ESET Ireland has recently come across examples of phishing attempts in replies to classified ads on Donedeal.ie. However, you’ll come across the same sort of thing as a user of eBay, Craigslist and so on.
The seller may receive an innocent-looking message like "Is the item still for sale?", and if he replies, he’s likely to receive a generic answer such as the example below.
Hi mate, I have looked at it a few times now, and after looking around, I’m satisfied with the great condition but what’s your actual price for it. I love a bargain, so i would like to get it as soon as i can. I would be able to make payment through PayPal, i find it the easiest way to use my credit card safely and is a safe and reliable method of payment… Let me know your price for it . I hope to hear from you soon, and i will make all transportation preparations for the it to be transported to my home. If possible can you send me some recent picture of the item ?
In the case above, the seller was selling a boat, but the reply never mentions the boat at all: the buyer keeps referring to "it" or "the item" (or even "the it", presumably a typo for "it" or "the item"). This suggests that the message is a generic (i.e. non-specific) reply sent more or less automatically to a large number of sellers of all sorts of items. (A lack of personalization is one of the main giveaways for most kinds of non-targeted phish.)
Part of the purpose of the scam may be to induce the seller to disclose their online payment account details and other personal information, which the scammers can then use for identity theft, for attacking the account, and for other activities that yield financial gain. Usually, though, there is a second phase of the attack, in which the scammer follows up from another email address with a phishing email that appears to come from PayPal (or Craigslist, or whatever service is being used). In some cases the scammer will first have asked the seller to send a payment request or invoice. The detail of the message in this phase will obviously vary widely.
However, a complete example will probably look something like this, albeit with graphics and pseudo-legal textual frills to make it look more official:
Dear [victim's name]
[Service provider] confirms that [scammer's alias] has sent you [agreed sum, often in excess of the amount for which the item was originally offered] for [the item].
[Victim's name] deserves a little clarification. Initial phishing emails normally open with something like "Dear valued customer" or the victim’s email address, because the sender doesn’t have access to a real name. (Non-personalization is one of the likely indicators of a scam.) In this case, however, the scammer may be able to use the victim’s real first and last name correctly, derived from the victim’s reply to the original message. This can make the email harder to distinguish from an authentic PayPal message.
The details of the item and the transaction will be included, to reassure the victim that all is in order. However, there will also be a note to the effect that payment is pending for some fabricated reason (usually something to do with security; it’s amazing how often security is eroded "for security reasons"). The note will state that the provider will not credit the victim’s account until the shipment reference number has been received, supposedly in order to protect the buyer from fraud on the part of the seller. The odds are, however, that the scammer will receive and sell on the goods without paying any money whatsoever.
There may be a pointer to the real PayPal site, on the assumption that the victim will be reassured by the official look of the message and not seek verification. However, it’s at least as likely that the pointer will be to a cloned PayPal site giving misleading information. In such a case, the scammer not only gets the goods without paying, but may be able to carry out other fraudulent activities before the victim realizes that he’s been conned.
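The check at the heart of that last paragraph, whether a link that looks like PayPal actually leads to PayPal, can be automated for the HTML body of a suspect message. The following is an added Python example written for this page, not code from ESET or from the post; the sample message, the hostnames in it (including the lookalike "paypa1.com" and the subdomain trick "www.paypal.com.verify-account.example") and the two-label domain heuristic are all constructed for illustration. The registrable-domain heuristic is deliberately naive: a production tool would consult the public suffix list so that, say, a .co.uk host is not reduced to "co.uk".

```python
"""Flag links in a 'payment confirmation' email that do not lead to the
real PayPal site.  Added example for this post, not ESET's code; the
sample message, the hostnames and the domain heuristic are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domain the genuine service is expected to use (assumption).
LEGIT_DOMAINS = {"paypal.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive heuristic: the last two labels of the host.  Adequate for
    .com-style TLDs; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text=""):
    """Return (href, reason) if the link is suspicious, otherwise None."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host:
        return (href, "not an http(s) URL")
    domain = registrable_domain(host)
    if domain not in LEGIT_DOMAINS:
        # 'www.paypal.com.verify-account.example' belongs to
        # verify-account.example, however reassuring its left-hand labels look.
        return (href, "host %s belongs to %s, not PayPal" % (host, domain))
    if parsed.scheme != "https":
        return (href, "PayPal link without TLS")
    # Anchor text that displays a URL on a different domain than the target.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != domain:
        return (href, "displayed URL %s does not match target %s"
                % (shown.group(1), host))
    return None


def suspicious_links(html_body):
    """All flagged links in the message, in document order."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    return [r for r in (check_link(h, t) for h, t in parser.links) if r]


# Constructed sample following the skeleton described in the post.
SAMPLE = """<p>Dear John Smith,</p>
<p>PayPal confirms that M. Buyer has sent you EUR 4,500.00 for Boat.</p>
<p>Payment is pending for security reasons. To release the funds, enter the
shipment reference number at
<a href="http://www.paypal.com.verify-account.example/release">https://www.paypal.com/release</a>.</p>
<p>Questions? <a href="https://www.paypal.com/">PayPal Help Centre</a></p>
<p>Or confirm at <a href="https://paypa1.com/confirm">paypa1.com</a>.</p>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE):
        print("SUSPICIOUS:", href, "->", reason)
```

Run against the sample, the script flags the subdomain-trick link and the lookalike domain, and passes the genuine paypal.com link. Note that it only inspects the link target: a message that points at the real PayPal site (the first case in the paragraph above) will pass this check, so it is a filter for the cloned-site variant, not proof that the message is genuine.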
Buyers and sellers on online classifieds sites should therefore always check the identity of the person they are dealing with and how safe the proposed method of payment is, and if they are unsure of anything, they should check with the service first. They should take advantage of the fact that reputable companies like PayPal offer a means of securing transactions without giving away information that makes it easier for a scammer to impersonate the service provider. They should take the time and trouble to find out exactly how the service protects both parties in the transaction. And in most cases, we recommend linking a credit card rather than a cheque or savings account, as a credit card is likely to offer better protection or recompense in the event of a successful fraud.
In the final part of this blog, we offer some more general advice on recognizing phish and related phoul play.
David Harley, ESET Senior Research Fellow
Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland