Tuesday, July 31, 2012

Guest post: eBay, the scammer, and the seller Part 1

In days gone by the best way to be a scammer on eBay was to list a laptop for sale on eBay for an attractive price and send the buyer an empty box.

However, this has now changed. The best way to become a scammer on eBay is to be a buyer. When scammers first turned to buying items to get their kicks, one of the most popular ways was to use two accounts. Let's assume you want to sell your MacBook Pro, which is worth about $800-900 second hand (brand new value $1,500). So in order to attract as many people as possible to bid on your item, you start the bidding at a low price ($50 or $100). Now a scammer would log into his first account and place the starting bid (let's say $100) and then log into his second account and place a bid of $1,500, thus ensuring no one would outbid him (I mean, who would pay more for the item second hand than you could buy it brand new?). Now, about a minute before the auction is over, he would retract his second bid of $1,500 and the item would be sold to the next highest bidder, which in this case would be himself, at the incredibly low price of $100, and he would end up with a MacBook Pro for $100. Obviously the seller could appeal or refuse to sell it, and besides, this is a very complicated way of getting a free item. eBay have also tightened this up: the bid you place is the MAXIMUM you want to pay, and the bidding gradually increases as more people bid.

But by doing this, scammers now have easier ways of getting free items. All they need to do is claim the item 'never arrived', and to ensure they get their money back they will open a case against you with eBay. Let me explain a bit about cases in eBay. There are two forms of ratings on eBay: one for the buyers and one for eBay (which the buyers don't see). For the buyers there is feedback, where obviously the higher the percentage, the more trustworthy the seller. eBay generally don't get involved in feedback unless it dips below a certain percentage or the seller suspects foul play, in which case eBay will intervene and either suspend the seller's account or remove the negative feedback. The way eBay monitor the sellers is by detailed seller ratings (DSR) and by open cases (cases opened by the buyer against the seller).

DSR are those 5 stars you see when leaving feedback for a seller. These rate the seller and the more 5 stars the seller gets the better.

Open cases are any cases opened against the seller for any reason, and these are opened in the eBay resolution center. It could be for item not as described, haven't received the item, item is damaged, etc.

Now, for a scammer, leaving negative feedback is pointless, especially if the seller has thousands of positive feedback. So the scammer will open a case against the seller claiming he never received the item. Before anything happens, the buyer and seller have to communicate in the resolution centre in eBay. After communicating, if the buyer is still unhappy, he escalates the case to eBay, who will look into it and make a final decision. Since the case is harmful to the seller, the seller may just decide to give a refund and be done. But if the buyer escalates the claim, 9/10 eBay find in favor of the buyer. So the scammer will buy an expensive item and pay for the cheapest shipping (thus ensuring there is no tracking on the item) and then open a case and escalate the claim to eBay and get his money back.

It is that easy to get free items from eBay! (I have essentially written the scammers handbook for eBay! Although any scammer already knows this, and it is no deep dark secret.)

In part 2 I will discuss how eBay is very one-sided and how, even once the scammer has received his money back, the seller is still being scammed.


Yossi said...

The picture doesn't show up.

The Real Shliach said...

And now?

Qtap said...

If I was a seller, I'd get tracking for my expensive item even if the buyer picked the least expensive shipping. Delivery confirmation is only two or three dollars with the US Postal Service. Just saying, sellers could easily protect themselves.

Yossi said...

TRS: yes.

Qtap: Signature confirmation is only $2 extra within the USA, but even first class within the USA comes with tracking. Delivery confirmation/signature for abroad is $20-30 extra (includes tracking). It's sending abroad where we have the issues.

e said...

Oh, life is tough.

Yossi said...

E: Not if you are a scammer ;)

e said...

Did you ever email someone and say "Hey! I'm not a big evil corporation. I'm a guy trying to make a living. Can you please not take money out of my pocket?"

Leo de Toot said...

Dear Mr. R.S.

Nice to see your blog alive again although I'm concerned about the recent content (even though these are "guest" posts). Describing how to defraud a company could have significant legal consequences (fraud, incitement to commit a crime, provide the means of committing a crime etc.) Although these are "guest" posts you could be considered an accessory and therefore equally liable. Further, given that you and your guest have worked together, the charge of "conspiracy" would be added i.e. conspiracy to commit fraud, etc. thereby significantly increasing the legal liability. I would recommend that your erstwhile "partner in crime" get his own blog and you clearly and unequivocally distance yourself from these posts.

A concerned citizen,

L de Toot.

Yossi R said...


What this is is a security bulletin. In the same way that security researchers will publicly talk about software vulnerabilities they find. The intent is for others to be made aware so that they may protect themselves.

There is also the concept of responsible disclosure. The standard procedure is for the discoverer of a vulnerability to first inform the software vendor privately, and not go public with it until the vendor has had the opportunity to create and deploy a patch. In the sad but all too common case where the vendor simply ignores the researcher, it is acceptable for him to go public with the vulnerability information, so that the world at large may attempt to mitigate their exposure to the vulnerability. After all, if a good guy was able to discover it, odds are a bad guy has as well.

Bringing this back around to the issue at hand, eBay is well aware of this problem, and has been for years. Criminals are already exploiting it in droves. There is zero benefit to be had from keeping this information under wraps. This blog post only serves as a PSA to let the public know that this is going on, and perhaps some seller will not get scammed because he knows to buy tracking for his package even though the buyer isn't paying for that level of service.

Leo de Toot said...

Dear Mr. R.S.

Your guest-blogger confuses several issues:

1. The issue regarding software is a red herring. There is nothing in his posts that speaks to eBay software and its possible problems;

2. He states that eBay is aware of the issue. First, he provides no supporting evidence for this. Second, just because a bank is aware that it could be broken into and have money stolen does not provide one with an excuse to detail how to enter a bank vault, stun the security guards, etc. Such activity could be considered criminal ("conspiring to steal" etc.);

3. He cannot hide behind the "PSA-excuse" after the fact. There was nothing in his posts to suggest that this was a "warning" to users of eBay. In fact he starts off by saying "The best way to become a scammer on eBay is to be a buyer." He goes on to boast that he has "essentially written the scammers handbook for eBay" setting himself up as the authority on how to commit criminal acts.

Sorry, but I'm not buying his claimed "social conscience" that has driven him to warn the company of flaws in its system. (It is also of interest to note his sense of pride in his (alleged) ability to scam/cheat the system - unfortunately one finds this attitude among many individuals professing a religious way-of-life (not necessarily your guest writer of course). I've noted the same attitude when it comes to parking-tickets, taxes, health-code violations, speeding etc. (But I digress.))

Hopefully your (formerly) esteemed blog is not beginning to attract the interest of those in law enforcement who monitor such things...

Tell him to get his own blog where he can proudly post his "insights" into criminal behavior.

And "The Real Shliach" can return to its former glory as a place of insightful social, political and religious comment.

A saddened,


Yossi R (not the guest blogger) said...


I'm sorry to have misled you, but I am not the same Yossi as the guest blogger.

And I stand by my assertion that this is simply an exploration of a broken system. Systems do not need to be software to have security vulnerabilities.

eBay is well aware of this problem, not only because they created it somewhat intentionally (buyers complained louder than sellers), but because I have seen this discussed ad nauseam around the web for years. Here is one from 6 years ago http://www.dansdata.com/ebayscam.htm. A quick Google search turns up a thousand more sites like this one.

As for discussing a bank heist, if the bank is aware that it has insufficient security yet has done nothing about it, you would do well to be warned of the situation before you decide to deposit your funds. If the bank does have adequate security, then I would also argue that there is nothing wrong with discussing theoretical, impractical attacks that the bank has no reason to defend against. This last bit is my opinion. There may be room for argument.

The blog post is written in a sarcastic, bitter way. Those who pick up on this will understand that "essentially written the scammers handbook for eBay" is a literary liberty taken to further the tone of the piece. Your assertion that he has set "... himself up as the authority on how to commit criminal acts" is laughable.

I cannot say with certainty that he has set out to warn others, though I choose to interpret it that way. This may in fact be nothing more than a simple rant by a disgruntled eBay seller. I can clarify that the point is NOT to warn eBay as you seem to presume, but to warn potential eBay sellers. eBay the company is already aware of this, as laid out above.

Now, as far as people taking pride in their criminal ability, I too have noted this unfortunate trait in some with whom I interact, but this guest blogger does not strike me as such.

I dismiss offhand the notion that this post or others of its ilk will attract the attention of law enforcement. The very idea is ludicrous.

I do, however, agree that this guest should get his own soap box. TRS does not feel like the correct venue to air these griefs. As you put it, "[TRS is] a place of insightful social, political and religious comment." This sort of post is out of place.