8 Sep 2006
ARTICLE: Just when you think it’s safe to go shopping on eBay for used gear, like a vintage tube mic, or analog keyboard, the phishing artists have to ruin my day. Phishing, is the practice of trying to fool you into going to a website pretending to be a legitimate site, like a bank or eBay, or to contact somebody about a product or service through “real looking” email communications.
I had this happen perhaps twice in six years and over 300 transactions on eBay, many for buying or selling old gear, but three times in the past 10 days — targeting me with phony “second chance offers” to buy music gear — definitely shows a concerted effort. In asking around, I found this was not an isolated case, and every musician I asked had received such an offer in their email. So, musicians need to be a little more watchful in email they get from eBay right now (well, really all the time, sadly).
Here’s how the scam works: you bid on an item, like a used Dave Smith Poly Evolver keyboard, or an Oberheim OB-12, and you lose the auction to another bidder who outbid you. You are the second highest bidder. The next day you get an email that “looks” like it came from eBay, with all the correct text, faked reply-to, legal notices, auction item number, but addressed to you. I got one second chance offer apiece after losing out on both of these items this month, so these are actual examples from real auctions.
The email offers to sell you the item and uses the actual text you would have gotten from eBay in a legitimate second chance offer:
- Good news! The following eBay item on which you placed a bid for US $825.78 on Sep-03-06 09:42:25 PDT is now available for purchase:
OBERHEIM SYNTHESIZER OB-12 Z-DOMAIN LIKE NEW w/ GIG BAG (110026433335)
Your Price: US $825.78
Offer end date: 5 business days
Second Chance Offer
The seller is making this Second Chance Offer because the high bidder was either unable to complete the transaction or the seller has a duplicate item for sale.
Now I have received legitimate second chance offers before, but I’ve learned that you MUST go to your “My eBay” account, by going directly to www.ebay.com, and not any link in any email, and once logged in, ANY legitimate message (meaning not phony) will show up in your My eBay panel under “messages” (usually at top of your My eBay panel once properly logged-in). If you do NOT see an email from the seller there for the second chance offer, it’s a scam.
The scam works in one or both of the following ways:
- 1) an email account found in the phony message will use a free account like hotmail, gmail, yahoo, or similar and offer to sell you the item by “sending money” to PayPal — if you send money to this person’s account, you will never get it back, and never get the item!
2) the email will have a phony website address link for you to follow and then log-in to your real eBay account and give away your username and password.
Eeven though it’s exciting to perhaps get a second chance at buying something you wanted, you need to be careful in ANY email that offers to sell you anything online.
A quick way to determine if the email is a phishing scam, is to look at the email “headers” in your mail software (e.g., Eudora, Outlook, etc.), which is a good skill to learn to use, where you would see something like this: (from the scam emails I got)
Delivered-To: [my personal email address was here]
Received: (qmail 21400 invoked from network); 8 Sep 2006 00:53:30 -0700
Received: from hosting.pctech4u.co.uk (18.104.22.168)
As you can see from looking at the headers, it reveals where the email actually came from by both a mail server and I.P. address. By looking at this it’s pretty darn obvious that a message from a U.K. mail server isn’t really from eBay in the U.S.
However, what makes it look legit, is what you normally see in your mail software without looking at the headers:
Subject: eBay Second Chance Offer for Item 110026433335
Now, contrast this with the headers from a “real” email from eBay, in response to my forwarding the fake email to firstname.lastname@example.org (which is the address you should forward ALL suspect eBay email to):
Received: (qmail 26862 invoked from network); 8 Sep 2006 07:47:10 -0700
Received: from mxpool10.ebay.com (HELO mx20.sjc.ebay.com) (22.214.171.124)
Identifying Fake eBay Emails and Websites
eBay provides the following information regarding this issue, which is worth a read to become savvy at spotting this kind of scam:
The best defense against fake emails and Web sites is learning how to spot them. You can learn more about fake emails and Web sites through our Spoof Tutorial at the following Web page: http://pages.ebay.com/education/spooftutorial/
Tracking Down I.P. Addresses
If you feel particulary pissed off about getting this kind of email trickery, you can complain to the hosting company where the email originated. You do this by looking at the headers, and finding the I.P. (Internet Protocol) number, and then enterting that into the ARIN Whois system, found at: http://www.arin.net/whois/
Example, if we use the I.P. in the phishing email, which was 126.96.36.199. Put that into the ARIN search, and we get back the owner of that I.P., which happens to be Everyones Internet in Texas. In most cases there will be an abuse contact, where you can forward the entire scam email (including the long headers), as in this case:
One caution is that, in some cases, smart spammers and phishing farms, will “spoof” the I.P. as well which might look something like domain (hello 188.8.131.52) and then later a real I.P. — point is, when you see more than one I.P., it’s usually the second one that is real and the first one faked. Complaining to the owner of the first number won’t do any good. Or, you can just forward the email(s) to eBay and let them deal with the hosting provider directly. Which they will do.
Well, there you go. Hopefully this will help keep your online eyes and ears open, and not get ripped off while trying to buy that cool piece of gear on eBay.
Article is Copr. © 2006 by Christopher Simmons – all rights reserved. Originally appeared on MusicIndustryNewswire.com.