Hackers hit and run on Internet auction sites


KANSAS CITY, Mo. - For a couple of days in December, someone was auctioning Sony camcorders from Kevin Pilgrim's eBay account. But the auctioneer wasn't Pilgrim, who lives in Raytown, Mo.

More than two dozen online bargain hunters agreed to pay $605 apiece, in some cases wiring money to Germany. But there were no camcorders. The two-day auction was a fraud.

While bidders got ripped off, the bad guys got away. The scammers who hacked into Pilgrim's eBay account to woo unsuspecting bidders did their dirty work before eBay could shut down his account.

A frustrated Pilgrim watched the crime unfold, able to do little more than desperately e-mail warnings to bidders. Even the FBI told him it could not afford to tie up agents' time on these electronic purse snatchings.

"We get calls like this every day, and that shows how rampant this is," said Jeff Lanza, an FBI spokesman in Kansas City.

Although auction fraud is skyrocketing as online commerce grows, consumer protection is not keeping pace.

Auction users, facing growing risks, are increasingly pressing for more safeguards. And some outraged consumers are becoming online vigilantes.

"You've got this monster market on the Internet, but you can be witnessing a crime in real time and be helpless to do anything," Pilgrim said. "There's no 911 number you can call."

Online auctions attract millions willing to buy anything from toasters to sailboats from people they have never met.

The gorilla of the industry, eBay, posted revenues last year of more than $240 million. While eBay won't release user numbers, it has been reported that 35 million people regularly buy and sell at online auctions.

"What we say is that we do $30 million a day in business," said eBay spokesman Kevin Purseglove. He said fraud taints no more than 0.01 percent of the transactions.

But that means lots of users still get burned. Some experts believe the number of frauds might be higher, simply because they are so hard to track.

The National Consumers League's Internet Fraud Watch reported that after several years of decline, online auction complaints soared in 2002, accounting for 87 percent of all Internet fraud complaints it received. The league said Internet fraud cost consumers $7,209,196 last year, which it calculated at $484 per victim.

The Federal Trade Commission's Consumer Sentinel, which gathers online fraud complaints for a consortium of law enforcement groups, received more than 20,000 Internet auction fraud complaints in 2001, reflecting the huge challenge facing investigators.

While there are a lot of scams, each one might affect no more than 50 people, a number unlikely to ring bells at the FBI. "If you have 1,000 victims, that's a different story," Lanza said.

Online auctions rely on trust between buyers and sellers, so scammers take advantage of that trust to do their dirty work.

In the past, many scammers simply opened their own accounts to hoodwink bidders. But they were too easily traced.

Now, the scammers - often international gangs - hack into the accounts of users with good reputations, sellers who showcase their positive feedback, to ambush bidders.

That's what happened to Pilgrim. On Dec. 16, when he checked his e-mail, he found 18 eBay users wanting to buy camcorders from him. When he tried to access his account, he was locked out - the password had been changed.

He reported the fraud using an eBay message prompt. An automatic response said eBay would get back to him in "12 to 36 hours." He then phoned Raytown police, who said they were not equipped to investigate Internet crimes.

The next morning, Pilgrim called the FBI and the Internet Fraud Complaint Center, run by the Justice Department, which gave him a complaint reference number.

Meanwhile, Pilgrim frantically returned e-mails to as many bidders as he could, warning them of the fraud: "I was concerned that people thought I was the guy perpetrating the fraud."

More than 40 people had responded to the auction. An unknown number had already paid. Craig Rettmer, a Kansas City audio engineer, was one of the unlucky ones who lost $605.

"Kevin [Pilgrim] was quick to tell me he wasn't selling anything," said Rettmer. "I felt like such a fool."

Rettmer and other victims were beguiled by the scammers' slick appearance on the Net.

After taking over Pilgrim's site, the scammers advertised Sony digital cameras at a "buy now" price $200 below retail. The site included technical information and even offered gift wrapping.

"They made you feel very comfortable," said Rettmer, who had been looking for a camcorder to buy as a Christmas gift for his daughter.

In retrospect, the payment directions should have raised a red flag. Bidders were told to wire payments by Western Union to an address in Nurnberg, Germany. Hoping to get his camera before Christmas, Rettmer wired cash. Other bidders paid by credit card and remain hopeful that they will get reimbursed.

eBay didn't suspend Pilgrim's account until Dec. 18, after the auction was over. By then, the scammers were gone.

Purseglove, of eBay, acknowledges that the auction company appeared slow to react in Pilgrim's case. But he said that was unusual. He said eBay tries to respond immediately to customer concerns.

Internet experts say the increasingly popular auctions have been the target of thieves.

"Certainly the auction sites should have the equivalent of a rapid-response team," said Beau Brendler, director of Consumer Web Watch, a division of Consumers Union, which publishes Consumer Reports.

J.A. Hitchcock, author of Net Crimes & Misdemeanors and president of Working to Halt Online Abuse, said one concern for the auctions is the cost of increasing security.

"Companies like these have grown too big, too fast, and are more concerned with the bottom line than their customers, which is a shame," she said.

Purseglove said two of the more ingenious methods hackers use to crack accounts are:

Sending a user an e-mail purporting to be from eBay asking for private and detailed information, which is directed to a "spoof" site, where it is harvested by the hackers. He said eBay never asks users to provide that kind of private information.

Using robotic "dictionary" programs that surf through accounts trying every word until they find one that works as a password. Use of symbols in a password can help thwart this kind of Internet assault.

Copyright © 2020, The Baltimore Sun, a Baltimore Sun Media Group publication