EBay Account Hijack?

Posted by: BrianD on 14 January 2005

Need some quick help, I think.

Logged on and brought up Outlook Express to find an e-mail from eBay thanking me for submitting a request to change my e-mail address with them. The email gives a link I can select if it wasn't me who requested the change; it wasn't me. Going to the link takes me to eBay, where the advice, among other things, is to change my password.

This was the link

http://pages.ebay.co.uk/help/confid...ount-theft.html

I closed the browser at this point, cleared the cache and relaunched the browser going to EBay via my normal method. I logged in to find there was an item for sale that was even listed as a spam item - do not bid. I deleted the listing, changed my EMAIL address but not my password and sent an e-mail to EBay.

Anyone seen this kind of thing before?

What else should I do about it?

Tks

Brian

[This message was edited by BrianD on Fri 14 January 2005 at 20:57.]
Posted on: 14 January 2005 by garyi
Looks like you have been hijacked.

The general rule is do not click a link from anything purporting to be eBay. eBay will never ask you to link to their site via an email, any more than a bank would.

Make your password complicated and unique.
Posted on: 14 January 2005 by garyi
To confirm try changing your password, if you can't then someone has changed it for you.
Posted on: 14 January 2005 by BrianD
Gary

I've changed my EBay email address, login and password and also my PayPal password. The Ebay password was formed from the first part of two words, it is now mumbo jumbo. The PayPal password was always mumbo jumbo but is now even more so.

I've ran a spybot check which found nowt and also ran a virus scan using Zone Alarm which also found nowt. How can I check if there is a keyboard logger or something on my system?

Cheers

Brian
Posted on: 14 January 2005 by Mick P
Brian

For a good answer, log on to this

http://forums.techguy.org/

Then go to the security section and ask away.

You will get a good answer within an hour.

Good luck

Mick
Posted on: 14 January 2005 by Paul Hutchings
Brian,

If you've ran spybot and an antivirus sweep both with the latest pattern files, and you use Zonealarm then all things being equal I wouldn't worry about things like keyloggers.

Rule #1 is that companies like ebay/paypal/banks will never ask you to confirm details via email.

The arseholes who perpetrate these scams do a really good job most of the time and the only way you can tell it's a fake is to look at the email source code, or the email headers.

If you get an email like this and you believe it is a genuine request to change your details, don't use the link in the email, manually go to the homepage of the site in question and do it from there, that way you know you're using the legitimate site.

cheers,
Paul
Posted on: 14 January 2005 by NaimDropper
This discussion inspired me to change my passwords to an even more difficult-to-crack version.
Thanks, Chaps!
David
Posted on: 16 January 2005 by BrianD
Thanks for the replies.

Here's an update.

I've now had no less than 12 e-mails over the last 2 days from 'eBay'. Some will be genuine, I think I know which are not.

Because I've sent 4 reports to eBay at each stage of this to describe what has been happening with my account, I believe there is now more than one person dealing with this at eBay. Having changed all of my details and accessed my account again, my account has now been suspended pending further investigations by eBay into what has happened. I don't know if this is a further issue, or as I say, is someone else responding to the initial reports but after it's been sorted out. I've got no problem with this anyway though, I'll wait and see what happens, but I'm at the point where I'm not bothered whether I use eBay again. A shame, since it's not their fault.

My passwords were all pretty bad, I was using a word formed from the children's names, :( although my PayPal password was always mumbo jumbo. :)

But now, although this isn't an actual password, I'm using different passwords for everything and they go along the lines of ...

sdj8fl+*£kt3

I'm going to change my passwords every month from now on.

I've even changed my initial password used to login to the internet. I did this with a telephone call to Freeserve. It is also now mumbo jumbo and very long.

What I'd give to know the individual coward who has done this.
Posted on: 16 January 2005 by Paul Hutchings
Brian,

For what it's worth, once you know what to look for it's pretty simple to work out which ones are genuine and which aren't.

In Outlook Express, you can do a couple of things.

One is to right-click in the message body and select "View Source" (or words to that effect). Usually where the supposed link to Ebay appears, you'll see that in the raw code there is a link to some dodgy website somewhere with coding next to it that makes it look in the message as if it's the Ebay site.

The other way is to look at the message headers to see the route the message has taken.

You get to this from File/Properties, then the Details/Message Source options.

You'll see the raw text of the whole message, including the headers that get added by mailservers as it gets sent to you, e.g:

Return-Path: <clutter@sprote.com>
Delivered-To: spamcop-net-paul@spamcop.net
Received: (qmail 16884 invoked from network); 5 Jan 2005 05:35:49 -0000
Received: from unknown (192.168.1.103)
  by blade5.cesmail.net with QMQP; 5 Jan 2005 05:35:49 -0000
Received: from ylpvm43-ext.prodigy.net (HELO ylpvm43.prodigy.net) (207.115.57.74)
  by mailgate2.cesmail.net with SMTP; 5 Jan 2005 05:35:49 -0000
Received: from [10.0.1.66] (adsl-216-103-84-70.dsl.snfc21.pacbell.net [216.103.84.70])
  by ylpvm43.prodigy.net (8.12.10 outbound/8.12.10) with ESMTP id j055Zvtv022491
  for <paul@spamcop.net>; Wed, 5 Jan 2005 00:35:58 -0500
Mime-Version: 1.0 (Apple Message framework v688)
In-Reply-To: <20050103135111.z7rcen9c4wg0wc04@webmail.spamcop.net>
References: <732DBED2-5915-11D9-B202-000D93C8BF6C@spamcop.net> <36BD33B8-056D-405B-86C5-A7B339314C00@sprote.com> <20050103135111.z7rcen9c4wg0wc04@webmail.spamcop.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <90A77956-1F20-434C-8E1B-A42592F2EF70@sprote.com>
Content-Transfer-Encoding: 7bit
From: "Sprote Rsrch." <clutter@sprote.com>
Subject: Re: Clutter and sleep
Date: Tue, 4 Jan 2005 21:35:43 -0800
To: Paul Hutchings <paul@spamcop.net>
X-Mailer: Apple Mail (2.688)
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=none version=3.0.0
X-SpamCop-Checked: 192.168.1.103 207.115.57.74 10.0.1.66 216.103.84.70

Probably looks like a nightmare, but if you start with the last received line and work up the message headers, you'll see the route the message took.

If you look at a few legitimate messages from people you know, you'll soon spot that if they have a @hotmail.com address the headers will mention hotmail.com almost all the way until the top where the email reaches your ISP.

If you look at all the ebay spoof emails, you'll see that they almost always will have been sent by hijacked home machines and dialup internet accounts, e.g:

Received: from host237-200.pool80116.interbusiness.it (80.116.200.237)
  by mailgate.cesmail.net with SMTP; 15 Jan 2005 15:50:50 -0000

Shows that this email was sent to me from a dialup or ADSL machine in Italy, so if it claimed to be from Ebay I'd know that it really wasn't.

It's worth learning how to decipher these things, hope that's of some help to someone.

cheers,
Paul
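The header walk described in the post above, as an added Python example that is not part of the original post. It assumes you know your own mail provider's domain (`cesmail.net` here, taken from the quoted headers); the sample message, the `support@ebay.com` address and the bottom forged hop are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. The middle Received line is the spoof example quoted in
# the post; the other headers (including a forged bottom hop) are made up.
SAMPLE = """\
Received: from unknown (192.168.1.103)
 by blade5.cesmail.net with QMQP; 15 Jan 2005 15:50:51 -0000
Received: from host237-200.pool80116.interbusiness.it (80.116.200.237)
 by mailgate.cesmail.net with SMTP; 15 Jan 2005 15:50:50 -0000
Received: from mail.ebay.com (192.0.2.7)
 by relay.ebay.com with SMTP; 15 Jan 2005 15:50:40 -0000
From: "eBay" <support@ebay.com>
Subject: Please confirm your account

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I)
IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def hops(raw):
    """Received hops, newest first (the order they appear in the message)."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = HOP.search(flat)
        if m:                                   # skips lines like "(qmail ... invoked)"
            ip = IP.search(flat)
            out.append({"from": m.group(1).lower(), "by": m.group(2).lower(),
                        "ip": ip.group(1) if ip else None})
    return out

def check(raw, my_provider):
    """Compare the claimed From domain with the host that handed the mail to
    my_provider. Hops older than that hand-off are written by the sender's
    side and can be forged, so they are ignored."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    claimed = sender.rpartition("@")[2].lower()
    handoff = None
    for hop in hops(raw):
        if not in_domain(hop["by"], my_provider):
            break
        handoff = hop
    ok = bool(handoff) and in_domain(handoff["from"], claimed)
    return {"claimed": claimed, "handoff": handoff, "consistent": ok}
```

A mismatch is a signal rather than proof: plenty of legitimate senders relay through an ISP or third-party mail server, so the hand-off host is best read alongside the other checks in the thread.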
Posted on: 16 January 2005 by BrianD
Paul

Thanks for that explanation. I can see it's not too difficult to follow, so the info you've offered will be useful for me. I've printed it and will keep it for reference.

Thanks a lot

Brian