Thursday, September 27, 2007

eBay responds to the alleged Vladuz hacking incident

eBay is responding to the latest (alleged) attack on their site by Vladuz by confirming that the account information was valid, however the credit card numbers were not.

Here is what the Chatter (eBay's blog team) has to say regarding their investigation:

I've been in touch with our operations and security teams, and I have more information I can share with you about yesterday's incident on the Trust & Safety discussion forum. In brief, very early yesterday morning, a fraudster posted contact information and alleged credit card numbers for about 1,200 members on our Trust & Safety discussion forum on eBay.com.

While the issue was very unfortunate, it was clearly falsified to cause public concern. Early on eBay's teams verified that the credit card "data" did not match anything on file for these members on eBay or PayPal. After more investigation, including phone conversations with many of the members, it appears that these numbers were not valid at all.

Each of these accounts was the victim of an Account Take Over, most likely through a successful phishing campaign. eBay has been in contact by phone with many of these members, and there is a My Messages email going out to impacted accounts to further our reach.

1200 successful account-takeovers is a fairly large asset for a criminal to part with, even if the credit card numbers were no good. In the hand of the wrong people, 1200 eBay and PayPal accounts can be used to commit a lot of crime.

Here is a description of how account-takeovers are sometimes used from my original post on this latest incident:

Account-takeovers enable criminals to scam others, using someone else's information. They can also be used to fence (sell) stolen merchandise with a high degree of anonymity. It should also be noted that stolen payment (credit/debit) card details are often used to purchase the merchandise, which is then fenced.

To cover their tracks, the scammers often dupe people into laundering the proceeds of these sales in work-at-home (job) scams and wiring the money, normally across a border.


Although eBay is stating that the credit card numbers in this case were no good, they are for sale, along with account-takeover information on the Internet. Because this information is sold over the Internet, the criminals are able to buy and sell this information (globally) without ever actually meeting each other in person.

As I stated in my earlier post, phishing is a method, where a lot of personal and financial information is stolen, also.

Thus far, all anyone can do is speculate as to how the accounts were compromised. It will be interesting to see if anyone gets to the bottom of what actually occurred.

The Anti-Phishing Working Group tracks phishing activity and many experts claim that eBay and PayPal are the most frequently phished brands. They also have some excellent information on how to avoid being a victim and what to do if you think you've become one.

Auction fraud doesn't only occur on eBay and can happen on any of the auction sites out there. The criminals behind this activity tend to go after what is the most popular, which probably has more to do with why they target eBay than anything else.

If you get phishy e-mails that ask you to provide your eBay, or PayPal account numbers, the Chatter recommends you report them to spoof@ebay.com or spoof@paypal.com. They also recommend to go to their Security & Resolution Center if you encounter a problem.

Another place to report phishy e-mails is CastleCop's PIRT Phishing Incident Reporting and Termination Squad. Please note you can also report this activity on the Anti-Phishing Working Group's site, also.

Reporting a phishing attempt might prevent someone else from becoming a victim. Sadly enough, if you have an e-mail address, you probably see phishing attempts on a daily basis.

Post from the Chatter, here.

No comments: