eBay is one of the largest e-commerce websites available, especially to people in countries without Amazon. It does not sell products directly, but instead relies on its users, which makes the distinction between sellers and buyers an important one.
Technically speaking there is no restriction: a buyer can sell an item and, of course, a seller can buy something, but usually you find accounts that only do one of the two. Each user has a separate score on their profile as a seller and as a buyer, so the reviews from the two kinds of transaction are not merged.
Today I am going to post a story about something that happened to me, and how the attacker pulled it off. This method seems to work and is able to extract the personal information of unsuspecting eBay users.
I then contacted eBay support over Twitter, by e-mail, and via their website, and they said there is nothing they can do and nothing they are willing to do. That means that if you fall for this scam, which, given the circumstances, is really difficult to avoid, all your information is handed to a hacker and you get no protection. As if it weren’t eBay’s fault.
So let’s begin with the story. I was on my iPhone one day browsing for network equipment on eBay, and more specifically in the “New” category. I thought of searching for access points, since I may be in need of some. After the iOS application returned the results, I sorted them by “Price + Shipping, lowest first” since I did not want to buy anything, just look at the prices.
After almost no scrolling, I find a great offer:
A pack of 3 UniFi APs by Ubiquiti, the same series as the ones I currently have at home. They were the base model, which is 2.4 GHz only, but still of very good quality with very good features. This pack currently retails for € 162.57, but the listing I found had it for only CAD 30.00, or about € 20.00 at the time.
Usually when I find this kind of price on such an item I am really skeptical, so I immediately opened the item on my laptop. I checked the seller, and there were 1-2 items sold and many purchased. The item was also covered by eBay’s Money Back Guarantee, which means that if I don’t receive the item or it does not match the description, I have the right to get back the full amount I paid. So the only thing left was to check the description.
After 5-10 minutes, I had established that this listing was for a new item in its retail packaging. The box also included the access point (so it’s not just the packaging), as well as the PoE adaptor to power it. The description seemed perfect; if I did not receive what I was looking for, I was 99.9999% sure I would get my money back.
I went to the Buy button and set the quantity to two, since there were 10 available. eBay presented me with an error saying that the seller is only willing to sell one per person per week, which for some reason seemed plausible at this price. Keep in mind this is not the latest model, so this could have been someone who wanted to get rid of their stock quickly.
I then changed the quantity to one, added my shipping address, paid via PayPal, and wished myself luck. No errors, nothing.
Three days pass (it was a weekend), and on Monday I get an e-mail from eBay:
This was the first time I had received such an e-mail from eBay, so I carefully verified that it was sent by the real service and not somehow by the seller.
I followed the instructions and opened a case in the Resolution Center. The way this system works is that my e-mail is sent to the seller first, and if they don’t resolve the problem in 3-4 days, I can escalate it to eBay Support. So basically they’re asking me to tell the hacker that he hacked the account and I want my money back. Makes perfect sense.
After I submitted the case, I contacted eBay on Twitter and asked them whether I could skip the 4 days and reach their support directly. They replied and asked me to DM them. I then told them why I needed to contact their support:
They replied that I should open a case and that there should be a button to escalate immediately. No such button existed, so I e-mailed them. I sent them all the required details and told them that I had been referred there by Twitter Support. I got a reply two days later consisting of two sentences:
Sorry Antonios, I can’t see the DM from earlier. What’s going on with this case that we can help you with? Keep us posted! ~Jasmen
The rest of the story involves me trying to explain to them that somebody who hacked an eBay account now has my full name, address, phone number, and anything else I have on my account (since it’s all sent to the seller).
In a normal transaction this is perfectly fine, because I consider the seller legitimate and I am confident they will not abuse the information. But now, a malicious person has that information, and possibly other details from the PayPal transaction.
eBay’s response to that was that they have a Privacy Policy (which I’m sure the hacker will follow) and that I can get my money back, which I did. I received a full refund.
So here it is. Are you interested in doing identity theft? Well, you shouldn’t. It’s illegal. I am not telling you to do it. However, theoretically speaking, you can’t get much info with this method, but all you have to do is open an eBay listing for a nice product:
iPhone 6S 64 GB Unlocked New Retail Box $399.99
After that, you’ll start getting names, e-mails, PayPal transactions, addresses, access codes, anything. If eBay ever reaches out to you, just claim your account was hacked. It helps if you use a VPN / Tor to list the items. You can even open a case with eBay a week after the listing to say that someone listed the items and you are getting orders you don’t know what to do with.
Of course I am not saying this is the case with the current item, nor am I saying you should do this. The above is entirely hypothetical, theoretical, for academic purposes only, and should not be performed or considered advice or tutorial. I am not responsible for your actions before, during, or after reading this blog.
Let me know in the comments if you have had a similar case with eBay, or even Amazon, and how the site handled it. From what I know, Amazon gives out your personal info via their support chat if you can socially engineer them, but this method allows for mass collection, since the victims come to you.