Fraudsters abuse eBay customer database
German consumer protection site falle-internet.de reports that fraudsters have found a new trick (German text with screen shots) to cheat eBay users by exploiting functionality of the eBay API to gain access to customer data in the eBay database. The eBay API is available to sellers and external service providers and the members’ names must be known to be able to use them.
Apparently, users receive mails with a "second-chance offer": a bidder who has been outbid by another bidder is offered the same product through a buy-it-now option. However, the apparent buy-it-now link in the e-mail does not lead to the eBay pages, but to a fake site.
If a user clicks onto the transaction button, he is led to a form on the Square Trade trading platform, where the data provided to eBay, e.g., the user’s zip code, city and e-mail address, are entered correctly. Fraudsters use various online tools on hacked web sites to exploit the eBay APIs to view this information. However, some of the tools mentioned by falle-internet.de are no longer available.
Unwitting users might not be able to resist this second chance to bid again and obtain the desired product, and so could be induced to accept such offers. eBay has responded to this problem : for bids that exceed 100 euros (around UK £66), member names are no longer disclosed except to the seller, who can view the list of bidders. According to falle-internet.de, existing tools can, however, help fraudsters to bypass this protection and continue to inspect the information. eBay advises users to ignore any second-chance offers unless the same e-mail has also been sent to the “My Messages” folder, and to complete all transactions through the eBay site.