Saturday, December 5, 2009

Interhack

Anatomy of Online Fraud: How Thieves Targeted eBay Users but Got Stopped Instead

At 10 p.m. on Saturday, June 14, 2003, I received a call from a client. His wife had just received email that claimed to be from eBay, asking her to enter her credit card number. By 11 p.m., I had reports to the Internet service providers whose systems had been used to originate the message and to impersonate the eBay web site, as well as to the FBI in Washington, D.C.

Here we discuss the fraud in detail, showing how it was constructed, how it was stopped, and what consumers can do to protect themselves against these kinds of attacks.

1 Introduction

Criminals have long preyed upon the expectations of users who can be fooled into doing things they shouldn't. The fact that this can now be done online—where fooling someone around the world is just as easy as fooling someone across town—should come as a surprise to no one.

Here we consider a recent scheme directed at eBay users, in an effort to collect their usernames, passwords, and credit card numbers.

The scheme involved sending email to eBay users, telling them that there was a problem with their credit card, and asking them to visit the eBay site, helpfully providing a link. While appearing to be from eBay, the email was actually from a cable modem user in Canada. Following the link in the email would not take the user to the actual eBay site, but to an imposter.

Matt Curtin

June 20, 2003

Id: fraud-anatomy.tex,v 1.3 2003/06/20 19:06:39 cmcurtin Exp

Abstract
