BlackGuardian

The Prevalence of Scamming on Our Favorite Shopping Sites

A while back I was on the hunt for a new-to-me used laptop to add to the arsenal, one that I could use for both security-related work and video editing on the go. I settled on snagging a used MacBook Pro MJLT2LL/A.

During this search I became aware of how prevalent scamming has become, and of the seemingly high-volume migration of Craigslist scammers into other marketplaces and platforms. Provided you are paying some attention to the world around you and to the things you are engaging in, these scams may not cost you money, but they can easily subject you to a significant amount of anger and frustration.

Amazon Marketplace

"There's no way I can get scammed on Amazon, right?" Naw.

Rule one of both the internet and life:

If it's too good to be true, it probably is.

This holds especially true when $ is involved.

[Screenshots: the two Amazon listings for the laptop]


The two screenshots above were taken weeks before the examples and actual interactions below. At that point the price disparity was far more drastic, and therefore far more evident: a not-at-all-suspicious $800 for a $3500 laptop.

But maybe it's legit. Logic says that statistically something is up... but of course you have to check it out. I mean, it's on Amazon.


Before continuing, I want to highlight that there are two main scamming scenarios I have noticed on the Amazon Marketplace. Both are carried out using one of the following:

  • Fake Marketplace Sellers: These are simply accounts created by scammers so that they can list and sell goods that don't actually exist.
  • Hacked Marketplace Seller Accounts: These are legitimate seller accounts that have been compromised in one way or another. They serve the same goal as the former, but allow scammers to leverage the (likely) reputable standing of an active seller's account.

Method Number One: External Payments.

Cue the inherently sketchy statement(s) in the item description:

Before purchasing this item, please email us at best-marketplace@tech-center.com.

At this point anyone who is wary with their dollars and is not using Amazon for the first time would bail out. However, wanting to see where this was going, I reached out to the actual marketplace seller before contacting the sketch-lord random email in the innocent-looking instructions in the item description.

[Screenshot: the marketplace seller's reply]

we don't sale that, you get the wrong address

Thanks to this eloquent response it is clear that this is a scam, and that the marketplace seller has no clue that this item is listed for sale under their name. But again, for data's sake, let's see where this goes if we actually follow the instructions.


[Screenshot: the reply from the external email address]

If you want to buy, please confirm your shipping details and we will place your order.

These details, of course, include your payment information. If they do not, the exchange generally leads down a rabbit hole of attempts to acquire account credentials and other bits of information from the user, which takes us to the second method of Amazon scamming.

Method Number Two: Scamming via Hacked Accounts.

Initially I planned on going into detail on this, but it ended up being highly redundant. In practice this method is the same, and the image(s) above showcase exactly what happens when a compromised account is leveraged to list items that the seller does not actually intend to list and/or does not actually own.

The main issue (aside from the account compromise itself) is the lack of a second verification factor when adding or removing credit card/banking information in the Amazon seller area. This affords attackers the ability to add and remove banking information at will without the legitimate account owner being notified.

Attackers can also be passive rather than proactive here, though this is difficult to confirm from the outside: they do not necessarily have to list anything, provided the account already has items up for sale. By changing the banking/payout information on the compromised account, attackers can theoretically redirect the proceeds of those legitimate sales to themselves.

Ebay Marketplace

The current mentality of people shopping online, combined with some of the demographics that tend to gravitate toward Ebay (non-technical people and family members looking for gifts, older people looking to buy or sell random items, etc.), makes its marketplace an ideal place for scammers.

When Ebay and Ebay-esque sites (e.g. Amazon, Alibaba, Overstock, Etsy) were emerging and becoming more prevalent, more people were cautious and relatively suspicious of the process itself. Unfortunately the vast majority of us have become used to, and subsequently desensitized to, the easy-to-use flow of online shopping. These sites let us purchase with as little actual user interaction as possible, reassuring us at every turn that we are protected by their policies and by the shiny shield icons placed on every loading screen and purchase/bidding page.

Combine the above with our ingrained societal tendency to trust the consensus of the masses:

[Screenshot]

Scammers and attackers who compromise valid user accounts can leverage the presumed trustworthiness these accounts are afforded by seller reviews and reputations to convince victims to circumvent the standard purchasing safeguards.

The way this is most commonly accomplished on Ebay is identical in most respects to Amazon, although on Ebay the compromised account -> external payment route appears to be a much more prevalent issue.

[Screenshots: Ebay messages, a canceled order, and the seller's email]

We can also see sellers/scammers attempting to "double-dip": after modifying the account's payout information they accept the initial payment through the platform, and then try to convince the victim to pay again outside the normal channels.

[Screenshot]


[Screenshot]

Ebay Specific Methods [2'ish]:

The reason I say 2'ish is that the Ebay-specific methods I wanted to cover are mostly variations on the same theme: convincing the victim(s) to pay for something outside the standard Ebay payment process.

  • Asking for payment before the bidding process is over. "Send payment to thispaypaladdress@gmail.com, and I will just end this early and ship the item to you, something is wrong with this auction anyway." Nothing is wrong, don't.
  • Having the auction finish, canceling the sale by calling the item defective, and asking for payment via outside channel(s). For example: "Please send payment to thispaypaladdress@gmail.com and I will just send you a non-defective version of the item." They won't. Don't.
  • Claiming that as a buyer they will be unable to wait for the bidding to end due to some unknown issue "my network", "my children", "my work schedule". For example: "Please text me your PayPal email letting me know that you accept my offer of $x and I will send the payment over to you." Don't. See the "OL' REVERSE" below for additional information.

Actual examples:

[Screenshots: two near-identical scam messages]

  • Similar usernames... check.
  • Identical messages... check.
  • Identical phone number... check.
  • Lack of imagination and total reliance on people's assumption that it would be odd for someone to go through this much effort simply to scam one person... check.

Lastly - "the OL' REVERSE":
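The scam scripts above (the Amazon "email us before purchasing" listing text, the Ebay "end this early"/"something is wrong with this auction" messages, the OL' REVERSE partial-quantity request, and the "similar usernames, identical messages, identical phone number" checklist) all share features that are easy to detect mechanically. The following Python is an added example, not code from the original post or from either platform: it scores a message for off-platform payment cues and contact details, and then clusters messages from different senders that share a template or a phone number. The sample messages are constructed for the example, and the cue phrases, weights and threshold are my assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Contact details that have no business appearing in a listing or marketplace message.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Phrases lifted from the scam scripts the post describes: (pattern, label, weight).
# The weights are assumed, chosen so that any off-platform payment request scores >= 3.
CUES = [
    (re.compile(r"\bbefore\s+(?:purchasing|buying|bidding)\b.*\b(?:e-?mail|contact)\b", re.I | re.S),
     "contact before purchase", 3),
    (re.compile(r"\b(?:pay\s*pal|venmo|zelle|western\s*union|wire\s*transfer|gift\s*cards?)\b", re.I),
     "off-platform payment rail", 3),
    (re.compile(r"\b(?:e-?mail|text|call|message)\s+(?:me|us)\b", re.I),
     "move conversation off-platform", 2),
    (re.compile(r"\bend\s+(?:this|the|it)\s+(?:auction\s+)?early\b", re.I),
     "end auction early", 2),
    (re.compile(r"\b(?:defective|something\s+is\s+wrong\s+with\s+(?:this|the)\s+auction)\b", re.I),
     "claimed defect / broken auction", 2),
    (re.compile(r"\b(?:can'?t|cannot|unable\s+to)\s+wait\b", re.I),
     "urgency, cannot wait for bidding", 2),
    (re.compile(r"\b(?:just|only)\s+\d+\b", re.I),
     "partial quantity request", 1),
]

# Constructed sample data modelled on the posts' screenshots (not real messages or accounts).
SAMPLES = [
    {"sender": "seller_a",       "text": "Before purchasing this item, please email us at sales@example-store.test."},
    {"sender": "seller_b",       "text": "Like-new 15-inch laptop, 16GB RAM, ships in 2 business days. Returns accepted."},
    {"sender": "quick_deals_01", "text": "Send payment to my PayPal pay@example.test and I will just end this early "
                                         "and ship, something is wrong with this auction anyway. Text me at (555) 010-4242."},
    {"sender": "quick_deals_02", "text": "Send payment to my PayPal pay2@example.test and I will just end this early "
                                         "and ship, something is wrong with this auction anyway. Text me at 555-010-4242."},
    {"sender": "bulk_buyer",     "text": "Hey I don't need 30 of these, just 10. Could you send me your PayPal email? "
                                         "How much for just that amount?"},
    {"sender": "normal_buyer",   "text": "Does this include the original charger? Thanks."},
]


def score_message(text):
    """Score one listing description or message and explain why it looks like a scam script."""
    flags = [label for rx, label, _ in CUES if rx.search(text)]
    score = sum(weight for rx, _, weight in CUES if rx.search(text))
    emails = EMAIL_RE.findall(text)
    phones = [re.sub(r"\D", "", p) for p in PHONE_RE.findall(text)]  # digits only, for matching
    if emails:
        flags.append("contains email address")
        score += 2
    if phones:
        flags.append("contains phone number")
        score += 2
    return {"score": score, "flags": flags, "emails": emails, "phones": phones}


def normalize(text):
    """Template fingerprint: mask contact details and numbers so re-used scripts compare equal."""
    t = EMAIL_RE.sub("<email>", text)
    t = PHONE_RE.sub("<phone>", t)
    t = re.sub(r"\$?\d[\d,.]*", "<num>", t)
    t = re.sub(r"[^\w<>\s]", " ", t.lower())
    return " ".join(t.split())


def find_campaigns(messages):
    """Group messages from *different* senders that share a template or a phone number.

    Each campaign records the sender names and how similar they are to one another,
    which surfaces the 'similar usernames, identical messages, identical phone' pattern.
    """
    by_template, by_phone = defaultdict(set), defaultdict(set)
    for m in messages:
        by_template[normalize(m["text"])].add(m["sender"])
        for phone in score_message(m["text"])["phones"]:
            by_phone[phone].add(m["sender"])
    campaigns = []
    for kind, index in (("template", by_template), ("phone", by_phone)):
        for key, senders in index.items():
            if len(senders) > 1:
                s = sorted(senders)
                sim = min(SequenceMatcher(None, a, b).ratio() for a in s for b in s if a < b)
                campaigns.append({"kind": kind, "key": key, "senders": s,
                                  "username_similarity": round(sim, 2)})
    return campaigns


def triage(messages=SAMPLES, threshold=3):
    """Return the messages scoring at or above the threshold, highest score first."""
    scored = [dict(m, **score_message(m["text"])) for m in messages]
    return sorted((m for m in scored if m["score"] >= threshold), key=lambda m: -m["score"])


if __name__ == "__main__":
    for m in triage():
        print(f"{m['score']:>2}  {m['sender']:<15} {', '.join(m['flags'])}")
    for c in find_campaigns(SAMPLES):
        print(f"campaign by {c['kind']}: {c['senders']} (username similarity {c['username_similarity']})")
```

Run stand-alone it lists the four suspicious samples with the reasons they tripped, and reports one campaign found by shared template and one by shared phone number, both tying quick_deals_01 and quick_deals_02 together. The same scoring can be pointed at a seller's inbox export or at listing descriptions; the template fingerprint is deliberately crude (mask the parts that change, keep the script) because that is exactly what the scammers fail to vary.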

A buyer asks you for your PayPal email while you are selling a product, typically by saying they want a different quantity or only a portion of the item(s) you have listed, rather than going through the proper channel and simply purchasing it.

"Hey I don't want to buy the entire item"

"Hey I don't need 30 of X_item, just 10"

"Could you send me your PayPal email? How much would it be for just that amount, I would be glad to pay it."

Significant issues with "the OL' REVERSE":

  • These requests often originate from trustable-looking accounts (high sale count, many reviews, good rating). They aren't trustable: they have been compromised and are not controlled by the legitimate owner.
  • You may appear to get paid. You won't keep it: they will initiate a chargeback and you will lose that money (information on chargebacks: [1][2][3]).

The fact that we can see these attempts being so blatantly blasted across platforms, and that they are being conducted with such frequency on two sites that are fairly adept at monitoring for and removing such things, means that this is undoubtedly a much larger issue on less proactive platforms. We can also see how long this has been going on by reviewing the timestamps of the various posts from Ebay users.

Simply put, many things have improved and evolved in our ecommerce experience, from a usability standpoint as well as from a security baseline. TLS/SSL is finally standard on most sites, and two-factor authentication is offered almost everywhere; if neither is offered on a site that readily and frequently handles your financial information, I would recommend you rethink using that site altogether. Most of these platforms do everything they can to hold their users' hands and to ensure that scams like this do not take place: if trust in the platform diminishes, so does its user base, and its profitability with it. Unfortunately they cannot catch everything, and as a result awareness and discernment are still requirements when shopping online.

Lessons:

  • Be aware.
  • Trust none.
  • If it's not standard, simply say no.
  • If you are unsure, ask (Contact Help).

Stay suspicious.
