Hot on the Web
Lost in Cyberspace
Online San Diego
Feature Articles
Book Reviews and Reading Diary
Music Reviews
Favorite quotates
Contact Me

Hot on the Web

eBay scam

This column originally ran in ComputorEdge on November 28, 2003
(Issue 2148, Look Ma, No Wires)

I should have known better.

Better than to fill out an HTML form contained in an e-mail, at least.

But it was early - hadn't had my coffee, was juggling the demands of feeding my kids breakfast, getting their backpacks together, packing their lunches, and finding my own homework for French class at the community college.

Dealing with e-mail at that moment might have been a bit much.

This very official-looking message from eBay was in my in-box; something about they'd tried to confirm one of my membership parameters and needed me to log in and double-check it. One of my credits cards had recently expired, and so I thought I needed to update that information.

And so handy; here was the familiar eBay log in right in the e-mail itself.

I typed in my eBay user name, my password and hit "Submit."

A dumb mistake

As soon as I did it, I realized that no form in an e-mail message can be secure. You can use HTML to make e-mail look like a Web page, but that doesn't make it a Web page.

So I looked at the source code of the e-mail message, and found that the "Submit" button was hooked up to a JavaScript command that sent my login name and password not to eBay (although another script actually directed my browser to open and take me to eBay to try to make me think I'd really done something).

When I did an reverse IP address lookup, it pointed me to a server in Florida. The company who owned that IP address (I used one of the many IP address reverse lookup tools – just search in Yahoo or Google to find one) is a reputable web hosting service; in fact, they host a domain I manage.

But the person who had bought the domain that this IP was assigned to, however – well, let's just say their reputation is somewhat in question.

Anyway, I got on the phone with the tech support folks at this hosting service, sent them a copy of the e-mail so they could confirm that the server my info had been sent to was indeed on their system, and then they referred me to their security team.

Fighting back

While I was still on the phone with the hosting company, I pointed my browser to eBay and quickly changed my password before this two-bit hustler behind the e-mail could hijack my account.

Because that's the purpose of this whole scam - to get your login and password so they can log into your eBay account, change the password (locking you out), then sell bogus goods under your account (using your good name and rating). After listing these bogus goods (which don't exist), they get some suckers to purchase them (generally using the Buy It Now option of eBay so they can get as much money as possible as quickly as possible before you can get ahold of eBay and have your account frozen), take their money, and leave you to deal with the consequences.

After I got off the phone with the web hosting company, I then used the Internet to find the police department in the town where the hosting company is located, and even used their Web site to find the detective assigned to fraud cases. E-mailed him everything, too – making sure he understood the web hosting company was not at fault – all they did was agree to host someone's domain.

Finally, I went to eBay and found their page about these fraudulent e-mails. From there, I found the e-mail address where you can forward the fake eBay e-mails – and sent them a copy.

What will happen to the idiot who tried to pull this stunt?

I don't know, but it could be serious. Hijacking someone's eBay account is a form of identity theft, which is a felony in most jurisdictions. And I made sure I found the name and address of the person who owned the domain in question and forwarded that to the cops, so they know who was behind this particular e-mail.

Lesson learned

I got off lucky, and I know it. Since this happened a week ago, I've received two more similar e-mails – with two different IP addresses set up to collect logins and passwords.

If I hadn't realized what I'd done and quickly changed my eBay password, I could have ended up with my reputation ruined – and maybe a few lawsuits against me as well. Proving your identity has been stolen is difficult, time-consuming and expensive.

So ... lesson learned.

No more e-mails before coffee.