A while back I was on the hunt for a new (to me), used, laptop to add to the arsenal. One that I could use for both security related work and video editing on the go. I settled on snagging a used MacBook Pro MJLT2LL/A.
During this search I became aware of how prevalent scamming has become and the seemingly high-volume migration of craigslist scammers into other marketplaces and platforms. Providing you're somewhat paying attention to the world around you and the things that you are engaging in, these scams may not cause you to lose money, but they can easily subject you to a significant amount of anger and frustration.
"There's no way I can get scammed on Amazon right?". Naw.
Rule one of both the internet and life:
If it's too good to be true, it probably is.
This holds especially true when $ is involved.
The two screenshots above were taken weeks prior to the examples and actual interactions below and the original price disparity was far more drastic, and therefore far more evident at the not-at-all-suspicious price of $800 for a $3500 laptop.
But I mean maybe, it's legit. Logical analysis says that statistically something is up... but of course you have to check it out, I mean, it's on Amazon.
Now prior to continuing, I want to highlight the fact that there are two main scamming scenarios that I have noticed on the Amazon Marketplace, both of which take place using either:
Cue the inherently sketchy statement(s) in the item description:
Before purchasing this item, please email us at email@example.com.
At this point any person that is wary with their dollars and is not using Amazon for the first time would bail out. However, wanting to see where this was going, I reached out to the actual marketplace seller prior to contacting the sketch-lord random email in the innocent-looking instructions in the item description.
we don't sale that, you get the wrong address
Now due to this eloquent response it is clear that this is a scam and that the marketplace seller has no clue that this item is listed for sale under their name. But again, for data, let's see where this goes if we actually follow the instructions.
If you want to buy, please confirm your shipping details and we will place your order.
These details, of course, include your payment information. If they do not, this generally leads down a rabbit hole of attempts to acquire account credentials as well as other bits of information from the user, which takes us to the second method of Amazon scamming.
Initially I planned on going into detail on this, but it ended up being highly redundant. This method in practice is the same and the image(s) above showcase exactly what happens when a compromised account is leveraged to list items that the seller does not actually intend to list and/or does not actually own.
The main issue (aside from the account compromise) is a lack of second factor verification when adding or removing credit cards/banking information to the Amazon seller area. This affords attackers the ability to add and remove banking information at will without notifying the legitimate account owner.
Attackers can be passive rather than proactive with this, though difficult to confirm from the outside. Passive in that they do not necessarily have to list anything providing the account already has items up for sale. By changing the banking/accounting information that the compromised account has listed, attackers can theoretically redirect these legitimate funds to themselves.
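The weakness just described is that a valid session alone is enough to swap the payout account. The following is an added example, not the author's code and not Amazon's or eBay's, that models the unguarded flow next to a hardened one: a fresh second-factor code bound to the action (HOTP from RFC 4226 stands in for whatever factor a platform would use), a cooling-off period before the new account goes live, and an out-of-band notification so the legitimate owner can cancel. `HOLD_SECONDS`, `SellerAccount` and the function names are assumptions for illustration.

```python
"""Model of a seller payout-details change: the unguarded flow versus a
step-up-verified, delayed, owner-notified flow. Added example; names and the
24h hold are assumptions, not a real marketplace's API."""
import hmac
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOLD_SECONDS = 24 * 3600  # assumed cooling-off period before a payout change lands


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class SellerAccount:
    owner_email: str
    otp_secret: bytes                              # second-factor shared secret
    payout_account: str                            # where sale proceeds are sent
    pending: Optional[Tuple[str, int]] = None      # (new account, effective_at)
    notifications: List[str] = field(default_factory=list)
    audit: List[Tuple[str, str]] = field(default_factory=list)


def change_payout_unguarded(acct: SellerAccount, new_account: str) -> None:
    # The weakness the post describes: a logged-in session changes payout
    # details immediately and silently, with no second factor and no notice.
    acct.payout_account = new_account


def change_payout_guarded(acct: SellerAccount, new_account: str,
                          otp_code: str, otp_counter: int, now: int) -> bool:
    """Step-up check, then queue the change and tell the owner. A real HOTP
    verifier tracks and advances the counter itself; here the caller passes it."""
    expected = hotp(acct.otp_secret, otp_counter)
    if not hmac.compare_digest(expected, otp_code):
        acct.audit.append(("payout_change_denied", new_account))
        acct.notifications.append(
            f"to {acct.owner_email}: a payout-details change was attempted and denied")
        return False
    acct.pending = (new_account, now + HOLD_SECONDS)
    acct.audit.append(("payout_change_pending", new_account))
    acct.notifications.append(
        f"to {acct.owner_email}: payout account changes to {new_account} in "
        f"{HOLD_SECONDS // 3600}h; cancel from your account if this was not you")
    return True


def cancel_pending(acct: SellerAccount) -> None:
    """Owner (or support) withdraws a queued change during the hold."""
    acct.pending = None
    acct.audit.append(("payout_change_cancelled", ""))


def apply_pending(acct: SellerAccount, now: int) -> bool:
    """Run by a scheduler; the change only lands once the hold has expired."""
    if acct.pending is None or now < acct.pending[1]:
        return False
    acct.payout_account, acct.pending = acct.pending[0], None
    acct.audit.append(("payout_change_applied", acct.payout_account))
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    acct = SellerAccount("owner@example.com", secret, "legit-bank")
    print(change_payout_guarded(acct, "other-bank", "000000", 5, 1000))   # False
    print(change_payout_guarded(acct, "other-bank", hotp(secret, 5), 5, 1000))  # True
    print(acct.payout_account, apply_pending(acct, 1000 + HOLD_SECONDS))   # legit-bank True
    print(acct.payout_account)                                             # other-bank
```

The point of the hold is that the "passive" variant in the post, redirecting proceeds of listings the owner already has up, needs the change to land quietly; a delayed change plus a notification to the address on file turns a silent takeover into something the owner can see and reverse.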
The current mentality of people shopping online, combined with some of the demographics that tend to gravitate towards Ebay (non-technical people and family members looking for gifts, older people looking to buy/sell random items, etc.), makes its marketplace an ideal place for scammers.
When Ebay and Ebay-esque sites were emerging and becoming more prevalent (i.e. sites like Amazon/Alibaba/Overstock/Etsy), more people were cautious and relatively suspicious of the process itself. Unfortunately the vast majority of us have become used to, and subsequently desensitized to, the easy-to-use flow of online shopping. These sites enable us to purchase with as little actual user interaction as possible, assuring us at every turn that we are protected by their policies and by the shiny shield icons placed on every loading screen and purchase/bidding page.
Combining the above with our ingrained societal tendencies for trusting in the consensus of the masses:
Scammers and attackers who compromise valid user accounts can leverage the preconceived trustability afforded to these accounts by seller reviews and via seller's reputations, to convince victim users to circumvent the standardized purchasing safeguards.
The way that this is most commonly accomplished on Ebay is identical in most aspects to Amazon, although with Ebay the compromised account(s) -> external payment route appears to be a much more prevalent issue.
We can also see sellers/scammers attempting to "double-dip": by accepting payments after modifying account information, they not only receive the initial payment, but can also attempt to convince victims to pay again outside of the normal channels.
The reason I only cover two-ish Ebay-specific methods is that most are simply variations of the same thing: convincing the victim(s) to purchase something outside the standardized Ebay payment process.
A buyer asks you for your PayPal email while you're selling a product, typically by specifying they want a different quantity and/or portion of the item(s) that you have listed for sale- rather than going through the proper channel(s) and simply purchasing it.
"Hey I don't want to buy the entire item"
"Hey I don't need 30 of X_item, just 10"
"Could you send me your PayPal email? How much would it be for just that amount, I would be glad to pay it."
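Both the Amazon pattern earlier in the post (an item description telling you to email an address before purchasing) and this Ebay "reverse" (a buyer asking for your PayPal email for a partial quantity) share one shape: steering the other party off the platform's payment flow. The following is an added example, not the author's code and not anything Amazon or eBay runs, of a platform-side heuristic that scores listing text or a buyer's message thread for those signals. The pattern names, weights and threshold are assumptions; the sample texts are the ones quoted in the post.

```python
"""Heuristic detector for off-platform payment/contact solicitation in
marketplace listings and buyer messages. Added example; patterns and the
threshold are assumptions, not a real platform's rules."""
import re
from typing import Dict, List, Set

# Each signal is one thing the post describes scammers doing. A single hit is
# weak evidence (support emails exist, buyers do ask questions); two or more
# in the same text or thread is what we flag for review.
OFF_PLATFORM_PATTERNS: Dict[str, re.Pattern] = {
    # "Before purchasing this item, please email us ..."
    "contact_before_purchase": re.compile(
        r"\b(before|prior to)\s+(purchas|buy|order)\w*\b.*?\b(email|contact|message)\b",
        re.I | re.S),
    # any literal email address in listing text or a message
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # naming a payment rail that is not the platform's checkout
    "external_payment": re.compile(
        r"\b(paypal|venmo|zelle|wire|western union|gift ?cards?|bank transfer)\b", re.I),
    # "I don't want the entire item" / "just 10"
    "partial_quantity": re.compile(
        r"\b(don'?t|do not)\s+(want|need)\b.*?\b(entire|whole|all of)\b|\bjust\s+\d+\b",
        re.I),
    # "send me your PayPal email" / "how much would it be"
    "direct_payment_ask": re.compile(
        r"\b(send|give)\s+me\s+your\b.*?\b(email|address)\b|\bhow much (would|will) it be\b",
        re.I | re.S),
}

FLAG_THRESHOLD = 2  # assumed: two independent signals -> hold for review


def off_platform_signals(text: str) -> Set[str]:
    """Names of the patterns that fire on one piece of text."""
    return {name for name, pat in OFF_PLATFORM_PATTERNS.items() if pat.search(text)}


def is_suspicious(text: str, threshold: int = FLAG_THRESHOLD) -> bool:
    return len(off_platform_signals(text)) >= threshold


def score_thread(messages: List[str], threshold: int = FLAG_THRESHOLD) -> Dict[str, object]:
    """Score a buyer's messages as one conversation: the ask in the post is
    spread across several short messages that look harmless one at a time."""
    joined = "\n".join(messages)
    signals = off_platform_signals(joined)
    return {"signals": sorted(signals), "flagged": len(signals) >= threshold}


# Sample texts quoted in the post, plus one constructed benign message.
LISTING_DESCRIPTION = "Before purchasing this item, please email us at email@example.com."
BUYER_THREAD = [
    "Hey I don't want to buy the entire item",
    "Hey I don't need 30 of X_item, just 10",
    "Could you send me your PayPal email? How much would it be for just that amount, I would be glad to pay it.",
]
BENIGN_MESSAGE = "Is this item still available? I'll buy it now through checkout."  # constructed

if __name__ == "__main__":
    print(sorted(off_platform_signals(LISTING_DESCRIPTION)), is_suspicious(LISTING_DESCRIPTION))
    print(score_thread(BUYER_THREAD))
    print(off_platform_signals(BENIGN_MESSAGE), is_suspicious(BENIGN_MESSAGE))
```

Scoring the thread rather than each message matters: "I only need 10" on its own is a normal buyer question, and it is the combination with "send me your PayPal email" that matches the pattern the post describes. The `email_address` signal alone will also fire on legitimate listings that mention a support contact, which is why it counts for one and not for a flag by itself.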
Significant issues with "the OL' REVERSE":
The fact that we can see these attempts being so blatantly blasted across platforms, and that they are being conducted with such frequency on two sites that are fairly adept at monitoring for and removing such things, means that this is undoubtedly a much larger issue for less proactive platforms. We can also see just how long this has been occurring by reviewing the timestamps of the various posts from Ebay users.
Simply put, many things have improved and evolved in our ecommerce experience, from a usability standpoint as well as from a security baseline. TLS/SSL is finally a standard on most sites, and 2-factor authentication is being offered almost everywhere; if neither of these is offered on a site that is readily and frequently handling your financial information, I would recommend you rethink using that site altogether. Most of these platforms do everything they can to hold their users' hands and to ensure that scams like this do not take place: if trust in the platform diminishes, so will its user base, and its profitability/profit margin with it. Unfortunately they cannot catch everything, and as a result awareness and discernment are still requirements when shopping online.