Monday, July 03, 2006

eBay Scams Use Good English, Too

One of the comments to my original article said messages from people speaking poor English should be assumed to be a fraud, and that spotting fraud is basically as simple as that.

While that strategy will help one avoid some fraud, it rules out legitimate transactions with non-native English speakers. It also does not protect against attacks written in good English, like this one:
X-Gmail-Received: 8bc0668f763bd8b5b375a143b754ccbca132c47e
Delivered-To: [my_email_address]
Received: by with SMTP id g8cs39451wre;
Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Received: by with SMTP id c9mr8941412pyk;
Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Return-Path: <>
Received: from ( [])
by with ESMTP id w63si924779pyw.2006.;
Mon, 19 Jun 2006 16:32:19 -0700 (PDT)
Received-SPF: neutral ( is neither permitted nor denied by domain of
Received: from ( [])
by (8.13.5/8.13.5) with ESMTP id k5JNWI9B022604
for <[my_email_address]>; Mon, 19 Jun 2006 16:32:18 -0700
Received: from localhost.localdomain (localhost.localdomain [])
by (8.11.6/8.11.6) with ESMTP id k5JNWIB11820
for <[my_email_address]>; Mon, 19 Jun 2006 16:32:18 -0700
Message-Id: <>
Content-Disposition: inline
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="ISO-8859-1"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.72; A1.60; B2.20; Q2.20)
Date: Mon, 19 Jun 2006 23:32:18 UT
To: [my_email_address]
Subject: =?ISO-8859-1?B?ZUJheSBTZWNvbmQgQ2hh?=
X-Mailer: Rest Of World Mailer=ROW::EMail


As the first article discussed, the Return-Path is wrong for a legitimate Second Chance offer.

The square block of gibberish text is the message payload, base64 encoded. The encoding is probably intended to foil email providers' spam and malicious mail filtering. If so, it's a weak attack since any good mail filter will be capable of base64 decoding and examining the content. In any case, the real eBay does not base64 encode messages, so this is clearly a fake.

The above decodes to the following text in the email client:

Dear [ebay_username],

You expressed interest in an item titled 2006 Kawasaki : KLX KLX 250S - Item Number 4650332800 by bidding, however the auction has ended with another member as the high bidder. In compliance with eBay policy, the seller is making this Second Chance Offer to you at your bid price of US $1,800.00 . The seller has issued this Second Chance Offer because he has duplicate items for sale or the winning bidder was unable to complete the transaction. If you accept this offer, you will be able to exchange Feedback with the seller and will be eligible for eBay services associated with a transaction, such as fraud protection.


This request is related to item # 4650332800.


Marketplace Safety Tips

Never respond to an unsolicited email that includes incentives to buy or sell an item off the eBay Marketplace. If you get such an email, please report it to eBay at

Never pay for your eBay item through instant cash transfer services such as Western Union or MoneyGram - such services offer Internet shoppers no protection against fraud.


Note: Immediately contact Rules & Safety if one of eBay's rules were violated, such as:

- Your contact information was used for purposes unrelated to eBay business, published online or offline, or was used for the purposes of harassment.

- You received contact information that you believe to be erroneous.

Thank you for using eBay!

Aside from the bad mail headers, additional problems with the content of the offer give it away as a fake. In order of highlighted material above:

  1. The thief did not know my real name, as eBay would if this were a real offer.
  2. A mistaken space between the price and the period at the end of a sentence, and between the pound sign and the item number.
  3. Reference to which is the eBay domain for the Philippines. I don't shop there.

I write back, agreeing to pay. The thief replies using a Yahoo mail account from an AOL IP address that, combined with the timestamps in the mail headers and a subpoena for billing records, law enforcement could use to track down an actual person.

There is no foreign accent in this message, so you cannot rely on broken English alone to alert you to bad deals.


This is John Mitchell, owner of the bike, writing you my terms of sale in order to complete our deal.

The winner of the auction was unable to follow through with the purchase so I decided to use eBay's Second Chance Offer service to contact the other bidders. You are the first one to answer and the selling price will be your highest bid placed on my listing. This will also include the shipping charges to your address. Yes, I will take care of delivery as I have a cousin which owns a shipping company and he will gladly do me this favor.

The bike is in excellent working condition and with clear title. You will receive all the necessary papers to get the bike registered into your name. You have my word that you won't be dissapointed [sic] in this unit.

As for payment, I would like to let eBay handle the transaction, as I am currently out of the country on the Carribean Islands. I am a scenic photographer and I am working for a new project here. So eBay will be the best solution for the both of us. I need your full name and address and also your eBay user id to start the process with them. They will then email you an electronic invoice for your purchase along with the payment instructions.

I will be waiting for your reply in order to conclude this deal as smooth as possible.
Thank you very much for your time.

Best regards,

John Mitchell

Scenic Photographer

  1. Offering you free shipping preys upon the victim's desire to get something for nothing. It also keeps the price set at the amount the victim was last willing to pay. The thief does not want the victim to back out over shipping charges! Of course, if you go back and look at the auction this fraud is referring to, the real seller explicitly states:
    winning bidder pays all shipping charges!

  2. The thief's general promise that all "necessary papers" will be included tends to show that the thief does not know what the necessary papers are, and is therefore not the real seller. Different states have different titling requirements. A real seller would say, "this comes with a bill of sale because my state doesn't require titles," or, "the title has already been notarized," something more specific, demonstrating knowledge that a legitimate seller would have.

  3. The claim of being a "scenic photographer" is just misdirection and an attempt to lull the victim into a false sense of security. The fact that the thief's signature at the end of the email includes a job title, but no phone contact information shows again that this is a fraud. Anyone with a "signature" that lists a job title will also list a phone number. Besides, if you're about to spend a few thousand dollars, a real seller would give you his phone number to make sure the sale is completed. Thieves won't because they need to hide in the shadows of the internet.

  4. The reason the thief wants your full name and address is because he wants to dummy up a fake shipping Bill of Lading to make you feel like you are actually going to get the merchandise. The reason he wants your eBay user ID is because he needs to generate a fake invoice from eBay that wouldn't look authentic without referring to your eBay user ID, and at this point, the thief doesn't have that because he doesn't know which victim you are.

    He sent many fake offers to multiple victims through eBay's "Contact Member" feature, which only reveals your user ID to him, and not your email address. When you reply to the first fake offer, the thief has your email address, but no clue which eBay user ID it is associated with. Of course, if he only sent one fake offer and received an answer, he'd know the eBay user ID, but these thieves don't work that slowly. This fraud is taking place on a massive scale.

I reply to this message, providing a fictitious name, address and eBay ID. I confirm my last bid amount, intentionally supplying the wrong amount. His reply, by Yahoo Mail from another AOL IP address:

you will receive the payment instructions from eBay first thing tomorrow morning.
please get back to me as soon as you hear from them.
Thank you.

As promised, the next morning, I receive this forgery:

X-Gmail-Received: 61bfa50c689e879991fa8974e1c9b24bd9771fcc
Delivered-To: [my_email_address]
Received: by with SMTP id g8cs1138wre;
Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Received: by with SMTP id v36mr2024819nzi;
Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Return-Path: <>
Received: from ( [])
by with ESMTP id 40si955960nzf.2006.;
Thu, 22 Jun 2006 06:53:33 -0700 (PDT)
Received-SPF: softfail ( domain of transitioning does not designate as permitted sender)
Received: from ( [])
(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
(No client certificate requested)
by (Postfix) with ESMTP id 12B26D9057C
for <[my_email_address]>; Thu, 22 Jun 2006 07:53:13 -0600 (MDT)
Received: from ( [])
by (8.12.11/8.12.11) with ESMTP id k5MDu3FS010458;
Thu, 22 Jun 2006 09:56:05 -0400
From: "eBay Escrow Service"
To: [my_email_address]
Subject: Invoice for your eBay item #4650332800
Date: Thu, 22 Jun 2006 09:55:54 -0400
Message-Id: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;

Looking only at the mail headers, the email is clearly a fraud. Although the Return-Path and From fields are nicely forged, the Received headers show that the mail originated from an anonymizing service called
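
The header checks this post relies on (the Return-Path, the Received-SPF verdict, and decoding the base64 body and Subject), as an added Python example that is not part of the original article. The message is constructed, its host names and addresses are placeholders, and the `triage` function and its `ebay.com` expected domain are assumptions made for illustration.

```python
import base64
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed message modeled on the first set of headers quoted in this post.
# Hosts and addresses are placeholders; the Subject value is the one shown above.
BODY = b"Dear buyer, the seller is making this Second Chance Offer to you."
SAMPLE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received-SPF: neutral (mx.example.org: 192.0.2.10 is neither permitted "
    "nor denied by domain of bounce@mailer.example.net)\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Type: text/plain; charset="ISO-8859-1"\n'
    "MIME-Version: 1.0\n"
    "Subject: =?ISO-8859-1?B?ZUJheSBTZWNvbmQgQ2hh?=\n"
    "To: buyer@example.org\n"
    "\n" + base64.encodebytes(BODY).decode("ascii")
)

def triage(raw, expected_domain="ebay.com"):
    """Return (decoded subject, decoded body, findings) for one raw message."""
    msg = message_from_string(raw)
    findings = []
    # Envelope sender: compare its domain with the brand the mail claims (assumed).
    _, addr = parseaddr(msg.get("Return-Path", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        findings.append("return-path domain %r is not %s" % (domain, expected_domain))
    # The receiving server's SPF verdict: anything other than "pass" is noted.
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    if spf != "pass":
        findings.append("spf=" + spf)
    # A base64 transfer encoding hides nothing: note it, then decode the text.
    if msg.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
        findings.append("text body is base64-encoded")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "ascii", "replace")
    # RFC 2047 encoded-word subjects are decoded the same way.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    return subject, body, findings

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

A message whose Return-Path is forged to the expected domain passes the first check, so the SPF verdict and the Received chain remain the deciding evidence, as with the second email in this post.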

The message portion of this forged email was very sloppy, saying only:

Dear [wrong_ebay_user_id],

Your payment instructions are attached to this message.

Thank you for using our services.

eBay Escrow Team.

The email contained an HTML attachment, which eBay would never send. I viewed it because Gmail will disable any embedded web-bugs and scripting, but normally, you should never open any file attachments unless you asked for them or know what you are doing.

The attached document was an amateurish forgery of an eBay invoice listing the fake Buyer Information that I provided, the wrong price, the thief's false Seller Information, and these instructions:

Please visit your bank and make the payment by wire transfer using the below details of our eBay agent #27:

Account Holder : Joel Rojo
Bank Name : La Salle Bank
Bank address: 68 Stratford Drive, Bloomingdale, IL, 60108
Checking Account #: 5308953453
Bank Routing #: 071000505

Confirm the payment by sending us the bank payment receipt to:
Fax Number (312) 276-8546.

This is a real bank and a real account number (the thief needs to be able to retrieve his money!). In order to open a bank account in the U.S., you need to provide quite a bit of identification. Therefore, it would be relatively easy for law enforcement to capture this criminal by serving a subpoena on the bank for his account records.

Sadly, no law enforcement agencies are interested in pursuing this. I contacted the Illinois Attorney General's Office and got no response. I also talked to an FBI agent on the phone who let me know that his agency could not help unless damages exceeded $100,000.

So again, in a case that was even easier to investigate than the original (the trail in that one led to Germany), no law enforcement agency would take any steps to stop and punish this crime. Meanwhile, the thief continues to try to steal from people (perhaps 10, 50, 500 per day) every day.

Considering that it is well within the thief's ability to contact 100 marks per day using robot harvesters, mass mailing, and other computing power, he could have easily approached over 800 people in the week between the time he contacted me and the writing of this article. If just 2% of victims fall for the scheme (I would bet money the rate is much higher), and the average damage is $2,000 then this thief and others like him can collect (800 * 2% * $2,000) over $30,000 per week -- with no resistance from any law enforcement agency!

In just 4 weeks, this thief can crack the FBI's $100,000 minimum, but because he's stealing smaller amounts from many victims, no single victim will get any help from the FBI, which is probably the only agency technically capable of investigating and prosecuting this kind of crime.

eBay does not pursue reports of this kind of abuse, either. More than a week after I sent them a detailed report about how the eBay user with email address "" was using eBay's "Contact Member" system to perpetrate fraud, that user still has an open eBay account with which to commit these crimes.