Phishing Attacks Net 5,000 Stolen eBay Accounts

This week, Christopher Boyd, director of malware research at FaceTime Security Labs, came across a list of stolen eBay logins. The list was 121 pages long and contained 5,534 stolen eBay accounts, each with a username and its matching password and e-mail address.

According to Boyd's report, some of the accounts were no longer active, but Boyd found enough live accounts in the list that eBay members should be thinking about account security.

The list is likely the result of eBay phishing scams, in which fraudsters send out e-mails falsely claiming to be from eBay in an attempt to trick users into surrendering their private information. EBay phishing e-mails direct users to a Web site that looks like eBay, where they are prompted to log in with their eBay username and password. The Web site linked in the e-mail is bogus and exists only to steal the user's eBay account information.

In an interview, Boyd said, "Many of these accounts would be newly registered users or users with low feedback scores because these users don't tend to use eBay that much, making them prime targets for phishers."

While new users are more likely to be fooled by fake logins, during his investigation, Boyd discovered that the stolen account list did contain the details for several high-scoring, active eBay accounts. "With your account information, a fraudster can contact anyone who asked questions about your items or bid on an item and make fraudulent second chance offers, or even change your profile information and list fake items in order to scam people out of their money.

"Unfortunately, many users will keep their eBay and PayPal passwords the same, making it even easier for both accounts to be hijacked."

This list of stolen eBay logins, according to Boyd, was a bit different from what one might normally encounter. Usually, this type of list is full of inaccuracies and duplicate entries. In this case, however, the list was well-maintained, very accurate and much, much larger than usual.

"You might find lists with several entries, maybe, up to a thousand but it would be full of duplicate entries, be full of fake account information, and generally be sloppy. This file was not. It was very accurate and carefully put together," he said.

Boyd also said that most hardcore hackers and thieves who use phishing scams would also not distribute the list, choosing to keep the eBay account information for their own fraudulent use. Boyd suggests that the list he found online may have been the work of a younger hacker, looking to gain a name or "brag points" on some of the elite online hacker forums.

Regardless of the fraudster's intended use of this list, the fact remains that all eBay members, including sellers, must work diligently to protect their eBay and PayPal accounts.

To help its members combat phishing and spoof Web site scams, eBay offers a spoof tutorial, as well as an eBay toolbar that warns you when you are on a potentially fraudulent Web site. EBay members using Gmail can benefit from Google's anti-phishing technology, which can help prevent the delivery of many fraudulent eBay and PayPal messages. PayPal also offers a key fob, a portable device that generates a temporary security code every 30 seconds that you enter each time you log in to PayPal. The fob costs $5 and can also be activated with your eBay account. Though these security tools are effective, they only work if you use them.
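The article does not say how the PayPal fob computes its code, so the following is an added illustration rather than PayPal's or eBay's own implementation: it assumes a time-based one-time password in the style of RFC 6238 (HMAC-SHA1 over a 30-second counter), which is the usual design for a fob that rotates a code every 30 seconds. The point it demonstrates is why such a code blunts a phishing site's value: a stolen username and password alone no longer suffice, and a one-time code captured at one moment fails verification a few steps later. The shared secret below is the RFC 6238 test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the fob rotates its code every 30 seconds
DIGITS = 6          # length of the displayed code (assumption; the article does not say)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1 variant).

    The code depends only on the shared secret and the current 30-second
    window, so a code that a phishing page captured is tied to the window
    in which the victim typed it.
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` steps on
    either side to tolerate clock drift. Uses a constant-time comparison so
    the check itself leaks nothing about the expected code."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def replay_blocked(secret: bytes, captured_at: int, replayed_at: int, window: int = 1) -> bool:
    """Model a phished code: generated at `captured_at`, submitted by the
    attacker at `replayed_at`. Returns True if the login is refused."""
    captured_code = totp(secret, captured_at)
    return not verify(secret, captured_code, replayed_at, window)

if __name__ == "__main__":
    # Constructed demo secret (RFC 6238 test vector), not a real fob key.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("code right now:", totp(demo_secret, now))
    print("accepted immediately:", verify(demo_secret, totp(demo_secret, now), now))
    print("replay 10 minutes later refused:", replay_blocked(demo_secret, now, now + 600))
```

The verification window is the usual design trade-off: one step of drift either side keeps a slightly slow fob usable, while a code that was phished even a couple of minutes earlier is already outside the window. Note that a one-time code only defeats replay; a phishing site that relays the code to the real site in the same 30-second window is a separate problem that this mechanism alone does not solve.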

Boyd said that while he believes eBay offers a lot in terms of security, he doesn't think that users are being educated enough on phishing scams and how they work. "So many people are just not interested in reading pages of data in the help files and so the problem grows. Without education about phishing attacks there will always be someone who falls for the bait."

So how can sellers protect their accounts from phishing attacks? Boyd said sellers should use different passwords for their eBay and PayPal accounts, and also consider using the Firefox browser, which offers integrated anti-phishing tools.

As for the stolen data, Boyd said that the stolen eBay account information was removed from the Web where it was possible to do so, and that Google acted quickly to remove some of the cached data from its search engine. Boyd also notified eBay of the stolen accounts list. EBay has not yet offered any public comment on the list found by Boyd.

This article was first published on