Release of "Anatomy of Online Fraud: How Thieves
Targeted eBay Users but Got Stopped Instead"
COLUMBUS, OHIO--(June 20, 2003). Interhack releases "Anatomy of Online Fraud: How Thieves Targeted eBay Users but Got Stopped Instead", a technical report documenting an online fraud case targeted against eBay users. In the past week, two similar fraud schemes have been launched against Best Buy users.

The report should be of interest to users of web sites for commercial activity, developers and operators of such sites, security professionals, and law enforcement officials who need to deal with cases of online fraud.

Available free of charge from Interhack's Web site, the report details how the fraud was committed, how the perpetrators were identified and reported, and how law enforcement officials were alerted.
In a nutshell, it works like this:

- The attacker builds a fraudulent web site that looks just like eBay's.
- The attacker sends email out to eBay users telling them that they need to re-enter their credit card number, giving a link in the email that looks like an eBay link but really goes to the attacker's web site.
- The user logs in to the attacker's web site, using his eBay name and password. The attacker's site will accept anything and store it.
- The user then is told to enter his credit card number, which he presumably does, and the attacker's site saves it.
- The attacker's site shows a "thank you for updating your account" page, and the user thinks that everything is normal. Meanwhile, the attacker can do whatever he likes as that user on the eBay site, and can use the victim's credit card number for any purpose.
Users can defend themselves against these kinds of schemes simply:

- Do not be rushed -- take the time to think about things if they seem strange.
- Follow established procedure -- beware of anything that urges you to break the normal process in order to speed things along or for any other reason.
- Question things you don't understand -- don't be afraid to keep asking questions until you get a reasonable explanation.
- Verify that you're on the web site you think you are before entering in any information.
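The scheme above hinges on one detail: the link text in the email names eBay, but the link itself goes to the attacker's host. The same mismatch is something a mail gateway or a cautious reader can check mechanically before anyone follows the link. The script below is an added example written for this page, not code from Interhack or from the report; it parses a constructed HTML email body, collects every anchor, and flags links whose visible text looks like a URL on one domain while the real destination is on another. The sample message, the placeholder attacker host (signin.example.invalid, a reserved non-routable domain) and the function names are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the release describes: the visible link text
# names eBay, but the real destination is a different host. The second link is
# honest, so it must not be flagged. (Constructed for this example.)
SAMPLE_EMAIL_HTML = """
<p>Dear eBay user, please re-enter your credit card number within 24 hours.</p>
<p><a href="http://signin.example.invalid/update-billing">http://www.ebay.com/</a></p>
<p>Questions? See <a href="http://pages.ebay.com/help">http://pages.ebay.com/help</a></p>
"""

# Visible text that a reader would take for a web address (scheme optional).
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lower-cased hostname of a URL or bare domain; None if there is none."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None


def base_domain(host):
    """Last two labels of a hostname (ebay.com for signin.ebay.com).

    Simplification for the example: a real deployment should consult the
    public suffix list so that hosts under co.uk, com.au, etc. are handled.
    """
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html_body):
    """Return links whose shown address and real destination disagree.

    Each finding is a dict with the text the reader sees ('shown') and the
    URL the browser would actually open ('actual').
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href or not _URL_LIKE.fullmatch(text):
            continue  # plain-word link text carries no address to compare
        shown, actual = hostname_of(text), hostname_of(href)
        if shown and actual and base_domain(shown) != base_domain(actual):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {hit['shown']!r} but goes to {hit['actual']!r}")
```

Run against the sample, the script reports the first link and stays quiet on the honest help link. The check only covers the "link that looks like an eBay link" trick; it does nothing for a mail whose link text is a plain word such as "click here", which is why the last item in the list above, checking the address of the site actually loaded before typing anything, still matters.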
There are some good things to note:

- The sender of the email and the web site host were identified quickly.
- The fraudulent web site was down a few hours after the fraud started.
- Federal law enforcement was easy to reach.
The report is available in PDF and HTML.