Release of "Anatomy of Online Fraud: How Thieves Targeted eBay Users but Got Stopped Instead"

Dissecting recent fraud targeted against eBay (and, more recently, Best Buy) users, Interhack's technical report "Anatomy of Online Fraud" is now available for download.

COLUMBUS, OHIO--(June 20, 2003). Interhack releases "Anatomy of Online Fraud: How Thieves Targeted eBay Users but Got Stopped Instead", a technical report documenting an online fraud case targeted against eBay users. In the past week, two similar fraud schemes have been launched against Best Buy users.

The report should be of interest to users of web sites for commercial activity, developers and operators of such sites, security professionals, and law enforcement officials who need to deal with cases of online fraud.

Available free of charge from Interhack's Web site, the report details how the fraud was committed, how the perpetrators were identified and reported, and how law enforcement officials were alerted.

In a nutshell, it works like this:

  • The attacker builds a fraudulent web site that looks just like eBay's.
  • The attacker sends email out to eBay users telling them that they need to re-enter their credit card number, giving a link in the email that looks like an eBay link but really goes to the attacker's web site.
  • The user logs in to the attacker's web site, using his eBay name and password. The attacker's site will accept anything and store it.
  • The user is then told to enter his credit card number, which he presumably does, and the attacker's site saves it.
  • The attacker's site shows a "thank you for updating your account" page, and the user thinks that everything is normal. Meanwhile, the attacker can do whatever he likes as that user on the eBay site, and can use the victim's credit card number for any purpose.

Users can defend themselves against these kinds of schemes simply:

  • Do not be rushed -- take the time to think about things if they seem strange.
  • Follow established procedure -- beware of anything that urges you to break the normal process in order to speed things along or for any other reason.
  • Question things you don't understand -- don't be afraid to keep asking questions until you get a reasonable explanation.
  • Verify that you're on the web site you think you are before entering any information.
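The last point above is the one that can be checked mechanically: the deception in the scheme described earlier rests on a link whose visible text looks like an eBay address while its real destination is the attacker's host. The following Python script is an added example (not part of Interhack's report or of eBay's tooling) that pulls every link out of an HTML e-mail and flags the two warning signs a reader should question: link text that names one host while the href points at another, and a destination that is not on an expected-site list. The allowlist `EXPECTED_HOSTS`, the sample message and the `example.net` / `example.org` hostnames in it are all assumptions constructed for this example.

```python
"""Flag links in an HTML e-mail whose visible text and real destination disagree."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the reader actually expects to be sent to (an assumed allowlist for this example).
EXPECTED_HOSTS = {"ebay.com", "www.ebay.com"}

# Constructed sample message; the "ebay-billing.example.net" host stands in for a
# fraudulent site and is not a real address from the report.
SAMPLE_EMAIL = """
<p>Dear eBay user, please <a href="http://ebay-billing.example.net/cgi-bin/update">
http://cgi.ebay.com/update-account</a> to confirm your details.</p>
<p>Or visit <a href="http://www.ebay.com/help">the help pages</a>.</p>
<p>Also see <a href="https://example.org/">our partner</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside the open anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or bare hostname, or '' if there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(host, expected):
    """True if host is one of the expected hosts or a subdomain of one of them."""
    return any(host == e or host.endswith("." + e) for e in expected)


def suspicious_links(html, expected_hosts=EXPECTED_HOSTS):
    """Return (href, text, reason) for every link that should be questioned."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        # Only treat the visible text as naming a host if it looks like an address.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and real and shown != real:
            findings.append((href, text, "visible link text names a different host than the href"))
        elif real and not same_site(real, expected_hosts):
            findings.append((href, text, "destination host is not the expected site"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href!r}")
```

Run against the constructed message the script reports two links: the first, whose displayed address is on `cgi.ebay.com` while the href leads to `ebay-billing.example.net`, and the third, which points off-site without pretending otherwise. The second link is accepted because `www.ebay.com` is on the allowlist; subdomains of an expected host are accepted too, while a host such as `ebay.com.example.net` is not, since the comparison is on the domain suffix rather than on the string containing "ebay".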

There are some good things to note:

  • The sender of the email and the web site host were identified quickly
  • The fraudulent web site was down a few hours after the fraud started
  • Federal law enforcement was easy to reach

The report is available in PDF and HTML.