Wednesday, May 28, 2014

Dear Ebay: I told you so!

“Sir,” said the Ebay Support person on the phone, “We’re Ebay, and we’re pretty sure that no one can hack into our system.”

A few months ago, she was responding to my alarmed phone call, as I was pretty sure that someone was hacking into Ebay’s software and system to manipulate the online auction giant and further “hide” already hidden fake auctions designed as a smart phishing effort via Ebay’s apparent ironclad software.

As you may have read recently, a few days ago Ebay requested that all of its users change their passwords. This was as a result of a data breach in which “hackers figured out eBay employee credentials, which helped them gain access to the eBay database.”

Ebay admits now that “email addresses, phone numbers and other details were hacked.”

But I have evidence from the recent past that hackers also potentially may have manipulated the Ebay auction software to use the auction site as a phishing vehicle.

This is how it all started, and here submitted for your consideration:

On January 27, 2014, I was sitting in Glen Echo while my son was in his music class. I was bored and surfing the net and logged onto Ebay. To my surprise I noticed almost a dozen messages in my Ebay inbox. I write “to my surprise,” because whenever I get an Ebay-generated message (either from Ebay or from an Ebay user sending the email from their Ebay account) I have a rule that automatically forwards it to my personal email account.

That’s exhibit (a) – There were multiple messages from Ebay users to my account, all dealing with the same 3-4 Ebay auctions and messages that were never forwarded to me. If I hadn’t logged onto my Ebay account, I would not have seen them... until it was too late! By the way, all auctions were about to end - they were seven day auctions and all were in day 5 or 6.

All the messages referred to the same assorted “auctions” that had been posted as if coming from my account. I have the word "auctions" in quotes because none of the auctions were mine, and also because all of them were cleverly designed to phish people out of their money. I quickly responded to all the emails warning the users that the auctions were a scam and had nothing to do with me.

The fake auctions had been created without my knowledge and had also somehow circumvented the Ebay notification system that sent an email to my account each time that a real auction lot is created under my account.

That’s exhibit (b) – Someone was able to create an Ebay listing under my account and at the same time prevented the Ebay software from notifying me that a new lot had been created.

The fake listings offered tech goods at ridiculous prices, such as Apple MacBook Pro Retina 15.4" GeForce, or a new Samsung 65" 3D Smart TV.

The hacker had cleverly inserted his email address ( into the image of the item being offered, highlighted it in yellow, and requested that interested bidders contact him directly prior to bidding. The incoming emails that were in my Ebay inbox (but not being forwarded to my regular email) were from interested bidders wanting to know why they needed to contact the person offering the lots. From reading the threads it was easy to see why…

The phishing scam artist was asking interested parties to wire him money directly, instead of bidding through the Ebay system. When users balked at this, and instead bid the “normal” way via the Ebay lot, he was then able to generate a fake Ebay email from to every single bidder, announcing to the victim that they had won the auction and requesting payment. He also offered next day UPS shipping at no additional cost.

Pretty cool, huh? Dude is able to ship a 65" flat screen TV via next day UPS at no additional cost!

I immediately reported the fake auctions to Ebay, and they immediately cancelled them. Subsequently, throughout all this process, I was reporting all of these issues to Ebay via email, and receiving canned email responses from them. I then tried several times to report the issue via telephone, but each time I was assured by the Ebay telephone operator that there was no way that what I was describing could actually have taken place. They told me to change my password (never mind that I use really hard passwords: 16-20 mixed characters, and change them several times a year), but refused the logic of the events, or could not explain the technical reasons why these lots had all been posted without generating emails to me, or how the emails to my Ebay account had not been forwarded to me, and even more important --- and the key evidence of hacking into Ebay’s software: why these listings were not visible as my listings in MyEbay!

Exhibit (c) – The hacker was able to create listings using my account and yet they were not listed in MyEbay as my listings.

Working with some of the Ebay users who were nearly scammed, I was also able to piece together the identity of the scammer.

Name: Victor Stan Cornel
Address: Al Solidarnisci Nr. 118/2 00-140 Warsaw Poland.
Bank Name: Millenium Bank
Bank Address: ul.Stanislawa Zaryna 2A 02-593 Warszawa Poland.
IBAN: PL 16 1160 2201 0000 0002 4729 3383

I passed all this information to Ebay, who ignored it… at least as far as I know, since I never received a response from them. I also contacted Millenium Bank in Poland and advised them of the issue. They promptly replied to me and said that they were sending my email to the “right unit of our bank” and advised me to “report it to law enforcement bodies.” And thus I reported the whole event to Interpol, since this phishing mutant apparently lives in (or at least has a bank account in) Poland. I also tried a dozen ways to report to Google that a phishing scheme was being run from a Gmail account; not sure if I was successful.

Every single thing that I’ve written here has been exhaustively reported to Ebay. When the first telephone operator dismissed me, I called back, got a different operator and reported it all over again from scratch. When that also failed, I did it a third time.

After that I gave up.

And then a few days ago I read about the Ebay system breach. It apparently happened a while back, but Ebay just confirmed it.

Do you think that these two issues are related?