Computer Crime Research Center

eBay account hijacked, bidders bilked in 'rampant' fraud

For a couple of days last month someone was auctioning Sony camcorders from Kevin Pilgrim's eBay account. But the auctioneer wasn't Pilgrim, who lives in Raytown, Missouri.

More than two dozen online bargain hunters agreed to pay $US605 ($A1,029) apiece, in some cases wiring money to Germany. But there were no camcorders. The two-day auction was a fraud.

While bidders got ripped off, the bad guys got away - at least for now. The scammers who hacked into Pilgrim's eBay account to woo unsuspecting bidders did their dirty work before eBay could shut his account down.

A frustrated Pilgrim watched the crime unfold, able to do little more than desperately email warnings to bidders. Even the FBI told him that while these electronic purse snatchings were rampant, they could not afford to tie up agents' time on each one that popped up.

"We get calls like this every day, and that shows how rampant this is," said Jeff Lanza, a spokesman for the FBI in Kansas City.

Although auction fraud is skyrocketing as online commerce grows, consumer protection is not keeping pace.

As a result, auction users face growing risks. Increasingly, they are pressing for more safeguards. And some outraged consumers are becoming online vigilantes.

"You've got this monster market on the internet, but you can be witnessing a crime in real time and be helpless to do anything," Pilgrim said. "There's no 911 number you can call."

Online auctions are a modern phenomenon, attracting millions of users willing to buy everything from toasters to sailboats from people they have never met.

The gorilla of the industry, eBay, posted revenues last year of more than $US240 million ($A408.3 million). While eBay won't release user numbers, it's been reported that 35 million people regularly buy and sell at online auctions.

"What we say is that we do $US30 million ($A51.04 million) a day in business," said eBay spokesman Kevin Purseglove. He said fraud taints no more than 0.01 percent of the transactions.

But that means lots of users still get burned. Some experts believe the number of frauds may be higher, simply because they are so hard to track.

"It's trying to hit a moving target," said John Giubileo, vice president of products and services at Kansas City-based eSecurityOnline. "By the time they're discovered, they're someplace else."

The National Consumers League's Internet Fraud Watch reported that after several years of decline, online auction complaints soared in 2002, accounting for 87 percent of all internet fraud complaints it received. The league said internet fraud last year cost consumers $US7,209,196 ($A12.26 million), which they calculated at $US484 ($A823) per victim.

The Federal Trade Commission's Consumer Sentinel, which gathers online fraud complaints for a consortium of law enforcement groups, received more than 20,000 internet auction fraud complaints in 2001, reflecting the huge challenge facing investigators.

While there are a lot of scams, each one might affect no more than 50 people, a number unlikely to ring bells at the FBI. "If you have 1,000 victims, that's a different story," Lanza said.

While online auctions rely on trust between buyers and sellers, scammers take advantage of that trust to do their dirty work.

In the past, many scammers simply opened their own accounts to hoodwink bidders. But they were more easily traced.

Now, the scammers - often international gangs - have wised up. They hack into the accounts of users with good reputations, sellers who showcase their positive feedback, and use those good reputations to ambush bidders.

That's what happened to Pilgrim. On December 16, when he checked his email, he found 18 eBay users wanting to buy camcorders from him. When he tried to access his account, he found he was locked out. The password had been changed.

He reported the fraud using an eBay message prompt. An automatic response said eBay would get back to him in "12 to 36 hours." He then phoned Raytown, Missouri, police, who said they were not equipped to investigate internet crimes.

The next morning, the final day of the auction, Pilgrim called the FBI and the Internet Fraud Complaint Centre, run by the Justice Department, which gave him a complaint reference number.

Meanwhile, Pilgrim frantically returned emails to as many bidders as he could, warning them of the fraud. "I was concerned that people thought I was the guy perpetrating the fraud," he said.

More than 40 people had responded to the auction. An unknown number already had paid. Craig Rettmer, a Kansas City audio engineer, was one of the unlucky ones who lost $US605 ($A1,029).

"Kevin (Pilgrim) was quick to tell me he wasn't selling anything," said Rettmer. "I felt like such a fool."

Rettmer and other victims were beguiled by the scammers' slick appearance on the Net.

After taking over Pilgrim's site, the scammers advertised Sony digital cameras at a "buy now" price $US200 ($A340) below retail. The site included technical information and even offered gift wrapping.

"They made you feel very comfortable," said Rettmer, who had been looking for a camcorder to buy as a Christmas gift for his daughter.

In retrospect, the payment directions should have raised a red flag. Bidders were told to wire payments by Western Union to an address in Nurnberg, Germany. Hoping to get his camera before Christmas, Rettmer wired cash. Other bidders paid by credit card and remain hopeful that they will get their money back.

Terri Carlson, who lives in Hawaii, got her money back. She ignored the Western Union directions and paid through PayPal, an internet account that allows bidders to use their credit cards.

Carlson hasn't given up on auctions. But she's now more wary. "There wasn't any way to put the brakes on by eBay, and that seems a little strange to me," she said.

eBay didn't suspend Pilgrim's account until Dec 18, after the auction was over. By then, the scammers were gone.

Purseglove, of eBay, acknowledges that the auction company appeared slow to react in Pilgrim's case. But he said that was unusual. He said eBay tries to respond immediately to customer concerns.

Internet experts say the increasingly popular auctions have been the target of thieves.

"Certainly the auction sites should have the equivalent of a rapid-response team," said Beau Brendler, director of Consumer Web Watch, a division of Consumers Union, which publishes Consumer Reports.

JA Hitchcock, author of Net Crimes & Misdemeanors and president of Working to Halt Online Abuse, said one concern for the auctions is the cost of increasing security.

"Companies like these have grown too big, too fast, and are more concerned with the bottom line than their customers, which is a shame," she said.

Purseglove disputes that. He points to the numerous fraud warnings and tips eBay provides to its customers. He said two of the more ingenious methods hackers use to crack accounts include:

- Sending a user an email, purporting to be from eBay, that asks for private and detailed information and directs the user to a "spoof" site, where the information is harvested by the hackers. He said eBay never asks users to provide that kind of private information.
- Using robotic "dictionary" programs that surf through accounts trying every word until they find one that works as a password. Use of symbols in a password can help thwart this kind of internet assault.

Asked if an internet 911 number would help, Purseglove said it has been discussed. But a potential problem is that people would also use the number for nonemergencies.

Others suggest that eBay and other auctions use programs that can detect excessive attempts by hackers to crack a person's account password and then lock them out. Purseglove said that method is being considered.

Still, as complaints rise, FTC officials say consumers need to check out the security offered by the auctions.

"Some auction sites offer more protection than others," said Delores Thompson, an FTC attorney who specialises in internet auctions. "Consumers should shop around."

Some consumers aren't waiting for the auction sites or law enforcement to bear down on auction frauds. They're rooting through the internet to find the bad guys themselves.

"They say it's a small-scale fraud," said Alan Pollack, a Los Angeles physician who bought one of the camcorders offered on Pilgrim's eBay account. "But when it happens to you, it's a big deal."

Pollack is part of a posse of victims who have hunted down frauds on other sites and warned bidders. So far they have identified three.

They look for potential fraud markers, including opportunities to buy now at prices too good to be true and with directions to wire payment to a foreign address.

Pollack became an activist after calling the Los Angeles Sheriff's Department for help and being told there wasn't much it could do.

Pollack and his small internet posse have pursued the scammers who stole Pilgrim's site through German authorities to what appears to be a rooming house in Nurnberg, Germany.

The vigilantes recently were notified that their documentation was sent to the police in Nurnberg, and that the police are investigating.

Back in Raytown, Pilgrim is still clearing negative feedback off his site, which has hurt his reputation as an eBay trader. He hasn't decided to stop using eBay to trade in Indian art, but he thinks the site fell short in his case.

"They've got a great system but they didn't think to install a security system that is usable in an emergency," he said. "My identity was stolen and people lost a lot of money."



Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.