Yesterday I received an email apparently from eBay, informing me that my account was used for malicious purposes, and I should change my password post-haste. I’m very skeptical of emails apparently from eBay. Normally I delete them without thinking. But this email managed to catch my attention. Here’s a portion of the text:
It appears your account was accessed by an unauthorized third party and used to send unsolicited emails to other community members, including email offers to sell items outside of eBay. It does not appear that your account was used to list or bid on any items. Additionally, the email address on your account may have been tampered with, which is why you may not have received any emails about this activity. At this time we have taken several steps to secure your eBay account. Rest assured that your credit card and banking information is safe on the eBay site. This information is kept encrypted on a secure server and cannot be viewed by anyone.
Click on the screenshot to see that the email is authentic looking. I’ve removed all the naughty bits to protect my identity. To check the email’s authenticity, I tried to log into eBay in a new browser window—not by clicking on any links in the email.
I was unable to log in, as the email explained further. eBay had changed my password after it detected malicious activity. I reset my password after verifying my identity and logged in. In my message inbox was the same email I received externally. Apparently, my account had been used to send “questions” to the hosts of a variety of auctions pointing them to some external website. I checked my sent messages folder within eBay, and I saw 25 messages sent on July 2 to a number of other eBay users.
The account was not used to bid on any items, so I didn’t have to worry about that. I did go through and change all of my passwords as the message from eBay suggested. I’m not happy with this situation, and after being conditioned that all email appearing to be from eBay is most likely spam or someone trying to trick me into entering my password somewhere, I could easily have overlooked this warning.
There are several ways my password could have been used by a hacker. There’s the slight possibility I clicked on one of those fake eBay emails. I find that really hard to believe as I am very careful about such things. One of my computers may have a keylogging program installed on it. My home computer is protected by AVG, which has never discovered any malicious programs running, so either that’s not the answer, or AVG Anti-Virus Free has failed.
Most likely, the password was guessed through software designed to do such hacking. I could have chosen a stronger password to use.
If there’s anything to take away from my experience, it’s that not every email from eBay is fake, strong passwords aren’t strong enough, and even rarely-used accounts with unimpressive stats are targets.

I don’t think I would have ever caught that since I usually automatically just delete any eBay email as phishing. Probably would have gone unnoticed until I tried to log in.
You may want to try pairing up AVG with some anti-spyware tools like Search & Destroy, SpySweeper, and AdAware just to be sure.
Sounds like you do have a keylogger or tracker on your computer. The AVG program you have won’t catch this type of thing. Go to the AVG homepage and get their trial of the new AVG anti-malware. I had the normal AVG and I had so many viruses on my computer I didn’t know what to do. I contacted AVG and they said for me to visit their home page, download their trials and see which one helped, and the malware was able to rid my computer of everything that the normal AVG didn’t detect. I hope this helps you out :)
I recommend closing your eBay and PayPal accounts (I did recently). eBay has tremendous security problems, I wouldn’t (and don’t) trust them with my money anymore. My account was hacked in a similar way to yours. And then the winning bidder in my auction was a Nigerian scam. I have a recent entry in my blog with more details. eBay is not worth the hassle and security risk.
I now use craigslist for buying and selling junk (cash in person). All the small online merchants take credit cards nowadays, you don’t really need a PayPal account except for eBay.
If you wanted to know if the eBay email was authentic, you can read the complete headers to see if it was really sent by them or spoofed.
Another trick you should look out for with stuff like this is phishers will email you with something like this, and, courteous people that they are, will provide a link that appears to go directly to the login page of your eBay account so you can quickly change your password. But instead, the link goes to their site, so when you log in to change your password they’ve got your username and password.
You should purchase the One Time Password utility that PayPal sells for $5 for more security. I think business accounts get it for free.
Yes, this is indeed quite scary. I wouldn’t have caught on for another 2 months when I next decided to log into eBay and found a problem.
How do you think they got it, by hacking eBay, from a phisher email, or by just guessing your password with some hacking software?
There’s a neat little tool from Microsoft.com that I always use when creating passwords, a “Password Checker”, here’s a link! https://www.microsoft.com/protect/yourself/password/checker.mspx
No fun. I forgot I even have an eBay account until they sent me a message reminding me.
I always quickly check most emails even if I think it might be phishy just in case. Stuff like this makes me want to have secureid for everything.
Take a look at Roboform.com. This password protection program is superb! It encrypts your passwords and enters them automatically. It also will create random passwords for you. You can lock it completely by password to the program itself. It eliminates all possibility of a keyboard spy program. It comes in two versions…one for a desktop, one you can run on your flashdisk and carry with you…use it on ANY computer, and it doesn’t leave any data on the computer on which you use it.
I received the same email about a year ago. The most frustrating thing is that eBay won’t tell you how they know your account was hacked because they don’t want hackers finding out how to get around their tactics. The problem is that you as the end user can’t figure out how to better prevent the problem in the future other than guessing.