Please see Question 253108 on the ebay scam that, in this case, may
not have done very much damage.

But, assuming that there are 24 million ebay customers (not all in the
US of course) and that spam is supposedly shipped out literally by the
million ...

How many of the recipients are likely to have responded to the
'Official Notice'? And how many of these would have provided the
information requested?

An intelligent guess is all I am looking for ... And, please remember
that the email was in English and was directed mainly at US citizens.

---

Request for Question Clarification by politicalguru-ga on 08 Sep 2003 09:23 PDT

>It would be good if there was some place where these could be
reported
so that the sites could be shut down double quick.
 
Except from alerting eBay, you could contact various organisations and
bodies, fighting against spam or web-criminality.

As for the figures, like Morris, I believe that many fall for that.
Ebay themselves stopped writing links in their posts to users, because
of that.

There are some details here:
http://pages.ebay.com/help/index_popup.html?confidence=spoof-email.html

I could probably bring up an estimate of people who suffer identity
theft of various kinds. Would you like that?

---

Clarification of Question by probonopublico-ga on 08 Sep 2003 09:59 PDT

Hi, Political Guru


That would be great!

Many thanks ...

Can you break it down by country?

And find Victor Grayson alive?

Kindest regards

Bryan

Dear Bryan, 

Auch! That nudge hurt! I took a deep breath, stopped being such a
chicken, and researched an answer for you.

Indentity theft through the Internet is a serious problem in the past
few years, and despite enforcement efforts to decrease the phenomenon,
or attempts to educate the public on the problem, its scope is
actually increasing.

There are different estimates on the number of people who actually
fall victim to identity theft.

"Statistics show that identity theft has moved well past the bud stage
to reach the level of full-blown weed infestation in recent years. The
number of U.S. consumers that complained about some sort of identity
theft nearly doubled to 162,000 last year, according to the Federal
Trade Commission. And government figures only scratch the surface,
technology analyst firm Garter said. Gartner estimates that 3.4
percent of U.S. consumers--about 7 million adults--have been victims
of identity theft of some form in the past year." (Source: Gilbert,
Alorie, "Tech firms band together on ID theft" CNET,
<http://famulus.msnbc.com/famulusgen/cnet09-03-053502.asp?t=CNTEK>).

Only a few days ago, Jay Lyman of the TechNews World, reported on an
FTC report "which revealed more than 27 million victims of this crime
[identity theft, PG] in the last five years, did not differentiate
Internet-related ID theft from standard ID theft, but experts agreed
that perpetrators are leveraging technology  to commit this kind of
offense today." (Lyman, Jay, "FTC: Identity Theft Worse Than
Estimated", TechNews World,
<http://www.technewsworld.com/perl/story/31498.html>).

You have asked, how they extract the email addresses of users in order
to spam them. Apparently, there are two main methods they use. The
first is to hit "blindly" with the "regular" mailing lists that
spammers get a hold of. I got recently a mail from a US online bank,
that asked me to change my passowrd. I am not a customer of that bank.
The other, is related to the fact, that eBay users could once present
their email as their user name. In addition, in a bug that occured on
November 13th ,2002, emails were presented for few hours next to the
user's name in auctions (Festa, ibid). Quiet appropriately, this fishy
kind of scam (sending an email, requesting for private information,
and setting up a spoofed page, as in your case) is called "Phishing".

The scammers make an increasing usage of "open proxies", that enable
them to disguise the real source of the email: "SurfControl says that
spammers have grown increasingly clever, discovering how to tap into
the computers that companies use to give their employees access to the
Internet. By breaking into these "open proxies," the spammers can
disguise the origin of their e-mails, making it nearly impossible for
law enforcement to go after them. According to research from the
University of Oregon Computing Center, the number of identified open
proxies mushroomed from 1,000 in October 2002 to 100,000 in April
2003." (Source: SHELLEY EMLING, "'Spoof' e-mail scam spreads", Atlanta
Journal-Constitution: July 9th 2003
<http://www.ajc.com/business/content/business/0703/09spam.html?urac=n&urvf=10631835937370.16309632867670043>).

Ebay works in cooperation with the American "Federal Trade Commission"
against spoofed site (Gilbert, ibid), and the problem is actually
highly common in attacking high profile companies, such as CitiBank,
AOL, and others (See: Paul Festa, "Identity thieves strike eBay" CNet,
<http://news.com.com/2100-1017_3-966835.html>). They also formed a
coalition, with other victims, to act against it (Jay Wrolstad,
"Coalition Targets Online Identity Theft", NewsFactor Network,
September 3rd, 2003,
<http://www.newsfactor.com/perl/story/22209.html>).

Naturally, eBay is not too keen to expose hard numbers on identity
theft through spoofed eBay sites, and it might also be inaccurate in
any case (since some people are not aware that they have been scammed,
or report it to other bodies). An eBay spokesperson "could not
quantify the extent of ID theft at eBay" (Wrolstad, ibid) but also
admited to gowing concern regarding the issue.

The FBI also doesn't reveal how many people complained on being
phished: "The FBI is investigating specific phisher sites, said Keith
Loudreau, chief of the bureau's cybercrime division. He declined to
reveal the number of active cases but said ongoing investigations led
the FBI to suspect Internet users in Russia and other former Soviet
republics.
    Mr. Loudreau said the FBI is taking reports of phisher sites
seriously because tracking down those involved in identity theft is
part of the bureau's efforts to stop terrorism. He said terrorists are
known to use stolen information to obtain driver's licenses and other
documentation.
    The specific number of complaints about phisher sites is not
known, because the FTC and FBI do not break down complaints of
identity theft by type." (Source: Tim Lemke, "Internet scammers go
'phishing'", Washington Times, July 22, 2003,
<http://dynamic.washtimes.com/print_story.cfm?StoryID=20030721-103626-2915r>).
 
According to the Lemke article, this is not so common: "Mr. Baker,
from Earthlink, said phisher sites are relatively rare. And he said
the majority of Internet users do not fall victim." (ibid).

eBay users could be exposed to other kinds of frauds. A user could
claim that something is "authentic", when it is actually a fake
(highly popular with designer items, such as Gucci or Prada
bags/shoes), or not send the item they been paid for. Hackers also try
to crack passwords of eBay users, using a "dictionary" of common words
(See: Troy Wolverton, "Hackers find new way to bilk eBay users" CNET 
http://news.com.com/2100-1017_3-868278.html>).

A guy called Matthew Bright runs a site that might interest you:
Millersmiles Online, <http://www.millersmiles.co.uk/> - guides to
spoof email & spoof web pages (in eBay and PayPal).

There is also a site called "Fight Identity Theft", that has lots of
information for victims and watchmen alike 
<http://www.fightidentitytheft.com/>.

I hope this answered your question. My search terms: 
phishing "number of victims OR people"
phishing ebay "number of" 
phishing ebay number
phishing ebay 
"identity theft" "spoof OR spoofed" ebay "number of"
"identity theft" spoof ebay "number of" victims 
"identity theft" ebay "number of" victims 
"identity theft" ebay "there are" victims 
"identity theft" ebay "there are" 

As always, you could contact me if you need clarifications.

---

Request for Answer Clarification by probonopublico-ga on 10 Sep 2003 04:05 PDT

Not a Request, just a Big Thank You. (Or should I say Big
Dankeschoen?)

Your stuff looks great but I don't have time to read it right now 'cos
I've got a microfilm reader booked for 1 p.m.

In case you wondered, it's just turned noon where I live.

Kindest regards

Bryan

---

Clarification of Answer by politicalguru-ga on 10 Sep 2003 06:01 PDT

Dear Bryan,  

You're welcome. 

Careful with your eyes, though. My husband spend last week with
headaches after spending his time with some microfilm clips.

Hi, PG

You have surpassed all my expectations, again.

Very many thanks.

Bryan

Hi there!

What a brilliant answer Sublime1 gave to your original question.  Very
impressive.

Unlike the scam.  You ask how many might have responded - and frankly,
I have no idea.  But if the message went to just 1% of the 24 million
ebay customers you note, then it went to 240,000 customers, and if
just 1% of those customers responded then the scammers got 2400
replies.  I doubt that all were as suspicious as you - so let's say
50% gave personal details.  What a coup.  Ouch!  1200 victims giving
up their IDs, their ATM pins, credit card details...?  What couldn't a
villain do with that sort of information?

Not having seen the message (I am not an ebay customer) - do you think
they actually got the ebay mailing list, or was this a general mailing
which would find some ebay targets and a lot of mis-hits besides?

Interesting question, interesting problem.

Best, r2l

I received a scam letter from an eBay impesonator late last week. The
page it linked to was a form where the user could input his/her credit
card number, PIN number, mother's maiden name, Social Security number,
etc. -- all for "confirmation" purposes, of course. Of course, I
didn't fall for it, but I also wondered how many people did.  By the
way, this particular page was hosted in Saudi Arabia.

I also got the e-mail a couple months ago, took me a while to figure
out the @ business. I believe that a fairly high number of people
would respond with their information, for the same reason that scam
telemarketers door to door window salesmen make a living. When the
numbers are large enough, some number of those targeted, whether
highly intelligent or not, will be suffering from some mental
impairment - the onset of senility, the death of a loved one, some
workplace or relationship stress or anxiety that renders them
vulnerable. When a person in pain is confronted with such seeming
trivia as confirming personal information or a buying on installment
decision, they may be numb to the consequences and not care enough to
recognize the scam for what it is.

That's my long way of saying, "thousands, if not tens of thousands."

Hi, r2l & Mvguy

No, it certainly wasn't an ebay mailing list, it was spam because it
came to me at an address that I don't use for real stuff but it
produces loads of junk.

Also, because I live in the UK, it was poorly targeted: we don't have
Social Security Numbers here and I doubt if these are as significant
as in the US.

Yes r2l ... if it 'only' generated 1200 responses (I like your logic)
then it was certainly a coup because (I believe) junk mail only costs
£150 per Million.

I've now seen other references to this form of attack (which is known
in the trade as 'spoofing') so it's not new.

It would be good if there was some place where these could be reported
so that the sites could be shut down double quick.

I wonder how many people actually report these things ... even if they
realise that they are scams? (I know that's a further question.)

Great comments.

Many thanks!

Bryan

Hi, Morris

Didn't see your Comment previously.

Many thanks.

Bryan

Hi Bryan,

I didn't see this particular email, though I'm a regular Ebay user,
and also have several email aliases that I s'pose could have been
used.  Thank goodness they weren't.  I too was impressed with
Sublime1's answer, and very glad you didn't fall for the scam.

Interestingly enough, I got a very similar thing from someone
purporting to be Earthlink, my ISP, not once, but twice.  They claimed
my account was about to be closed because my credit card information
wasn't up to date, etc. etc. and were requesting all that same kind of
proprietary information.  Their link went to a website that looked
*exactly* like Earthlink's home page.  Very spooky.  However, like
you, I was suspicious and didn't give out any information.  I just
*knew* something wasn't right, so I sent it to the "abuse" department
at Earthlink with the request they look into it.  Then I logged onto
my account at the regular Earthlink site and verified that all was in
order.  Guess I wasn't the only one - since they now have a service up
at Earthlink where anyone receiving a suspicious email can enter the
link into the box and find out instantly if it originated with
Earthlink or not.  I wonder if Ebay might be interested in providing a
similar service?  Check it out here: http://www.earthlink.net  The box
should be up in the upper right of the page.

Also, as far as reporting, I think most large companies with an
internet presence have an address similar to "abuse@xxxxxxxx.com"
where one might direct a "heads-up" email about it.

Cheers,
Byrd

Hi, Byrd

Many thanks for your Comment.

I've had a look at Earthlink, as you suggested, but I guess that their
gizmo could also be spoofed.

Scary, isn't it?

Bryan

Hello again, Bryan, 

I just realized I gave you the wrong link to check out the new "help
box" for fraudulent websites. It should've been:
http://support.earthlink.net/  Anyway, yes I suppose that too could be
spoofed.  Scary is right! One thing I remember, though, was the link
the crooks gave was to earthlink *dot com* rather than *dot net.*  A
small difference, and with the proliferation of "dot com" websites,
not one likely to be all that noticeable.  I imagine there are similar
ploys in use.  I guess I was thinking that by deliberately going to
the correct "*dot net* site, we wouldn't be diverted to a spoofed one.
 Would we?  We all need to be on guard, that's for sure.

Byrd

Hi, Again, Byrd

Many thanks for your further posting.

I guess that when we communicate with someone that we (apparently)
know and trust that we are not on the lookout for small
inconsistencies until something hits us in the face.

Regards

Bryan

Hi y'all...

Thanks for the praise, r2l & byrd...  : )
People have been wondering about good places to report spam.
The two that come to mind are SpamCop.com
http://vww.spamcop.com/   (the 'vww' is not a typo),
and the news.admin.net-abuse.sightings newsgroup:
http://groups.google.com/groups?hl=en&group=news.admin.net-abuse.sightings

The latter site is especially useful in checking the validity
of suspected spam emails. Since it's searchable via Google,
you can search for the email header, the sending email address,
or some text from your message. Since people post the spam
here as quickly as they receive it, it is pretty up-to-date,
and a good resource.

sublime1-ga

Hi, Again, Sublime One

Many thanks for your Comment.

On your recommendation, I've now got the trial version of Spam
Inspector.

You won't believe that, yesterday, one cheeky spammer offered me
something that was supposed to stop spam!

Bryan

Hello, again!

I see that no-one is brave enough to risk a definitive guestimate to
the original impossible question, but you've got a good discussion
going.

You might want to know that T.S. Eggleston, aka the Eggman, offers a
goodly number of links to scam and scam-busting sites, including a
list of "Places to Report Spam, Fraud and Abuse of All Kinds" at
<http://www.the-eggman.com/writings/spam_hoaxes.html>  It's not an
exhaustive list, looks as if it may be US based or biased, but it's a
still a goodly listing.

Meanwhile, Scamorama <http://www.scamorama.com/> and the Nigerian Scam
Baiting <http://www.geocities.com/a_kerenx/> pages offer another
point-of-view, oft times satirical and including examples of stringing
the scammers along and seeing how much of their time you can waste.

Fun indeed, but the sad fact is that many people really are caught -
just type "scam" into the Google Answers search box to see some real
examples of people who have been caught out.  It's not just an
internet thing, of course, scammers and confidence tricksters have
always been with us - how many people have bought Brooklyn (or London)
Bridge over the years, how many people allow bogus meter readers into
their homes, just know which of three cups the peanut is hidden under?

A good guide is often, If it sounds too good t be true then chances
are it isn't - but that does not work with the meter reader, nor the
ebay ID scam.  There are, as morris points out, people who are just
too gullible for their own good, flustered, too distressed to think,
overawed by (apparent) authority or by the apparently all-seeing power
of the internet - just click here to open this unsolicited email
attachment...

Sorry, I'm soap-boxing. Your impossible question: is it possible to
know how many victims of fraud there are when the victims may not even
know they, and their credit cards, have been defrauded, their
identities stolen...?

r2l

Hi, r2l, Again

Great comments. Many thanks.

Could you please give Political Guru a gentle nudge?

I thought she was going to produce an answer ...

Kindest regards

Bryan

Hi again, Bryan...

mvguy-ga has duly nudged politicalguru, and I'm sure she'll
be with you when she's able to recognize that the nudge is
*not* part of the dream she's having.

I also wanted to say that, perhaps depending on the email
program you're using, the 'mail rules' that Spam Inspector 
installs into your email program will remain after, and if,
you decide to uninstall the trial version before purchasing
it. This is true in Outlook Express, and I expect it is
likely true in other email programs, as well. This will
serve to maintain the rules that were set up, and continue
to block spam to a large extent. Given that, you might want
to tweak the rules using Spam Inspector's options for doing
so, prior to uninstalling it, should you decide to do so.
After removing it, tweaking them will only be possible by
using the email program's interface.

Just thought you'd like to know...  : )

sublime1-ga

Hi, Sublime One

Many thanks for your further advice.

However, I am inclined to purchase Spam Inspector.

I've got another question for you, later.

Regards

Bryan

PB - Thanks for the tip and rating. PG.