Phishers who steal login data from eBay and PayPal members typically change passwords to lock the owners out of their accounts. Then they siphon cash from the victim's account or use it to set up phony auctions to sell stolen items. Sometimes the scammers auction off items bought using the victim's financial data.
Frank Carpenter, 53, of Charlotte, N.C., could no longer use his Microsoft MSN e-mail account after falling for an eBay phishing scam. Each time he called MSN to reset his password, the thieves would change it. Carpenter thinks they did this to keep him from seeing the confirmation e-mails that eBay sends when a seller lists auction items.
In the ensuing weeks, his positive eBay feedback rating -- reviews submitted by buyers and sellers to rate the quality of previous transactions -- took a beating as the scammers seized his account and stiffed winning bidders.
Weeks after he discovered the fraud, Carpenter's bank contacted him to verify that he authorized the clearance of a $1,200 electronic check from his account.
"My bank is still trying to get me to pay for that. Meanwhile, I've had to start over again as a new [eBay] member," Carpenter said.
Fraud experts say phishers also are targeting their scams to particular recipients at particular times. According to Netcraft, an Internet security firm based in Bath, England, some of the sneakiest "spear phishing" scams target eBay customers, mainly because buyers and sellers are accustomed to receiving e-mails prompting them to take certain actions at specific times.
In one attack, scammers use eBay's "contact member" form to ask questions of people who have placed bids on a high-priced item, collecting e-mail addresses from bidders who respond to the questions. Days after the auction ends, the bidders receive e-mail messages from someone pretending to be the seller, explaining that the winning bidder backed out and offering them a "second chance." A variation involves sending fake eBay invoices via e-mail to winning bidders shortly after the end of an auction.
"These guys are always trying to get more and more clever, and now they're not only getting better at working out who would be best to send these phishing e-mails to but when," said Paul Mutton, an Internet services developer at Netcraft. "We're certainly going to be seeing a lot more temporal aspects incorporated into phishing, because as the good guys get better at catching up it's really the only way these scams are going to stay lucrative."
Marked for Life
Some phishing victims find that they become an attractive target to other fraudsters. Woodland Hills, Calif., resident Gary Wales fell for a PayPal phishing attack almost a year ago, but hardly a day goes by without a suspicious e-mail or phone call from someone asking for his personal information. Most recently, Wales said, someone called claiming to be a New York stockbroker in charge of his investment account. Figuring it was another con, Wales left him on hold until he hung up.
"You make one stupid mistake and it's like you get put on some giant idiot list that they sell to people saying here are all the people we've been able to steal stuff from," said the 65-year-old Wales, who restores classic cars for a living. "It's gotten to the point now where I just try to have fun toying with them on the phone."
Two weeks after the scam, the fraudsters made 17 withdrawals of $100 from his PayPal account in one day. For the most part, the fraudulent activity stopped after he changed his checking, credit card and savings account numbers.
Then, one week ago, Wales received a call from a fraud investigator at Gateway.com who wanted to know whether he asked to open a new line of credit with the computer maker. Wales said he had to call the man back to be sure it was not just the beginning of another scam. Later, he verified that someone did try to use his information to secure a $4,000 line of credit.
The constant attacks have left Wales feeling paranoid and angry, and all but ready to give up on e-commerce.
"I'm getting close to disconnecting the phone and throwing the damn computer out the window," he said. "Who needs this kind of aggravation?"