Saturday, June 03, 2006

Second Chance eBay Scams (Part I)

The Con

Online scammers operate in many ways. All of them are designed to get at your personal and account information so they can steal from you. Sometimes, they take this information by force, through viruses or spyware. Other times, they expect you to just gladly hand it over! One setting where you're likely to do that is with big ticket items from eBay that seem too good to pass up.



I had been watching a dozen Kawasaki KLR250 motorcycle auctions on eBay over a couple of weeks. One in particular looked like a good deal. Nice pictures and lots of accessories. The seller had 405 feedback ratings, 100% positive.



If you're expecting a description of how this auction was a sham or this seller was trying to cheat, that's not what the story is about. This was a perfectly legitimate auction, with a fine seller with a fine reputation. This story is about what happens after the legitimate auction closes, and everyone thinks it's over.



It's about scammers trolling ended eBay auctions, and sending each non-winning bidder a fake "Second Chance" to buy the item. All the while trying to misdirect you into thinking that they are the seller who's feedback you checked out during the auction. This story is about how you can put the pieces together and figure it out, without being a network genius, and without losing a few thousand dollars.



The Offer

I bid on this bike day before it closed, so my eBay ID was harvested from the item's bidding history page. Before the auction closed, 5 different people outbid me. In this scam, all of us except the seller and high bidder are the marks.



Six days after the auction ended, I get a "Second Chance" email offering to sell me the item at my last bid amount. In the excitement of being offered a sweet bike for just a fraction of its value, I almost didn't notice that this email was a forgery. The scam that I'm about to introduce you to involves someone - not the real seller - who sends fake "Second Chance" offers to all the non-winning bidders after the auction closes. The object of the scam is to collect a whole crop of bids by Western Union or wire transfer, and then disappear.



It begins with your receiving what looks like a "Second Chance" email for an item you recently bid on but didn't win. This fake offer is not from the real seller. The real seller doesn't know anything about it. In fact, this particular scam would be over right now if you just asked the real seller whether he/she really sent you a Second Chance offer. You can do that easily, by going back to the eBay website, pulling up the item, and clicking "Contact Seller."



But just for exercise, let's go through all the motions of the scam. All except the last one, where criminals get your money.



The Email

The fake offer arrives through eBay's official Message System, and you'll find it in "My eBay" under "My Messages." This might lull you into reduced vigilance for the rest of the scam, since new SPF / Domainkey anti-spoofing mechanisms (if your mailserver supports them and you look at them) will verify that the message did originate at eBay, plus eBay is always touting how all the legitimate stuff will always be in "My Messages."



The sender of your "Second Chance" is a thief who uses an actual eBay account to send this spoofed offer through the eBay message system. His eBay registration will use the same email address where he wants you to reply to the scam. Otherwise he would have to convince you to reply to an address other than the one automatically generated by the eBay message system, and that would be too suspicious. The email address he uses will be a throwaway, anonymous address easily obtained at Hotmail, Yahoo or similar*.
*All it would take to shine the light of day on the scam at this point would be if eBay's Search Items by Seller form would accept a registered eBay user's email address as an alternative to searching by user ID. The Find a Member page works with both, and so should "Find Items by Seller." If it worked that way, you could easily search for auctions by seller using the email address given to you in the "offer," (where the con-man needs you to reply), and the result would show that the person issuing this "offer" is not the seller of the auction where you were bidding.

Suggested to eBay June 3, 2006, 13:07pm

Since eBay doesn't display the seller's email address until you win an auction, it's not immediately obvious that the person you're talking to is not the seller from the auction. But this fake "Second Chance" email has a link to the auction that you bid in, and the key misdirection of the whole con is perfected when you assume that bike you wanted has any relationship at all to the person sending you this email. It doesn't.



Even if you don't have a "known good" Second Chance offer to compare this one to, there are many ways to spot these fakes and eBay discusses them in its official publications. Real "Second Chance" emails that truly come from eBay will also appear in the "My Messages" section of your eBay account, with the exact subject line, "eBay Second Chance Offer for Item..." When you receive one by email, the mail headers will have a "Return-Path" of "SecondChanceOffer@ebay.com" and a trail showing the message originating on eBay's internet address space.



Legitimate Second Chance Headers

X-Gmail-Received: 9110f2803e9cadb7f2bde3d086718b780d839891
Delivered-To: ME@MY_EMAIL_ADDRESS
Received: by 10.70.54.2 with SMTP id c2cs613637wxa;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received: by 10.35.66.13 with SMTP id t13mr2998052pyk;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Return-Path: <SecondChanceOffer@ebay.com>
Received: from mx16.sjc.ebay.com (mxpool08.ebay.com [66.135.197.14])
by mx.gmail.com with ESMTP id k62si633282pyk.2006.05.21.02.00.43;
Sun, 21 May 2006 02:00:44 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of SecondChanceOffer@ebay.com designates 66.135.197.14 as permitted sender)
DomainKey-Status: good (test mode)
Received: from sj-wsyi221 (sj-wsyi221.sjc.ebay.com [10.11.91.32])
by mx16.sjc.ebay.com (8.13.5/8.13.5) with ESMTP id k4L90hW6009393
for <ME@MY_EMAIL_ADDRESS>; Sun, 21 May 2006 02:00:43 -0700
DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.com; c=nofws; q=dns;
h=message-id:from:reply-to:to:subject:mime-version:
content-type:x-ebay-mailtracker;
b=mPi/egMTt99owdLepuzPZlZtnUDu4SrYNyCE0+Wl0vgEFYHZNBaSAO3MnHcQHDkRd
4ajZR93oVRV4Md9y8GAXukxLkVIVrSb7PRsk/Kj5mPuUn0zI8m5886kz42D7zKctOMf
K+4Jqj07zCVSCKN6/sVwmxK9HM1xhFY5//+urps=
Date: Sun, 21 May 2006 02:00:43 -0700
Message-ID: <1806957536.1148202043441.JavaMail.ebayapp@sj-wsyi221>
From: eBay

Reply-To: SecondChanceOffer@ebay.com
To: ME@MY_EMAIL_ADDRESS
Subject: eBay Second Chance Offer for Item #9730021438: Palm Treo 700w/Treo 700 Verizon Like New, Barely Use
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=1978973166.1148202042879.JavaMail.ebayapp.sj-wsyi221
X-eBay-MailTracker: 10039.461.0.64355

--1978973166.1148202042879.JavaMail.ebayapp.sj-wsyi221
Content-Type: text/plain;charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------
eBay sent this message to MY_REAL_NAME (MY_EBAY_ID).=20
Your registered name is included to show this message originated from eBay.=
=20
Learn more: http://pages.ebay.com/help/confidence/name-userid-emails.html


When tracing a message's path through the internet with mail headers, disregard the first few lines listing traffic on networks whose IPs begin with 10., or 192.168., or 172.16-31, or 169.254. Addresses in that space are known as "private class" networks. They are not routable over the internet and only explain the mail bouncing around a private network either before or after travelling across the internet.



As in the above headers, when a mail actually originates at eBay, the first publicly routable IP address in the mail header will belong to eBay. When verifying this, don't just take the "resolved" domain name in the header for granted. Actually do an nslookup on the IP to make sure it resolves back to something under ebay.com.



If the Return-Path in the headers is "SecondChanceOffer@ebay.com" AND the 1st public class network listed in the mail headers belongs to eBay, then there's a pretty good chance this is a legitimate email. Mind you, a fraudulent message (like the one I received) can also be sent through the eBay message system, but those will contain a different Return-Path header of "member@ebay.com."



Please don't bank on Return-Path or other header information, though. If in doubt, just forward the message along with the original headers to spoof@ebay.com. They'll reply within an hour and tell you whether the message is forged or not. (Make sure you don't fall for any spoofed confirmations of legitimacy!) Still, even without looking at headers, there are many other clues to alert you. Read on.



Evaluating Authenticity

When you receive an officially sanctioned message, eBay will use your real name at the beginning of the message, "eBay sent this message to YOUR_REAL_NAME (your_ebay_id)." They know your name because you gave it to them when you signed up. A scammer is not going to know your real name at this stage of the scheme, hence, it is not included in your shiny fake Second Chance email.



Real eBay messages also contain warnings and URLs with information to help you avoid falling for spoof emails. Forged ones usually don't. Real ones offer you a link to "Buy it Now" that will take you back to the eBay website where you buy the item through PayPal or another standard/somewhat-safe method. Fake ones ask you to buy by "replying" to email and eventually broach the topic of Western Union and wire transfers.



Real ones will have no errors in the message body. The fake one I got had an extra space between a period and the end of a sentence:

"buy this item or contact seller at wurrammnd@hotmail.com ."


Even without any of the above indicators, we still have plenty more carelessness, errors and inconsistencies warning us this deal is a fraud. All my correspondence from this "Frank Vorus" were lousy with them.



Comparing Samples

First, I noticed that the name he used in email to me (Frank Vorus) bore no relation at all to the seller's user ID on eBay. Although a little "off," by itself, not terribly significant. But these criminals are not very bright, and they leave a lot more clues. Take his first personalized message to me:

"I am glad that you are still interested to purchase my item. As is described on the auction the item is full operational and in proper woeking [sic] conditions."


Notice the stilted broken English. That's nothing by itself either, until the writing sample above is compared with the writing style of the original item description, written by the real seller. The real seller's writing wasn't perfect, but he was clearly a native English speaker. I also compared writing samples from the several emails I received from "Frank" with the 375 feedback messages that the real seller on eBay had "Left for Others."

"EXCELLENT!!!! AWSOME!!!! GREAT TRANSACTION!!!!"

"despite repeated emails-no reply-no payment-never contacted me-LOSER"

"Very fast. Item was in perfect shape. Wonderful transaction"

"neat little item-perfect for me-fast shipping!!! great ebayer"

"Got the item right away-it's neat"

"quick shipping even from Ausieland-nice guy to do business with"



The feedback / item description were definitely NOT written by the same person now sending me emails. Maybe if Frank went to an American high school and had some practice handing in copied homework, he could have pulled this off.



Frank also kept talking about how he would ship the bike. The scam could get messy if I came to pick it up and pay in person:

"You want to pick it up, but first off [sic] all i need to see the payment details, as eBay instructed us. Once i have the payment details i will deliver the bike to your home address."


Those statements are in direct contradiction with the original item description written by the real seller:

"MUST PAY IN CASH OR MONEY ORDER!!!! MUST PAY WITHIN FOUR(4) DAYS AFTER AUCTION DONE. YOU MUST PICK UP-NO SHIPPING."


The Bait

Criminals often offer gratuitous excuses that ultimately give them away. Happens all the time on COPS™. Here's a good example:

"I asked eBay to send you a Second Chance Offer becuase [sic] the winner had some personal problems with the money and couldn't handle the situation at this time."


That's very understanding of him. A little more information than one would expect.

"If you are still interested to purchase the item is still available for sale and you have the opportunity to purchase this item at your last bid price."


Aside from the broken English inconsistent with the real seller's writing style, my last bid price was only 2/3 of the winning bid. This bike could easily sell for more than the winning bid if it was relisted. Why would it be offered to me at this price? Four other people bid more than I did, in amounts much closer to the winning bid. Wouldn't one of them have jumped at this already? That's the part that is supposed to hook you, preying on the victim's own greed, a deal so good, you can't resist.



Of course, the scam would be over right now if I just asked the winning bidder whether he bought the item, or whether he backed out because there was something wrong with the seller or the item. You can do that by going back to eBay, pulling up the auction, clicking the user ID of the winning bidder, and then clicking "Contact Member."



Building Trust

In Frank's second mail, he also asks me for some basic information - name, address and eBay ID, claiming to need it in order to start an "official eBay transaction." It made no sense to me, but all the information seemed harmless enough. In retrospect, this might have been an attempt to get enough information to break into MY eBay account. Many people use their address or zip code as a password. Another possibility is that he just wanted to list my address as the "Shipping Address" on his upcoming forged invoice to make me feel more comfortable about paying.



Speaking of paying, he closes with:

"You'll also receive important guidelines + instructions from eBay regarding our transaction (please go through them exactly). I'll handle the shipping, so this will be free of charge for you ."


Another telltale mistaken space between the period and end of sentence, indicating that the author of this message is also the author of the earlier one that was supposed to have come from eBay. More good deals to motivate me (free shipping for a 250lb motorcycle?!) and buttering me up to follow "exactly" instructions in the forged email that he'll send to me in a few minutes. Too bad his shipping promises contradict both the item description and my email to him explaining that I'd only buy the bike in person.



Later, he sends another email to shepherd me to the fleecing:

"i [sic] have requested that the details of the transaction to be verified and if everything will be ok then the transaction will be guaranteed. Once guaranteed by ebay, the transaction will be safe for both of us. Please wait for ebay's confirmation that the transaction is ok and please read carefully all the instructions that ebay will send to you. It's very important that we follow the instructions."


Yes, very important we follow the instructions. We don't want our mark accidentally sending money to the wrong thief!



Deconstructing the Payoff

One minute later, a forged email dressed to look like it came from eBay arrives, with the subject:

"You must send payment of US $2,200.00 shortly for your Item"


"Shortly for my item?" EBay copy doesn't sound like that. Return-Path in the mail headers lists "aw-confirm@ebaysecondchance.com." A WHOIS on the domain "ebaysecondchance.com" shows it hosted and registered by 1-and-1 webhosting in Germany. That's what happens when a webhost gives away 3 free years of web hosting plus a free domain name. The first internet routable IP network in the mail headers is burnt-tech.com out of Canada, confirmed with reverse nslookup. Headers also show this guy used the burnt-tech webmail program to send this while online himself from an America Online IP address.



Forged Mail Headers, not from eBay:


X-Gmail-Received: 2bb2b2f0ee468534d60ec4a806ba172f2f9e2dae
Delivered-To: ME@MY_EMAIL_ADDRESS
Received: by 10.70.31.11 with SMTP id e11cs34834wxe;
Fri, 2 Jun 2006 08:56:54 -0700 (PDT)
Received: by 10.54.94.16 with SMTP id r16mr2041853wrb;
Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Return-Path: <aw-confirm@ebaysecondchance.com>
Received: from burntmail.com (burnt-tech.com [66.98.218.53])
by mx.gmail.com with SMTP id 7si1587200wrh.2006.06.02.08.56.54;
Fri, 02 Jun 2006 08:56:54 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.98.218.53 is neither permitted nor denied by best guess record for domain of aw-confirm@ebaysecondchance.com)
Received: (qmail 10171 invoked from network); 2 Jun 2006 15:56:50 -0000
Received: from unknown (HELO burntmail) (127.0.0.1)
by localhost with SMTP; 2 Jun 2006 15:56:50 -0000
Received: from 172.181.66.214 (unverified [172.181.66.214])
by burntmail (VisualMail 4.0)
with WEBMAIL id 10169;
Fri, 02 Jun 2006 15:56:50 +0000
From: "eBay"
To: ME@MY_EMAIL_ADDRESS
Importance: Normal
Sensitivity: Normal
Message-ID:
X-Mailer: Mintersoft VisualMail, Build 4.0.111601
X-Originating-IP: [172.181.66.214]
Date: Fri, 02 Jun 2006 15:56:50 +0000
Organization: m
Subject: You must send payment of US $2,200.00 shortly for your Item #4641831009
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--=_vm_0011_W634929128_10169_1149263810"

----=_vm_0011_W634929128_10169_1149263810
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable


Second Chance Offer - Buy The Item You Recently Bid On

Dear MY_EBAY_ID,


Tracking the Perp

The mail headers tell me that the IP address of the computer the perpetrator is using is 172.181.66.214. Nslookup tells me that's an AOL (formerly America Online) IP. But I can also compare the geographic location of his IP with the geographic location of the auction as listed on eBay. When I entered the thief's IP address in GeoIP Lookup, it told me that his approximate physical location was somewhere in Germany. A few other GeoIP lookup services estimated Kansas, Florida and Maryland.



Because of the varying results and inherent inaccuraccy of geographically mapping virtual IP space, I corroborated his location using a different method, traceroute. According to tracking done by Visual Trace, the trail toward his IP leads to Frankfurt, Germany before getting lost behind a firewall.



Either way, the person writing me is likely nowhere close to Tehachapi, California where the shiny red motorcycle is supposed to be. By contrast, GeoIP lookup on the real seller's IP address (taken from headers of email communication I had with him) resolves to the location listed in the auction - Tehachapi, CA.



AOL keeps records of all it's users' logins and the IP addresses assigned to each user during the login period. Since these mail headers have both the perpetrator's AOL IP address and exact timestamps, it would be easy for AOL to come up with the identity of criminals based on their service billing records, and provide this to law enforcement. The problem is that most police don't understand how to investigate and prosecute this kind of computer fraud. Local police would rather refer you to the FBI and the FBI can only be bothered with big, important cases with high dollar amounts. As a result, these kind of criminals are free to attempt their crime as many times as they need to, until they succeed. Consider how that would be if police treated attempted bank robberies the same way.



Recognizing Trouble

The purpose of the final forgery is to persuade me to transfer a couple thousand dollars by Western Union -- a payment method the real eBay specifically warns its customers NOT to use in almost every piece of correspondence they send.



The fraudulent message uses comforting words like "insured", "verified," "protection," "refund," and "in association with eBay Inc." to coax me into compliance. I am supposed to "Pay for the transfer with cash at a local Western Union agent."



And, in case I was wavering, wondering whether or not I should send the money, the scammer targets your desire to get something for nothing -- 50% discount on the wire transfer fee!

"Because the fee to send a Western Union Money Transfer is high, compared to other methods of payment, we have arranged with the seller to compensate for half of this fee (i.e. if it costs you $100.00 to send the payment, take $50.00 from the amount insured and send the balance)."


So many elements of a confidence game manipulate the greed or dishonesty of the victim. So remember the old saying, "You can't cheat an honest man."



Closing the Deal

I write him back to tell him that if I am going to buy anything, it will be in person and only after checking out the quality of the merchandise first. I ask him for his phone number, address, real contact points where even clueless police might be able to pick him up. He doesn't go for it. Instead, he appeals to me to just do "as eBay instructed us," invoking their higher authority. It's a tactic con-men use to exploit the comfort most people take in following rules and doing what they're told.



Before closing this case, I warned the other non-winning bidders of this auction and, even though it's nigh impossible to file a security incident report, I reported the situation to eBay. But eBay is busy, and they are not looking into it.



In fact, 6 days after I emailed multiple detailed complaints to eBay (each one answered by just more dull, canned text by CSRs with different first names), explaining how this person was using an actual eBay account to victimize other users by relaying spoofed messages through the official eBay message system, and despite feel-good assurances by eBay representatives like "Ide,"

"I have reviewed your report and have taken appropriate action in accordance with our policies. Such action may include issuing a warning, a temporary suspension, an indefinite suspension or terminating the membership. Out of concern for our members' privacy, we don't discuss the specifics of the actions we take in these situations."


eBay's Member Search page shows that the perpetrator still has his valid eBay account:

"The email address wurrammnd@hotmail.com is used by a valid eBay member with a feedback score of 0 (0% positive). For privacy purposes, it is eBay's policy that User IDs are not revealed to members who are not involved in current or recent transactions with each other."


While I am stuck in a feedback loop with eBay's robot employees, this con-artist keeps his eBay account, and no organized countermeasures are mustered against him. He has been free to run the same scam hundreds more times since my first report to eBay's security group.



If this particular thief ultimately succeeds in stealing someone's money, a good lawyer could make a great case that eBay is negligent for failing to revoke the fraudulent account after having notice of it, and that eBay should be held liable for the damage.



Vigilance

These crooks will always be able to vary slightly from the outline presented here, but they will always make mistakes that give themselves away. They're not that smart. If they were, they wouldn't have to be criminals.



For the volume of confidence scams connected to eBay, the ironic slogan, "bid with confidence" is certainly appropriate.

24 comments:

  1. Anonymous11:00 PM

    If I were him -- that AOL machine would be a rooted windows box that would never track back to me

    ReplyDelete
  2. Anonymous11:01 PM

    Good job. You should submit this information to 2600 or Reader's Digest. Or sex it up a bit and submit it to Penthouse Forum.

    At least when Russians scam people they pretend to be hot women.

    ReplyDelete
  3. Anonymous11:01 PM

    Great writing! I'll share this with my computer class students - and be sure to give you the credit for putting it together.

    ReplyDelete
  4. Anonymous11:02 PM

    Excellent work! A site very interesting and design top-level. Thanks!

    ReplyDelete
  5. Anonymous11:02 PM

    This is a new one on me, pretty slick. I am sure the scammers are raking in serious dough, maybe even from the same auction they tried to hook you on.

    I bet schneier.com would be interested in this tale.

    ReplyDelete
  6. Anonymous11:03 PM

    I think that the stupid Philippinos are the ones taking point on this scam.

    Damned third-world countries!!

    ReplyDelete
  7. Anonymous11:03 PM

    Welcome to the Internet. Most sensible people would be on to this scam in about 2 minutes after reading the poor English. I want those five minutes I spent reading this back.

    ReplyDelete
  8. You inspired me to write Part II, that discusses why looking only for poor English is a poor method for identifying a scam. Sometimes they come using good English.

    ReplyDelete
  9. Anonymous11:07 PM

    Got one too, googled email address SecondChanceOffer@ebay.com found this site.

    SECOND CHANCE OFFER:
    ...
    In compliance with eBay's Policy, the seller of that item is making this Offer to you at your last bid price: US $XXXXXXXX.
    ...
    You may purchase this item by contacting the seller at: realnowestate@yahoo.com , or just reply to this email.
    ...
    If you have any questions, please reply this email.

    Thank you for using eBay !
    ....

    ReplyDelete
  10. Anonymous11:08 PM

    great Page way to stick it to these bastards

    ReplyDelete
  11. Anonymous11:09 PM

    I get these phony 2nd chance offers from virtually every bid I make on eBay. Pretty soon I'll be hosting a site that more or less identifies eBay as a pretty bad way to buy anything. A good way to sell something, yes, but a terrible way to buy anything. Besides, I was looking for a car with less than 100K miles and my searches on local newspapers and autotrader yielded much better prices.

    ReplyDelete
  12. Anonymous11:10 PM

    Ran into the exact same guy today, 7.6.06. We were buying a camera, got outbid, and then got the exact same emails you mention, from the exact same email address. He's out there...

    -- Your partner in vigilance :)

    ReplyDelete
  13. Anonymous11:10 PM

    i was just caontacted by this indvidual this weekend!told me i won a second chance at a tent trailer i bid on.gave him my phone # and told him to call me i had ?'s.he mailed me right back and told me to send money western union then he'd call.I sent all mails recieved to spoof@ebay .com Please do the same!

    ReplyDelete
  14. Anonymous11:13 PM

    I bid on a car on Ebay for the first time today and was still automatically outbid by $50 and I still got a "second chance offer" for the price I bid . Is there anyway I can lead this guy on a nail his ass?!! I think I agree with Wes , I'll look around the old fashioned way ! By the way , his email addy is vorms@kikivorms.com
    Thanks for this awesome , informative page !! JD

    ReplyDelete
  15. Anonymous11:13 PM

    I have just recently bought a item of this seller and i have paid for the item so it was all going well untill about 2 weeks latter the item had still not arrived so DO NOT BUY ANYTHING OF THIS CRIMIMAL

    ReplyDelete
  16. Anonymous11:13 PM

    "The sender of your "Second Chance" is a thief who uses an actual eBay account to send this spoofed offer through the eBay message system. His eBay registration will use the same email address where he wants you to reply to the scam. "

    I dun quite understand this part. How does a scammer send an e-mail(message) to the target under the name of "secondchanceoffer@ebay.com"??

    ReplyDelete
  17. The method of any particular scam varies. In some scams, the artist will use the eBay message system to cause a message to appear in your "My Messages." Although that message cannot have the official eBay subject heading "Second Chance offer for item...," many people would not notice the difference. In other scams, the artist sends you an email, and it is trivial for anyone to set their "FROM" address in an email to whatever they please.

    ReplyDelete
  18. Anonymous11:14 PM

    I had the same thing happen to me with a boat I bid on. vorms@kikivorms.com has an IP address that originates on the NTT network from 199.237.201.173 at ggdearmli.com, listed in Centennial Colorado, and the message hops through the NTT network at Sterling Virginia and back to Centennial before bouncing to Equinox in Ashburn, VA and then Defender Technologies in Washington, DC. The guy is getting smarter. Now he is just asking for your personal information about your ebay account.

    ReplyDelete
  19. Anonymous11:15 PM

    Yeah, I just got the second-chance email on a car I bid on. Cannot tell you how grateful I am I googled "kikivorms" and this site popped up.
    Whew, saved me a lot of time, hassle, and money. What a great service you're doing for all of us.
    My enternal gratitude!

    ReplyDelete
  20. Anonymous9:59 PM

    This blog saved my money also...I was about to get connect by these a..holes.

    ReplyDelete
  21. Word to all you jokers! Well, I just lost $500.00 to some bastard in london england for a camcorder. I sure wish I saw this site earlier! Thanks for making it available to all of us out here. I just feel stupid because I was dooped! Oh ya, it can happen to you!

    -Dave-

    ReplyDelete
  22. Anonymous9:10 AM

    I have just been tempted with the same fruit. However, I want to add a wrinkle relating to ebay that is down right negligent - I responded to a second chance offer that appeared to be generated by ebay and then had second thoughts. I went to "my messages" and the offer was there. I then sent an email to ebay saying I think I'm being scammed and forwared the e-mail I'd recieved. I didn't think to mention the fact that the scam message was also in "my messages" folder. Ebay's reply said "yes this is a spoof" and went on to say I should always check the "my messages" folder. Obviously, ebay had not actually looked into my situation but just replied with a boilerplate response. I'm a lawyer - let me say this - if ebay's position is that anything in the "my messages" folder is legitimate and people get scammed from messages in the "my messages" folder - ebay has a serious, serious problem.

    ReplyDelete
  23. I just reamed some guy out for being a scammer, unfortunately i didnt get anything other than he said 3 different places where the item was located. awesome article though, thanks a bunch for the info, very useful.

    ReplyDelete
  24. Anonymous5:31 PM

    another scam!!!! beware
    this is what i got after lost my bid.$2300 is freaking lot of money to feed a foreign sick f***.so long F*****R

    my_id@yahoo.com
    From: "eBay" SecondChanceOffer@eBay.com Add to Address BookAdd to Address Book Add Mobile Alert
    Subject: eBay Second Chance Offer for Item 16016221111
    eBay sent this message to "my ebay id".
    Your registered name is included to show this message originated from eBay. Learn more.
    Second Chance Offer eBay

    eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address.


    Second Chance Offer
    Item: Brand New Canon XL2 3 CCD MiniDV Camcorder with lens (1601622111
    This message was sent after the listing closed.

    Good news! The following eBay item on which you placed a bid for US$ 2,300.00 on 04-19-2007 01:01:01 AM is now available for purchase:
    Brand New Canon XL2 3 CCD MiniDV Camcorder with lens (160162216278)

    Your Price: US$ 2,300.00
    Offer end date: 5 business days
    Second Chance Offer
    The seller is making this Second Chance Offer because the high bidder was either unable to complete the transaction or the seller has a duplicate item for sale.

    The selling of this item through Second Chance Offer is in compliance with eBay policy; you will be able to exchange Feedback with the seller and will be eligible for all eBay services associated with a transaction, such as fraud protection.
    Act Now - This Offer Expires Soon
    To take advantage of this opportunity, please act quickly. This offer expires in 5 days.

    You may purchase this item by contacting the seller in this email : : desswt@hotmail.com

    ReplyDelete