AUS DEM SPIEGEL
Ausgabe 51/2005
12/19/2005

Phishing in Cyberspace

Hackers Hijack Ebay Accounts

By Janko Tietz

As Ebay continues to grow, so too do security problems. A new wave of hackers has found an innovative way to hijack user accounts. All you need is a program to rapidly test possible passwords, and a little bit of patience.

Ebay has become the target of a new wave of cyber-fraud.

Any amateur photographer would get excited by the chance to buy a camera for €300 when it normally goes for up to 10 times as much. Klaudius Dziuk, 31, has long been interested in a Canon digital SLR camera. He had just started his own business, but it wasn't yet going well enough for him to treat himself to such a high-ticket item. Until he took a look at online auction house Ebay, that is.

Among Ebay's 17 million German users, Dziuk found a member with the user name "mal-kasten" who was offering his dream camera for sale -- and at a starting bid of only €300. It seemed almost too good to be true, until Dziuk realized that "mal-kasten" was selling all kinds of brand-new, expensive cameras, all for the same starting bid of €300. It also struck Dziuk as odd that he had never before noticed the name "mal-kasten" among users selling cameras.

Dziuk then noticed that other Ebay sellers, "silkeberger" and "pit87," for example, were likewise offering up Dziuk's dream camera by the dozen, and all for the same €300 starting bid. It was only after Dziuk sent an e-mail to one of the sellers that he realized he was dealing with a large-scale scam operation. Although the seller responded to the e-mail, his response was in English -- despite the fact that Germany had been specified as the item's location, just as it was with the other sellers.

Moreover, the supposed seller wrote that he only accepted cash payments, either into accounts at the Bank of China or in the form of a Western Union international money transfer. Although he had no qualms about providing his name and address, it could just as easily have been made up: Zhang Yanguang, Beijing 100021, No 7 Building 19, Floor 11, Chaoyang District, Huawei Xili.

"Account hijacking has become a real problem"

"Mal-kasten," though, as it turns out, was not the real seller of the bargain camera. Rather, a hacker gang from China had found their way into "mal-kasten's" account. Indeed, the group has apparently manipulated countless Ebay accounts the world over.

"Account takeover," Ebay's term for the hijacking of its customers' accounts, "has become a real problem, especially as a result of phishing," admits Oliver Weyergraf, Director of Internet Security for the online auction house's German office.

The hackers' approach is clever; they usually search for Ebay members whose accounts have been inactive for a long time -- that is, those who are less likely to notice their accounts being manipulated. Ideally, the targets should have a 100 percent rating from other Ebay members, so that potential buyers believe that they are reliable and don't become suspicious.

Using dictionary-attack software that is openly available for download on the Internet, the hackers bombard the accounts with candidate passwords drawn from digitized word lists until they hit the correct one. The program is the digital equivalent of pointing a shotgun at the sky and firing repeatedly. Eventually, a duck will drop into your lap.

Ebay does limit consecutive password attempts to 20, at which point a so-called gif blocker appears: an image-based challenge whose code the user (or hacker) is asked to type in. But solving it resets the counter. The user is given another 20 tries, the cycle begins again, and passwords can be entered indefinitely, until one of them is right. A limit that a challenge refills is a speed bump, not a cap on the total number of guesses an account will accept.

Once the intruders gain access to an account, they modify the stored account information to their benefit and change the e-mail address associated with the account, so that all inquiries are sent to them and not to the real owner of the account.
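The looping rate limit described above, as an added illustration that is not part of the original article and not eBay's code: a toy login model that compares the policy the article describes (the failure counter resets whenever the challenge is solved) with a hardened one that also keeps a cumulative per-account failure count the challenge does not reset. The account name, the 100-word list, the victim's password and the lockout budget of 50 are constructed assumptions for the example.

```python
"""Toy model of the online dictionary attack and the two rate-limiting policies
discussed above. Added illustration for this page; not eBay's code and not the
attack tool the article mentions. Account name, wordlist, password and the
lockout budget are constructed for the example."""
import hashlib
import hmac
import os

CAPTCHA_EVERY = 20      # consecutive failures before a challenge is shown
LOCKOUT_AFTER = 50      # hardened policy: cumulative failures before lock (assumed value)
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Server-side record: salted hash plus the counters each policy consults."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _hash_password(password, self.salt)
        self.failures = 0        # consecutive failures since the last challenge
        self.total_failures = 0  # cumulative failures since the last good login
        self.locked = False

    def check(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self.digest)


class WeakPolicy:
    """The scheme the article describes: solving the challenge resets the counter,
    so an attacker who can answer (or outsource) the challenge guesses forever."""

    def attempt(self, account: Account, password: str) -> str:
        if account.failures >= CAPTCHA_EVERY:
            account.failures = 0   # challenge solved; guessing budget refilled
        if account.check(password):
            account.failures = 0
            return "ok"
        account.failures += 1
        return "fail"


class HardenedPolicy:
    """Same challenge cadence, but failures also accumulate across challenges
    and lock the account once the budget is spent."""

    def attempt(self, account: Account, password: str) -> str:
        if account.locked:
            return "locked"
        if account.failures >= CAPTCHA_EVERY:
            account.failures = 0   # challenge solved, but total_failures is kept
        if account.check(password):
            account.failures = account.total_failures = 0
            return "ok"
        account.failures += 1
        account.total_failures += 1
        if account.total_failures >= LOCKOUT_AFTER:
            account.locked = True
            return "locked"
        return "fail"


def dictionary_attack(policy, account: Account, wordlist):
    """Try each word in order. Returns (password or None, attempts, challenges_solved)."""
    attempts = challenges = 0
    for guess in wordlist:
        if account.failures >= CAPTCHA_EVERY:
            challenges += 1   # the attacker must answer a challenge before this try
        attempts += 1
        result = policy.attempt(account, guess)
        if result == "ok":
            return guess, attempts, challenges
        if result == "locked":
            return None, attempts, challenges
    return None, attempts, challenges


# Constructed wordlist: ten common base words, bare and with the suffixes 1 to 9
# that dictionary tools typically append, 100 candidates in all.
_BASE = ["password", "123456", "qwerty", "letmein", "sunshine",
         "monkey", "dragon", "football", "shadow", "master"]
WORDLIST = [w + (str(n) if n else "") for n in range(10) for w in _BASE]
TARGET_PASSWORD = WORDLIST[72]   # the dormant account's weak password, 73rd in the list


def simulate(policy):
    """Fresh dormant account, one attack run under the given policy."""
    account = Account("dormant_seller_42", TARGET_PASSWORD)
    return dictionary_attack(policy, account, WORDLIST)


if __name__ == "__main__":
    for label, policy in (("weak", WeakPolicy()), ("hardened", HardenedPolicy())):
        found, attempts, challenges = simulate(policy)
        print(f"{label:8s} found={found!r} attempts={attempts} challenges={challenges}")
```

Run as a script, the weak policy surrenders the password on the 73rd guess after three challenges, while the hardened policy locks the account on the 50th cumulative failure. A lock of this kind has to be paired with an owner notification and a recovery path, since on its own it hands an attacker a cheap way to lock legitimate sellers out; the point is that the challenge must never be the only thing bounding the total number of guesses.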

200 manipulated accounts in one week

That's what happened to Petra Botte, the real owner of the "mal-kasten" account, which hackers used to process transactions worth more than €3,000. "Now it's my problem, and I have to prove that I'm not the one selling these cameras," says the exasperated Ebay customer from the western German town of Jülich. Several buyers have already contacted her wanting to know why they haven't received the merchandise, for which money has already changed hands. Ebay even wanted to charge her its commissions, despite the fact that Botte had nothing to do with the fake sales.

Even professional "power seller" Peter Klein from the Swabian city of Nördlingen fell victim to the scam, when hackers used his private Ebay account to offer cameras and expensive navigation devices. "When I started noticing problems, I immediately asked Ebay to block the account. Nothing happened for three days," complains Klein, whose supposed offer generated bids from Norway, France and the United States.

Hijacking user accounts is the new Ebay trend.

The Chinese hackers are also posing as sellers in the US. Jeffrey Lawrence, whose Ebay account was also hijacked, says that he encountered more than 200 manipulated accounts within one week -- and this despite the online auction house's claim that "buying and selling on Ebay is fair, successful and secure." Lawrence has since contacted the FBI.

From Ebay's perspective, the customers are doing their fair share to contribute to the problem, albeit unintentionally. "Many customers create passwords that are too simple," says Internet security head Weyergraf. "A healthy understanding of the Internet just isn't sufficiently widespread yet."

The incident has destroyed Klaus Dziuk's confidence in online buying, at least for now. The budding photographer now plans to save his money and eventually take it to a classic camera shop. "At least I'll be certain that my money doesn't end up in the Bank of China -- just in a nice, old-fashioned cash register."

Translated from the German by Christopher Sultan
