Saturday, June 03, 2006

Second Chance eBay Scams (Part I)

The Con

Online scammers operate in many ways. All of them are designed to get at your personal and account information so they can steal from you. Sometimes, they take this information by force, through viruses or spyware. Other times, they expect you to just gladly hand it over! One setting where you're likely to do that is with big ticket items from eBay that seem too good to pass up.

I had been watching a dozen Kawasaki KLR250 motorcycle auctions on eBay over a couple of weeks. One in particular looked like a good deal. Nice pictures and lots of accessories. The seller had 405 feedback ratings, 100% positive.

If you're expecting a description of how this auction was a sham or this seller was trying to cheat, that's not what the story is about. This was a perfectly legitimate auction, with a fine seller with a fine reputation. This story is about what happens after the legitimate auction closes, and everyone thinks it's over.

It's about scammers trolling ended eBay auctions and sending each non-winning bidder a fake "Second Chance" to buy the item, all the while trying to misdirect you into thinking that they are the seller whose feedback you checked out during the auction. This story is about how you can put the pieces together and figure it out, without being a network genius, and without losing a few thousand dollars.

The Offer

I bid on this bike the day before it closed, so my eBay ID was harvested from the item's bidding history page. Before the auction closed, 5 different people outbid me. In this scam, all of us except the seller and high bidder are the marks.

Six days after the auction ended, I get a "Second Chance" email offering to sell me the item at my last bid amount. In the excitement of being offered a sweet bike for just a fraction of its value, I almost didn't notice that this email was a forgery. The scam that I'm about to introduce you to involves someone - not the real seller - who sends fake "Second Chance" offers to all the non-winning bidders after the auction closes. The object of the scam is to collect a whole crop of bids by Western Union or wire transfer, and then disappear.

It begins with your receiving what looks like a "Second Chance" email for an item you recently bid on but didn't win. This fake offer is not from the real seller. The real seller doesn't know anything about it. In fact, this particular scam would be over right now if you just asked the real seller whether he/she really sent you a Second Chance offer. You can do that easily, by going back to the eBay website, pulling up the item, and clicking "Contact Seller."

But just for exercise, let's go through all the motions of the scam. All except the last one, where criminals get your money.

The Email

The fake offer arrives through eBay's official Message System, and you'll find it in "My eBay" under "My Messages." This might lull you into reduced vigilance for the rest of the scam, since new SPF / DomainKeys anti-spoofing mechanisms (if your mailserver supports them and you look at them) will verify that the message did originate at eBay, plus eBay is always touting how all the legitimate stuff will always be in "My Messages."

The sender of your "Second Chance" is a thief who uses an actual eBay account to send this spoofed offer through the eBay message system. His eBay registration will use the same email address where he wants you to reply to the scam. Otherwise he would have to convince you to reply to an address other than the one automatically generated by the eBay message system, and that would be too suspicious. The email address he uses will be a throwaway, anonymous address easily obtained at Hotmail, Yahoo or similar*.
*All it would take to shine the light of day on the scam at this point would be if eBay's Search Items by Seller form would accept a registered eBay user's email address as an alternative to searching by user ID. The Find a Member page works with both, and so should "Find Items by Seller." If it worked that way, you could easily search for auctions by seller using the email address given to you in the "offer," (where the con-man needs you to reply), and the result would show that the person issuing this "offer" is not the seller of the auction where you were bidding.

Suggested to eBay June 3, 2006, 13:07pm

Since eBay doesn't display the seller's email address until you win an auction, it's not immediately obvious that the person you're talking to is not the seller from the auction. But this fake "Second Chance" email has a link to the auction that you bid in, and the key misdirection of the whole con is perfected when you assume that bike you wanted has any relationship at all to the person sending you this email. It doesn't.

Even if you don't have a "known good" Second Chance offer to compare this one to, there are many ways to spot these fakes and eBay discusses them in its official publications. Real "Second Chance" emails that truly come from eBay will also appear in the "My Messages" section of your eBay account, with the exact subject line, "eBay Second Chance Offer for Item..." When you receive one by email, the mail headers will have a "Return-Path" of "" and a trail showing the message originating on eBay's internet address space.

Legitimate Second Chance Headers

X-Gmail-Received: 9110f2803e9cadb7f2bde3d086718b780d839891
Received: by with SMTP id c2cs613637wxa;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received: by with SMTP id t13mr2998052pyk;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Return-Path: <>
Received: from ( [])
by with ESMTP id k62si633282pyk.2006.;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received-SPF: pass ( domain of designates as permitted sender)
DomainKey-Status: good (test mode)
Received: from sj-wsyi221 ( [])
by (8.13.5/8.13.5) with ESMTP id k4L90hW6009393
for <ME@MY_EMAIL_ADDRESS>; Sun, 21 May 2006 02:00:43 -0700
DomainKey-Signature: a=rsa-sha1; s=dk;; c=nofws; q=dns;
Date: Sun, 21 May 2006 02:00:43 -0700
Message-ID: <1806957536.1148202043441.JavaMail.ebayapp@sj-wsyi221>
From: eBay

Subject: eBay Second Chance Offer for Item #9730021438: Palm Treo 700w/Treo 700 Verizon Like New, Barely Use
Mime-Version: 1.0
Content-Type: multipart/alternative;
X-eBay-MailTracker: 10039.461.0.64355
Content-Type: text/plain;charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

eBay sent this message to MY_REAL_NAME (MY_EBAY_ID).=20
Your registered name is included to show this message originated from eBay.=
Learn more:

When tracing a message's path through the internet with mail headers, disregard the first few lines listing traffic on networks whose IPs begin with 10., 192.168., 172.16. through 172.31., or 169.254. Addresses in that space are private or link-local networks. They are not routable over the internet and only show the mail bouncing around a private network either before or after travelling across the internet.

As in the above headers, when a mail actually originates at eBay, the first publicly routable IP address in the mail header will belong to eBay. When verifying this, don't just take the "resolved" domain name in the header for granted. Actually do an nslookup on the IP to make sure it resolves back to something under

If the Return-Path in the headers is "" AND the first publicly routable network listed in the mail headers belongs to eBay, then there's a pretty good chance this is a legitimate email. Mind you, a fraudulent message (like the one I received) can also be sent through the eBay message system, but those will contain a different Return-Path header of ""
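The header check described above, as an added example that is not part of the original post: it reads the Received lines top-down, skips the non-routable ranges listed earlier, and returns the first public hop. It goes one step beyond the reverse lookup the text describes by also confirming that the returned name resolves forward to the same IP. The function names, the example.com / example.net hosts and the sample addresses are placeholders constructed for illustration.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Ranges the article says to disregard, plus loopback (added here).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_routable(text):
    """True for a well-formed IPv4 address outside the ranges above."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:  # malformed value such as "999.1.1.1"
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def first_public_hop(raw_headers):
    """Read Received headers top-down and return the first routable
    bracketed IPv4: the host that handed the mail to your provider."""
    msg = message_from_string(raw_headers)
    for received in msg.get_all("Received") or []:
        for candidate in BRACKETED_IPV4.findall(received):
            if is_routable(candidate):
                return candidate
    return None


def confirmed_under(ip, domain, reverse=socket.gethostbyaddr,
                    forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must sit under `domain`
    AND resolve back to the same IP. Lookup failures count as 'no'."""
    try:
        name = reverse(ip)[0].rstrip(".").lower()
        if name != domain and not name.endswith("." + domain):
            return False
        return ip in forward(name)[2]
    except OSError:  # socket.herror / socket.gaierror
        return False


# Constructed sample shaped like the article's header dumps. Every name and
# address is a placeholder (example.* hosts, RFC 5737 documentation range).
SAMPLE = """\
Received: from edge.example.net (edge.example.net [192.168.4.9])
 by store.example.net with ESMTP id a1; Sun, 21 May 2006 02:00:44 -0700
Return-Path: <bounce@example.com>
Received: from mx1.example.com (mx1.example.com [203.0.113.25])
 by edge.example.net with ESMTP id b2; Sun, 21 May 2006 02:00:44 -0700
Received: from app-host (unknown [10.6.21.14])
 by mx1.example.com with ESMTP id c3; Sun, 21 May 2006 02:00:43 -0700
Subject: constructed test message
"""

if __name__ == "__main__":
    hop = first_public_hop(SAMPLE)
    # Stub resolvers with constructed answers keep this demo offline.
    ptr = lambda ip: ("mx1.example.com", [], [ip])
    a = lambda name: (name, [], ["203.0.113.25"])
    print(hop, confirmed_under(hop, "example.com", ptr, a))
```

Only the hop recorded by your own mail provider is trustworthy; Received lines further down were written by upstream hosts and can say anything the sender likes.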

Please don't bank on Return-Path or other header information, though. If in doubt, just forward the message along with the original headers to They'll reply within an hour and tell you whether the message is forged or not. (Make sure you don't fall for any spoofed confirmations of legitimacy!) Still, even without looking at headers, there are many other clues to alert you. Read on.

Evaluating Authenticity

When you receive an officially sanctioned message, eBay will use your real name at the beginning of the message, "eBay sent this message to YOUR_REAL_NAME (your_ebay_id)." They know your name because you gave it to them when you signed up. A scammer is not going to know your real name at this stage of the scheme, hence, it is not included in your shiny fake Second Chance email.

Real eBay messages also contain warnings and URLs with information to help you avoid falling for spoof emails. Forged ones usually don't. Real ones offer you a link to "Buy it Now" that will take you back to the eBay website where you buy the item through PayPal or another standard/somewhat-safe method. Fake ones ask you to buy by "replying" to email and eventually broach the topic of Western Union and wire transfers.

Real ones will have no errors in the message body. The fake one I got had an extra space between a period and the end of a sentence:

"buy this item or contact seller at ."

Even without any of the above indicators, we still have plenty more carelessness, errors and inconsistencies warning us this deal is a fraud. All my correspondence from this "Frank Vorus" was lousy with them.

Comparing Samples

First, I noticed that the name he used in email to me (Frank Vorus) bore no relation at all to the seller's user ID on eBay. Although a little "off," this is not terribly significant by itself. But these criminals are not very bright, and they leave a lot more clues. Take his first personalized message to me:

"I am glad that you are still interested to purchase my item. As is described on the auction the item is full operational and in proper woeking [sic] conditions."

Notice the stilted broken English. That's nothing by itself either, until the writing sample above is compared with the writing style of the original item description, written by the real seller. The real seller's writing wasn't perfect, but he was clearly a native English speaker. I also compared writing samples from the several emails I received from "Frank" with the 375 feedback messages that the real seller on eBay had "Left for Others."


"despite repeated emails-no reply-no payment-never contacted me-LOSER"

"Very fast. Item was in perfect shape. Wonderful transaction"

"neat little item-perfect for me-fast shipping!!! great ebayer"

"Got the item right away-it's neat"

"quick shipping even from Ausieland-nice guy to do business with"

The feedback / item description were definitely NOT written by the same person now sending me emails. Maybe if Frank went to an American high school and had some practice handing in copied homework, he could have pulled this off.

Frank also kept talking about how he would ship the bike. The scam could get messy if I came to pick it up and pay in person:

"You want to pick it up, but first off [sic] all i need to see the payment details, as eBay instructed us. Once i have the payment details i will deliver the bike to your home address."

Those statements are in direct contradiction with the original item description written by the real seller:


The Bait

Criminals often offer gratuitous excuses that ultimately give them away. Happens all the time on COPS™. Here's a good example:

"I asked eBay to send you a Second Chance Offer becuase [sic] the winner had some personal problems with the money and couldn't handle the situation at this time."

That's very understanding of him. A little more information than one would expect.

"If you are still interested to purchase the item is still available for sale and you have the opportunity to purchase this item at your last bid price."

Aside from the broken English inconsistent with the real seller's writing style, my last bid price was only 2/3 of the winning bid. This bike could easily sell for more than the winning bid if it was relisted. Why would it be offered to me at this price? Four other people bid more than I did, in amounts much closer to the winning bid. Wouldn't one of them have jumped at this already? That's the part that is supposed to hook you, preying on the victim's own greed, a deal so good, you can't resist.

Of course, the scam would be over right now if I just asked the winning bidder whether he bought the item, or whether he backed out because there was something wrong with the seller or the item. You can do that by going back to eBay, pulling up the auction, clicking the user ID of the winning bidder, and then clicking "Contact Member."

Building Trust

In Frank's second mail, he also asks me for some basic information - name, address and eBay ID, claiming to need it in order to start an "official eBay transaction." It made no sense to me, but all the information seemed harmless enough. In retrospect, this might have been an attempt to get enough information to break into MY eBay account. Many people use their address or zip code as a password. Another possibility is that he just wanted to list my address as the "Shipping Address" on his upcoming forged invoice to make me feel more comfortable about paying.

Speaking of paying, he closes with:

"You'll also receive important guidelines + instructions from eBay regarding our transaction (please go through them exactly). I'll handle the shipping, so this will be free of charge for you ."

Another telltale mistaken space between the period and end of sentence, indicating that the author of this message is also the author of the earlier one that was supposed to have come from eBay. More good deals to motivate me (free shipping for a 250lb motorcycle?!) and buttering me up to follow "exactly" instructions in the forged email that he'll send to me in a few minutes. Too bad his shipping promises contradict both the item description and my email to him explaining that I'd only buy the bike in person.

Later, he sends another email to shepherd me to the fleecing:

"i [sic] have requested that the details of the transaction to be verified and if everything will be ok then the transaction will be guaranteed. Once guaranteed by ebay, the transaction will be safe for both of us. Please wait for ebay's confirmation that the transaction is ok and please read carefully all the instructions that ebay will send to you. It's very important that we follow the instructions."

Yes, very important we follow the instructions. We don't want our mark accidentally sending money to the wrong thief!

Deconstructing the Payoff

One minute later, a forged email dressed to look like it came from eBay arrives, with the subject:

"You must send payment of US $2,200.00 shortly for your Item"

"Shortly for my item?" EBay copy doesn't sound like that. Return-Path in the mail headers lists "" A WHOIS on the domain "" shows it hosted and registered by 1-and-1 webhosting in Germany. That's what happens when a webhost gives away 3 free years of web hosting plus a free domain name. The first internet routable IP network in the mail headers is out of Canada, confirmed with reverse nslookup. Headers also show this guy used the burnt-tech webmail program to send this while online himself from an America Online IP address.

Forged Mail Headers, not from eBay:

X-Gmail-Received: 2bb2b2f0ee468534d60ec4a806ba172f2f9e2dae
Received: by with SMTP id e11cs34834wxe;
Fri, 2 Jun 2006 08:56:54 -0700 (PDT)
Received: by with SMTP id r16mr2041853wrb;
Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Return-Path: <>
Received: from ( [])
by with SMTP id 7si1587200wrh.2006.;
Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of
Received: (qmail 10171 invoked from network); 2 Jun 2006 15:56:50 -0000
Received: from unknown (HELO burntmail) (
by localhost with SMTP; 2 Jun 2006 15:56:50 -0000
Received: from (unverified [])
by burntmail (VisualMail 4.0)
with WEBMAIL id 10169;
Fri, 02 Jun 2006 15:56:50 +0000
From: "eBay"
Importance: Normal
Sensitivity: Normal
X-Mailer: Mintersoft VisualMail, Build 4.0.111601
X-Originating-IP: []
Date: Fri, 02 Jun 2006 15:56:50 +0000
Organization: m
Subject: You must send payment of US $2,200.00 shortly for your Item #4641831009
MIME-Version: 1.0
Content-Type: multipart/alternative;

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Second Chance Offer - Buy The Item You Recently Bid On


Tracking the Perp

The mail headers tell me that the IP address of the computer the perpetrator is using is Nslookup tells me that's an AOL (formerly America Online) IP. But I can also compare the geographic location of his IP with the geographic location of the auction as listed on eBay. When I entered the thief's IP address in GeoIP Lookup, it told me that his approximate physical location was somewhere in Germany. A few other GeoIP lookup services estimated Kansas, Florida and Maryland.

Because of the varying results and inherent inaccuracy of geographically mapping virtual IP space, I corroborated his location using a different method, traceroute. According to tracking done by Visual Trace, the trail toward his IP leads to Frankfurt, Germany before getting lost behind a firewall.

Either way, the person writing me is likely nowhere close to Tehachapi, California where the shiny red motorcycle is supposed to be. By contrast, GeoIP lookup on the real seller's IP address (taken from headers of email communication I had with him) resolves to the location listed in the auction - Tehachapi, CA.

AOL keeps records of all its users' logins and the IP addresses assigned to each user during the login period. Since these mail headers have both the perpetrator's AOL IP address and exact timestamps, it would be easy for AOL to come up with the identity of criminals based on their service billing records, and provide this to law enforcement. The problem is that most police don't understand how to investigate and prosecute this kind of computer fraud. Local police would rather refer you to the FBI and the FBI can only be bothered with big, important cases with high dollar amounts. As a result, these kinds of criminals are free to attempt their crime as many times as they need to, until they succeed. Consider how that would be if police treated attempted bank robberies the same way.

Recognizing Trouble

The purpose of the final forgery is to persuade me to transfer a couple thousand dollars by Western Union -- a payment method the real eBay specifically warns its customers NOT to use in almost every piece of correspondence they send.

The fraudulent message uses comforting words like "insured", "verified," "protection," "refund," and "in association with eBay Inc." to coax me into compliance. I am supposed to "Pay for the transfer with cash at a local Western Union agent."

And, in case I was wavering, wondering whether or not I should send the money, the scammer targets your desire to get something for nothing -- a 50% discount on the wire transfer fee!

"Because the fee to send a Western Union Money Transfer is high, compared to other methods of payment, we have arranged with the seller to compensate for half of this fee (i.e. if it costs you $100.00 to send the payment, take $50.00 from the amount insured and send the balance)."

So many elements of a confidence game manipulate the greed or dishonesty of the victim. So remember the old saying, "You can't cheat an honest man."

Closing the Deal

I write him back to tell him that if I am going to buy anything, it will be in person and only after checking out the quality of the merchandise first. I ask him for his phone number, address, real contact points where even clueless police might be able to pick him up. He doesn't go for it. Instead, he appeals to me to just do "as eBay instructed us," invoking their higher authority. It's a tactic con-men use to exploit the comfort most people take in following rules and doing what they're told.

Before closing this case, I warned the other non-winning bidders of this auction and, even though it's nigh impossible to file a security incident report, I reported the situation to eBay. But eBay is busy, and they are not looking into it.

In fact, 6 days after I emailed multiple detailed complaints to eBay (each one answered by just more dull, canned text by CSRs with different first names), explaining how this person was using an actual eBay account to victimize other users by relaying spoofed messages through the official eBay message system, and despite feel-good assurances by eBay representatives like "Ide,"

"I have reviewed your report and have taken appropriate action in accordance with our policies. Such action may include issuing a warning, a temporary suspension, an indefinite suspension or terminating the membership. Out of concern for our members' privacy, we don't discuss the specifics of the actions we take in these situations."

eBay's Member Search page shows that the perpetrator still has his valid eBay account:

"The email address is used by a valid eBay member with a feedback score of 0 (0% positive). For privacy purposes, it is eBay's policy that User IDs are not revealed to members who are not involved in current or recent transactions with each other."

While I am stuck in a feedback loop with eBay's robot employees, this con-artist keeps his eBay account, and no organized countermeasures are mustered against him. He has been free to run the same scam hundreds more times since my first report to eBay's security group.

If this particular thief ultimately succeeds in stealing someone's money, a good lawyer could make a great case that eBay is negligent for failing to revoke the fraudulent account after having notice of it, and that eBay should be held liable for the damage.


These crooks will always be able to vary slightly from the outline presented here, but they will always make mistakes that give themselves away. They're not that smart. If they were, they wouldn't have to be criminals.

For the volume of confidence scams connected to eBay, the ironic slogan, "bid with confidence" is certainly appropriate.