Phishing Scams Target Musicians Bidding on eBay for Used Gear
Just when you think it’s safe to go shopping on eBay for used gear, like a vintage tube mic, or analog keyboard, the phishing artists have to ruin my day. Phishing, is the practice of trying to fool you into going to a website pretending to be a legitimate site, like a bank or eBay, or to contact somebody about a product or service through “real looking” email communications.
I had this happen perhaps twice in six years and over 300 transactions on eBay, many for buying or selling old gear, but three times in the past 10 days — targeting me with phony “second chance offers” to buy music gear — definitely shows a concerted effort. In asking around, I found this was not an isolated case, and every musician I asked had received such an offer in their email. So, musicians need to be a little more watchful in email they get from eBay right now (well, really all the time, sadly).
Here’s how the scam works: you bid on an item, like a used Dave Smith Poly Evolver keyboard, or an Oberheim OB-12, and you lose the auction to another bidder who outbid you. You are the second highest bidder. The next day you get an email that “looks” like it came from eBay, with all the correct text, faked reply-to, legal notices, auction item number, but addressed to you. I got one second chance offer apiece after losing out on both of these items this month, so these are actual examples from real auctions.
The email offers to sell you the item and uses the actual text you would have gotten from eBay in a legitimate second chance offer:
- Good news! The following eBay item on which you placed a bid for US $825.78 on Sep-03-06 09:42:25 PDT is now available for purchase:
OBERHEIM SYNTHESIZER OB-12 Z-DOMAIN LIKE NEW w/ GIG BAG (110026433335)
Your Price: US $825.78
Offer end date: 5 business days
Second Chance Offer
The seller is making this Second Chance Offer because the high bidder was either unable to complete the transaction or the seller has a duplicate item for sale.
Now I have received legitimate second chance offers before, but I’ve learned that you MUST go to your “My eBay” account, by going directly to www.ebay.com, and not any link in any email, and once logged in, ANY legitimate message (meaning not phony) will show up in your My eBay panel under “messages” (usually at top of your My eBay panel once properly logged-in). If you do NOT see an email from the seller there for the second chance offer, it’s a scam.
The scam works in one or both of the following ways:
- 1) an email account found in the phony message will use a free account like hotmail, gmail, yahoo, or similar and offer to sell you the item by “sending money” to PayPal — if you send money to this person’s account, you will never get it back, and never get the item!
2) the email will have a phony website address link for you to follow and then log-in to your real eBay account and give away your username and password.
Eeven though it’s exciting to perhaps get a second chance at buying something you wanted, you need to be careful in ANY email that offers to sell you anything online.
A quick way to determine if the email is a phishing scam, is to look at the email “headers” in your mail software (e.g., Eudora, Outlook, etc.), which is a good skill to learn to use, where you would see something like this: (from the scam emails I got)
Delivered-To: [my personal email address was here]
Received: (qmail 21400 invoked from network); 8 Sep 2006 00:53:30 -0700
Received: from hosting.pctech4u.co.uk (220.127.116.11)
As you can see from looking at the headers, it reveals where the email actually came from by both a mail server and I.P. address. By looking at this it’s pretty darn obvious that a message from a U.K. mail server isn’t really from eBay in the U.S.
However, what makes it look legit, is what you normally see in your mail software without looking at the headers:
Subject: eBay Second Chance Offer for Item 110026433335
Now, contrast this with the headers from a “real” email from eBay, in response to my forwarding the fake email to firstname.lastname@example.org (which is the address you should forward ALL suspect eBay email to):
Received: (qmail 26862 invoked from network); 8 Sep 2006 07:47:10 -0700
Received: from mxpool10.ebay.com (HELO mx20.sjc.ebay.com) (18.104.22.168)
Identifying Fake eBay Emails and Websites
eBay provides the following information regarding this issue, which is worth a read to become savvy at spotting this kind of scam:
The best defense against fake emails and Web sites is learning how to spot them. You can learn more about fake emails and Web sites through our Spoof Tutorial at the following Web page: http://pages.ebay.com/education/spooftutorial/
Tracking Down I.P. Addresses
If you feel particulary pissed off about getting this kind of email trickery, you can complain to the hosting company where the email originated. You do this by looking at the headers, and finding the I.P. (Internet Protocol) number, and then enterting that into the ARIN Whois system, found at: http://www.arin.net/whois/
Example, if we use the I.P. in the phishing email, which was 22.214.171.124. Put that into the ARIN search, and we get back the owner of that I.P., which happens to be Everyones Internet in Texas. In most cases there will be an abuse contact, where you can forward the entire scam email (including the long headers), as in this case:
One caution is that, in some cases, smart spammers and phishing farms, will “spoof” the I.P. as well which might look something like domain (hello 126.96.36.199) and then later a real I.P. — point is, when you see more than one I.P., it’s usually the second one that is real and the first one faked. Complaining to the owner of the first number won’t do any good. Or, you can just forward the email(s) to eBay and let them deal with the hosting provider directly. Which they will do.
Well, there you go. Hopefully this will help keep your online eyes and ears open, and not get ripped off while trying to buy that cool piece of gear on eBay.
[tags]eBay scam, second chance offer scam, eBay phishing, music instrument phishing scam[/tags]
Jan 26, 2007 @ 8:36 PM PST
UPDATE: eBay has done a wonderful thing in helping to fight the kind of phishing I talk about in my article, by hiding the information previously dound under ‘bidding history’ – which now hides the username of the bidders on an item, like the example Oberheim keyboard in the story, and replaces the username with “bidder 1,” “bidder 2,” etc.
Here is the official notice found on the eBay.com website:
As the internet evolves, eBay continues to strike a balance between preserving transparency and protecting our Community of members. eBay has decided to change how bid history information is displayed so bad guys cannot target bidders with fake offers using this information. In certain cases, some bidders will no longer be able to view Bidder User IDs on the Bid History page. Your User ID will be shown only to you and the seller of the item you’re bidding on. Other members will see an anonymous name, such as Bidder 1, applied consistently to the Bid History page.
This is a superb response to the enormous amount of fake eBay phishing which made it a challenge to bid on music gear, since you would inevitably get barraged by offers to buy the item from a fraudulent third party.
Jun 27, 2007 @ 7:37 PM PDT
Update – June 27, 2007
CNET’s News.com has good article today on how eBay has targeted and help arrest many of the fraudsters, originating from Romania (.ro) who tried to phish for musicians, et al.