Online Scams

Web Spoofing

Web spoofing is a new kind of digital con game in which attackers create a convincing but false copy of a Web site you know and trust. The spoofed site looks just like the real one; it has the same pages, graphics, and links. However, the attacker controls the site, so that all traffic between the victim's browser and the Web goes through the spoofer's computer. A spoofing attack sets up the victim to do something that would be entirely appropriate if the false world were real, such as entering his or her user name and password.

eBay and a cross-section of its 55 million users were targets of a convincing Web spoof in December 2002. The perpetrators reportedly set up a fake eBay that mimicked the auction site right down to its artwork, color scheme, and logos. The scammers somehow acquired a number of eBay users' e-mail addresses, and then sent an authentic -looking message requesting that the recipients log on to a secure hyperlink (www.ebayupdates.com) and re-enter financial data such as their credit card numbers and bank account numbers .

 ----Original Message----      From: eBay Billing      Sent: Thursday, Dec. 3, 2002 11:23 PM      To: eBayUserX@ISP.com      Subject: Billing Error      Dear eBay Member,      We at eBay are sorry to inform you that we are having problems with      the billing information of your account. Please use the following      link to log on to eBay and update your account information. 

eBay quickly got wind of the scheme and had the fake auction site shut down. But by that point, countless users had been stung and the damage was already done. Unfortunately, some people are more gullible than others are!

This was not the first instance of identity theft perpetrated on a spoof eBay site. It must be noted, however, that eBay bears no responsibility for this kind of hoax. The best it can do is sound a clarion call that scams are part of the auction game and instruct its members on how to avoid them. eBay has always gone the extra mile in that regard.

Auction fraud accounts for 46 percent of all online complaints. Following is a recap that I found on the Security Center of PayPal (http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/security-main-outside), which is now owned by eBay. Investing an hour of your time to learn the ground rules before you conduct business on the Internet could save you a lot of grief ! The same rules that apply to online auctions generally conform to all Internet commerce.

Figure 13.10: The PayPal Security Center

Online auction security tips:

• Know your seller. (Check the seller's feedback.)

• Compare listings. (Be suspicious of hard-to-find items offered at low prices.)

• Don't sacrifice caution for an impulse buy.

• Use extra caution with high-demand items.

• Ask before you buy.

• Be wary of items with delayed shipment.

• Do not buy items "out of auction" (the Jason Eric Smith rule).

• If it sounds too good to be true, it probably is.

• Never share your password with anyone .

• Don't use the same password for other online services, such as AOL, MSN, or Yahoo!

• Never access a Web site by clicking on an e-mail hyperlink.

• Use a secure SSL connection.

Online auction warning signs:

• Seller has large quantities of hard-to-find items.

• Seller buys low-dollar items to improve his or her feedback rating, and then lists high-ticket items to rip off bidders.

• Seller lists multiple items with the same picture.

• The expected delivery date is more than 20 days after payment.

Fraud prevention tips for sellers:

• Ship to the buyer's confirmed address.

• Use a shipping service with online tracking.

• Check out the buyer's feedback rating and reputation.

• Accept payment from only one PayPal account per buyer.

• Limit credit card payments.

• Be wary of buyers who are not concerned with costs.

• Conduct more research on buyers of high-value items.

• Be extra cautious with non-U.S. payments.

I'm obviously a big fan of online auctions (and eBay in particular), which is why I wrote Confessions of an Internet Auction Junkie a few years ago. But even if 99 percent of eBay's transactions go through without a hitch, as the company claims, that still leaves hundreds of thousands of complaints each year, a majority of which involve fraud. It's incumbent on eBay to make its site as secure as possible. Unfortunately, I occasionally encounter security holes and lapses on eBay's part.

Figure 13.11: eBay non-secure seller sign-in

For the life of me, I don't understand how in this day and age eBay can have a non-secure log-on page by default. But it does! When you click Sell on eBay, you're directed to a non-SSL sign-in page where you're prompted to enter your user name and password. Directly below, eBay provides a link to a secure sign-in page. So why not provide SSL sign-in by default? I find security lapses like this all over the Internet. No site, large or small, is above security blunders.

Dot-Cons

Con artists have gone high-tech! Whether they're using the excitement of an Internet auction, applying new technology to peddle traditional business scams, using e-mail to reach vast numbers of people with false promises, or hijacking consumers' modems and cramming hefty long-distance charges onto their phone bills, scam artists are just a click away. Fortunately, law enforcement is on the case. Using complaints to Consumer Sentinel, a fraud database, as their guide, the FTC has identified the top-ten dot-cons facing consumers on the Web. The following information was gleaned from the Web site of the FTC at http://www.ftc.gov/bcp/conline/edcams/dotcon/.

1. Internet auctions. After sending their money, consumers receive an item that is less valuable than promised ”or worse , they don't receive anything at all.

2. Long-distance and Internet access services. Simply by cashing a check, consumers have been trapped into long- term contracts for Internet access or long-distance services with big penalties for cancellation or early termination. If a check arrives at your home or business, read both sides carefully and look inside the envelope to find the conditions you're agreeing to if you cash the check.

3. Porn site credit card scam. The lure is to view adult images online for free, but you must provide a credit card number to prove the user is over 18. The porn site then runs up big charges on the victim's credit card, and the victim is too embarrassed to dispute them. You should always dispute unauthorized charges on your credit card bill by complaining to the bank that issued the card. Federal law limits your liability to $50 in charges if your card is misused.

4. International modem dialing. This scam promises users free access to adult material and pornography by downloading a viewer or dialer program. The dialing program then disconnects the modem and reconnects to the Internet using an international long-distance number. Victims are then billed exorbitant long-distance charges on their phone bills.

5. Web cramming. Charges for a supposedly free custom-designed Web site or other service are billed to the victim's phone bill.

6. Multilevel marketing plans ( pyramids ). The idea of a making money through products you sell, as well as those sold by people you recruit into the program, backfires when the products don't sell and people decline to be recruited. Avoid plans that require you to recruit distributors , buy expensive inventory, or commit to a minimum sales volume.

7. Travel and vacation. The promise of a luxurious trip with lots of extras at a bargain- basement price is destroyed when the tourist receives lousy accommodations or no trip at all. Get references for any travel company with whom you plan to do business. Then get details of the trip in writing, including the cancellation policy, before you sign up for anything.

8. Business opportunities. Taken in by promises of excellent earnings, many consumers have invested in biz ops that turned out to be biz flops! Talk to other people who started businesses through the same company, get all the promises in writing, and study the proposed contract carefully before signing.

9. Investments. In this scam, the promise of huge returns after investment in a day-trading system or a service that claims to be able to predict the market with 100 percent accuracy backfires and the victim loses money. Be wary of extravagant claims about performance or earning potential.

10. Healthcare products. The promise that items not sold through traditional suppliers are proven to cure serious and even fatal health problems can delay seriously ill people from getting the health care they need. Consult a healthcare professional before buying any cure-all that claims to treat a wide range of ailments or offers quick cures and easy solutions to serious illnesses.