web address bar when using Ebay in the future.
I’m still not sure how they got my password, though. I browse eBay from time to time, but I only log on to watch or bid on auctions, and I haven’t done that since last year. I guess they could have grabbed my password back then, and have only just now gotten around to using it.
About 2 months ago I had my account hijacked as well…oddly I was told about it BY Ebay…I asked and they sent me a stock- you must have told someone or left your info up on a public comuter or some such bs…I suppose I could have clicked a link or something but I was definitely surprised.
I changed immediately and fortunately there were no ill effects.
So today, eBay finally got back to me about the fraudulent auctions that the hacker posted using my account. Their response? They suspended my account for twelve months. Apparently, I have been accused (and tried and found guilty) of “Trademark Misuse,” for posting all those shady handbag auctions. Auctions that I didn’t actually list, and which I reported to eBay security two days ago, and which I cancelled myself only minutes after they went online. Here’s the email:
“Unfortunate” indeed. What a bunch of fucking douchebags. I’m on the live chat right now, waiting for a representative to show up so that I can yell at them. Well… type angrily at them.
Update: the chat guy wasn’t very helpful. eBay wasn’t very good at keeping my account secure to begin with, but NOW they’re all suspicious, and don’t believe that I’m me, even though I verified all my personal info for them. Here’s what they said:
I find that I cannot verify you as the owner of the account in question in this chat. Prior to taking any additional action with your account, we will need to verify that you are the account owner. Please understand that these steps are necessary as a part of our effort to maintain the safety of our community.
We will accept a copy of your driver’s license or other government issued ID as verification of your identity. You will also need to provide a copy of a current utility bill or similar documentation if the identifying information you provide does not include the most recent contact information you added to your eBay account. If your eBay contact information is your work address, please send official documentation in order to validate it.
Please allow at least 48 to 72 hours for this information to be processed. Emailing us, or writing into chat, before that time will result in delays. Once the above information is provided, we will review your case and notify you of our decision in via email. If the information we are requesting is not submitted, your account will remain suspended. Please note that any documents submitted will be destroyed after your registration information has been verified.
Please fax this information to the following number: (801) 880-7137 ATTN: Fraud - Account Takeover
NOTE : Please include a valid telephone number and your eBay User ID within your fax.
If you are not able to fax this request to us, you may mail your information to:
When it happened to me, I used the live support chat thing; when I wasn’t able to give the obscure verification info they asked for online, they called me up on the phone, verified me, then went back to the online support chat and proceeded to fix everything.
Also – I didn’t cancel the auctions myself, they took care of that.
Everything got straightened out eventually, but it was a prolonged and intensely frustrating process. My word of warning: eBay has the worst customer service of any company with which I have ever done business. That’s not hyperbole. They really are that bad. There is no way to contact anyone by phone; you have to either submit complaints through their email form, or try to talk to someone on live support. That generally entails a 30+ minute wait followed by a brief text chat with someone who probably can’t do much to help you. That’s better than using the email form, which eBay will simply ignore. I submitted several of those things to them while trying to get my account straightened out, and they never responded to most of them, aside from the autoresponse email that says “We have received your support request and will respond in 36 hours.”
A capsule timeline of my experience:
8/3: Someone hijacks my account. I’m at the computer when it happens, see the deluge of account listing emails, and quickly take steps to secure my account and cancel the auctions. I submit an email through their form reporting the hijacking, to ask if there was anything else I should do. The autoresponse says that they will respond withion 36 hours.
8/5: I receive an email saying that my account has been suspended for listing phony designer handbags. I use live chat to try to sort it out, but the live chat guy insists that there’s nothing he can do to help me. He asks me to fax (fax?!) a copy of my ID to some fax number in CT.
8/8: I get a form email from eBay (probably in response to the email I submitted) saying that they have restored my account (I haven’t faxed anything yet), and credited me the listing fees. I make the mistake of not checking to see if they are telling the truth.
8/19: I get a billing statement from eBay for the listing fees that they never actually removed. I opt for the email form again, since the live chat was so thoroughly unhelpful the last time. I explain that these fees were supposed to have been cancelled, and cut and paste the text from the form email they sent me. After I submit the form, I go to my account and make sure that there is no current credit card info listed there, so they can’t try to just automatically charge the erroneous fees to my card (see? Now I’m getting smarter). Fortunately, I haven’t used eBay in a few years, and the credit card info they have is for an expired card.
8/26: No response yet to the form that I submitted, but I do get an email saying that my credit card was declined when they tried to charge it for the fees. The email asks me to update my account information with a current credit card. I make a point of not doing that. Since I’ve already submitted a complaint, I decide to just wait and see if they eventually respond.
9/8: They don’t. But they do eventually send me an email asking me to pay the fees again. The autoresponse that I got from the form that I submitted warned me that sending subsequent requests for assistance would merely delay any assistance that I might receive. I certain don’t want that, so I decide to wait and see what happens. It’s not like they can charge my expired card, so I figure that if they really want their fees, they will have send a real person to deal with me sooner or later.
9/11: Another email advising me to pay the fees. This one says that they will suspend my account if I don’t pay them. I submit another goddamn form.
9/12: ANother email advising me to pay my bill. I respond to this one, too. This time, I keep it simple:
9/15: I finally get an email saying that all the listings have been deleted from the system, quickly followed by one apologizing for the delays and assuring me that my account balance has been returned to zero. This time, I check to make sure they are telling the truth. Fortunately, they are.