New eBay fraud tactic: Viral Porn Trojan Horses (VPTH)
A new tactic (which we have dubbed VPTH) has hit eBay hard in the last couple of days. Unfortunately it's a really clever way to get lots of eBay uids/passwords AND it's very viral, so it appears to be growing at an exponential rate.
Here's how the bad guys do it:
1. They use normal phishing techniques to get an ebayer's uid/pwd (preferably a seller with some good feedback).
2. They post tons of malicious listings to popular categories. In the listings they:
- Use something like porn imagery to draw heavy click-through to the listing
- Turn on every eBay bonus feature you can imagine: bold, highlight, gallery plus, featured plus, etc. (hey, they aren't paying, so why not?!)
- Lots of times these are 1 day auctions, so they are indexed quickly and TnS doesn't have much time to a) find them and b) react.
3. Now the bad guys have tons of BUYER user IDs and logins, which they then use to get into PayPal accounts, launch more auctions and cause general mayhem.
In the last two weeks this scheme is happening more and more frequently. Yesterday the entire shoe category was full of these things.
Here's a real world example from yesterday (the black boxes are mine as this is a family oriented blog):
If you saw this and clicked on the first listing, then entered your user ID and password, you can say goodbye to your eBay identity, and potentially your PayPal too; your account would be harvested for emails and you would be on every spammer's list very quickly. Most likely your password would be immediately changed (I'm sure they have spiders for this) and your account added to the hijacked list, then more listings would be introduced from your account (this is where the geometric progression/viral part of the scheme comes in).
Buyer and seller tips to avoid this scheme:
1. Never ever ever click on a link in an email.
2. Whenever you do login to eBay, make 100% sure to look at the URL and make 100% sure you are at ebay.com (the front part of the URL). One trick these guys use is to make the URL so long that it's truncated in the address field; you see the back end and miss the badguy.cz part.
3. eBay's advice would be to use the eBay toolbar. I'm not sure that would help in this particular situation, and there isn't a big penetration of the eBay toolbar.
4. Sellers - use something like this with your employees; it will catch these bad logins and keep your login info more secure: http://www.roboform.com/pass2go.html
5. Finally (and I know this is a tough one), if you see some porn in a category that doesn't seem to make sense, I'd recommend fighting the urge to click on it. ;-)
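Tip 2 above is the one a script can help with: what matters is the hostname the browser will actually connect to, not the part of a long URL you happen to see. The checker below is an added example (not the blog's or eBay's code) that parses a link the way the browser does and reports the real host; it goes beyond the truncation trick in the text to also catch the `user@host` and path forms of the same deception. The eBay sign-in path and all sample links are constructed; badguy.cz is just the placeholder name the post uses.

```python
from urllib.parse import urlsplit

# Domains a genuine eBay login link may live on (assumption for this example).
LEGIT_SUFFIXES = ("ebay.com",)


def is_genuine_ebay_host(url: str) -> bool:
    """True only if the URL's *real* hostname is ebay.com or a subdomain of it.

    urlsplit() isolates the host after stripping the scheme, any 'user@'
    prefix, the port, the path and the query string, so text like
    'ebay.com' appearing elsewhere in the link does not fool the check.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if not host:
        return False
    # Exact match or a real subdomain; 'ebay.com.cz' and 'notebay.com' fail.
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def explain(url: str) -> str:
    """One-line verdict for a user: which host would actually be contacted."""
    host = urlsplit(url.strip()).hostname or "(no host)"
    verdict = "OK" if is_genuine_ebay_host(url) else "BAD"
    return f"{verdict}: connects to {host}"


# Constructed sample links (not real phishing URLs from the post).
SAMPLES = [
    # genuine: host is a subdomain of ebay.com
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
    # truncation trick: 'ebay.com' is visible, but the host ends in badguy.cz
    "http://www.ebay.com.signin.verify.account.badguy.cz/ws/eBayISAPI.dll?SignIn",
    # userinfo trick: everything before '@' is ignored by the browser
    "http://www.ebay.com@badguy.cz/ws/eBayISAPI.dll?SignIn",
    # path trick: 'ebay.com' only appears after the real host
    "http://badguy.cz/ebay.com/ws/eBayISAPI.dll?SignIn",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(explain(u))
```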
Trust and Safety at eBay, we implore you:
0. You guys have a tough job; these bad guys are really targeting eBay heavily and we feel your pain. But eBay just makes it too easy for this to happen, so let's raise the bar much, much higher!
1. eBay must immediately stop the practice of having any links in any eBay emails. The pay now button, the yellow button, outbid notices, payment reminders, feedback reminders, all of these emails have clickable links and the phishers are insanely good at faking these messages. I'm sure folks in marketing will fight this ("buyers won't come back, etc."), but this is such a widespread problem that we have to collectively take that risk. If buyers feel safe they will spend more long-term, let's focus on that vs. some short term concern over the "pay now" button not going out in an email.
Bottom line: PLEASE NO LINKS IN EMAILS PAYPAL AND EBAY!!!
3. (bonus solution) The phishers are also somehow (maybe there's a database out there?) able to take the seller's and bidder/buyer's IDs on eBay, match them to an email address for the buyer/bidder, and leverage that information to very cleverly send out these outbid notices, pay-now notices and fake second-chance offers, making them look like they come from the seller, etc. No third party should be able to inject themselves into the transaction, and hiding emails isn't working, so it's time to somehow obscure or mask eBay user IDs. Only the seller should see the ID of the winning bidder. In fact, maybe sellers shouldn't see the underbidders (let eBay handle SCOs), and the seller ID should be somehow obfuscated as well.
4. The eBay login screen should have a spider defeater (CAPTCHA thingy) on the login forms so that spiders can't fill these out.
5. Send all top-sellers a free ebay-branded, USB-powered ebay password encryption system and turn off the site for these sellers. Something like this solution: http://www.roboform.com/pass2go.html
6. There are all kinds of low cost new devices and technologies for security. This company has a biometric FOB. Many Citibank customers now get a special encryption device that generates a unique number you enter into the web page to prove it's you.
Protect your top sellers!