
I would like the community's input on an event that took place recently, which I honestly don't know what to make of:

  1. When trying to watch an item on eBay, a warning notice said my account had been compromised and that the account was locked to prevent abuse.
  2. I wrote an email to eBay and got a response from customerhelp@ebay.com saying:

    1. I must call them by telephone to reopen my account.
    2. The call would take 10+ minutes.
    3. The call would be handled by a person in a specified Asian country.
    4. The email was full of phrases like "Your obedience is important to us".

There's been an explosion of phone fraud where I live lately, and the details above obviously scream "fraud" (confirmed after writing an e-mail to spoof@ebay.com), but what I don't get is:

  1. How did they manage to trigger a "Your account has been locked" message on eBay in the first place? (This warning appeared on two occasions, but seems to have disappeared now.)
  2. More importantly, how did they ever manage to take control over customerhelp@ebay.com? (My email was quoted in their response, which proves their access to this inbox.)

Furthermore, spoof@ebay.com were not very helpful in explaining what had happened or anything. I'm not even sure if I should trust their response...

Update: spoof@ebay.com does not provide any explanation of the incident, despite several requests. customerhelp@ebay.com is still responding in their customary fashion, as if just waiting for me to take the bait. Maybe I should just close my account. It's been years since I bought anything from this ageing dinosaur, which hasn't changed its design since the nineties and evidently has no control over or interest in its security or customers. (PS! A week after writing this paragraph, eBay shows a link to switch to a modernised design. This issue has now entered the twilight zone.)

Below is an extract of the email headers. It also contains a couple of DKIM entries.

From: customerhelp@ebay.com
Received: from mxphxpool1032.ebay.com ([66.211.185.135])
Received: from mxphxpool1004.ebay.com (phxlb238-ext-snat01.phx.ebay.com [10.4.13.31])
Received: from phx8b02c-f396.stratus.phx.ebay.com (phx8b02c-f396.stratus.phx.ebay.com [10.193.75.168])
Message-ID: <***.JavaMail.cronusapp@phx8b02c-f396.stratus.phx.ebay.com>

Update: I just noticed that the communication with eBay is actually shown in "My messages" on ebay.com! Is this eBay communicating after all?? But what kind of customer service writes stuff like "Your obedience is important to us" to their users and needs a long international phone call to verify accounts? Outsourced customer service? Or even outsourced customer service gone rogue, dashed off with bad English and cultural references incomprehensible to the western world.

> It’s been half of the Year, a Blessed day to you and your family!
>
> Thanks for getting back to eBay Customer Service. I know it wonders you how long will the Identity Confirmation take. My name is Lester(*), don’t worry, I will do my best to help you today and give helpful tips when reaching us over the phone.
>
> First off, I want you to know that it makes me happy personally that you have lent us time by talking to us over the phone and for being open-minded. Your obedience and resourcefulness are really important for us.
>
> We are located in the Philippines at the same time I have to tell you honestly that we will not be able to disclose the exact location of any of our representatives. This is due to security measures and practices.
>
> And I believe that ATO calls will take less than 12 minutes. This is as long as the questions that needs to answered will consistently delivered.

(*) - The name changes for every email.

forthrin
  • Did you copy-paste their email address? Otherwise, it may be a [domain name homograph attack.](https://en.wikipedia.org/wiki/IDN_homograph_attack) – Yuriko May 09 '18 at 11:29
  • @Yuriko: Their email (which I responded to a couple of times) exclusively contains the ASCII characters `@ebay.com`. Furthermore I use a primitive terminal-based email client, which actually refuses to send email to domains containing non-ASCII characters. – forthrin May 09 '18 at 11:37
  • When you say your email was quoted, is it the content of the email you sent to eBay in the first place, or your email address? And could you give more information on that warning notice? – Yuriko May 09 '18 at 12:03
  • "I wrote an email to eBay and got a response from `customerhelp@ebay.com`" Did you literally type "customerhelp@ebay.com" in your email program and they literally quoted from the content of that email? – Arminius May 09 '18 at 12:09
  • Now that's really intriguing indeed... – DevMoutarde May 09 '18 at 12:20
  • @Arminius: I wrote back and forth several times with customerhelp@ebay.com. The entire content of my email was quoted. The email headers (Received, DKIM, etc.) seemed legitimate, though I guess this can be spoofed. Unfortunately, I don't remember the specific wording of the warning, but it came up when trying to do things like watch an item. Does anyone know if 1) eBay actually has an account freezing mechanism like described, and if 2) they actually require users to phone in and answer questions for up to 10 minutes to reopen accounts? – forthrin May 09 '18 at 13:10
  • I don't know then. Would it be possible that the `reply-to` field was set? (While the `from` field spoofed eBay's legitimate email address.) – Yuriko May 09 '18 at 15:58
  • One thing you might not have considered is that eBay may have a function where you can contact a seller by using their handle. For example, if my eBay handle was ojblass and I registered to the site, you may be able to contact me at ojblass@ebay.com. There are a lot of variations of customerhelp@ebay.com, help@ebay.com, sales@ebay.com, or accountlockout@ebay.com. Too many variations for eBay to consider. My guess is that they triggered the account lockout on your account and sent you an email from an internal system that eBay has to connect sellers to buyers that is not widely known. – ojblass May 09 '18 at 17:02
  • @ojblass: Good theory, but does eBay in fact let people create their own ebay.com address? I couldn't find any information on this, and I doubt they would let people do this. Maybe a remnant from the site's infancy? If so, I would shut down this feature on the hour. PS! There was no Reply-To field either. – forthrin May 10 '18 at 07:12
  • Somebody noticed eBay doesn't have an email support contact: https://community.ebay.com/t5/Member-To-Member-Support/Messages-to-customerhelp-ebay-com-don-t-go-thru/qaq-p/26657557 – mootmoot May 17 '18 at 10:04
  • @mootmoot: Well, I *do* get responses, though of highly doubtful nature. So how do I understand this? eBay stopped their email support, and now someone is hijacking their obsolete email addresses for fraudulent purposes? How do I tell eBay about this, since they don't care to read email? I don't use social media, and I don't intend to spend a single cent on international phone calls to help this ignorant fossil. – forthrin May 17 '18 at 11:28
  • It will make everything easier if you just provide us all the reply email headers (masking your personal details); post them here or paste them into pastebin (give us the link here). The malvertisement on the screen may collect enough info to let it avoid responding to "uninvited guests" (otherwise some security researcher would already have published their own findings). – mootmoot May 17 '18 at 11:53
  • Could you elaborate on 'I wrote an email to eBay'? Where did you get an email address to send email to? In that 'warning notice' or somewhere else? – averasko May 21 '18 at 17:43
  • @averasko: I think it was here: https://ocsnext.ebay.com/ocs/cuhome > Account Security > Someone has used my account > Email us – forthrin May 21 '18 at 19:16
  • Is it possible your "terminal-based email-client" has been replaced with a malicious one? – bobuhito May 21 '18 at 20:55
  • Google seems to suggest that customerhelp was a legit address, at least in the past, but support has always been questionable. So that might still be a legit account, possibly now with even worse outsourced support. But if I go to ebay.com > help, and I scroll down, I only have options to contact them by phone, so that's probably the way to do it. I see that with "call us" they give you a one-time passcode to identify you, so you won't have to provide info. I would contact them in this official way to settle the issue. – reed May 21 '18 at 21:36
  • It would be really helpful if you posted the _entire_ contents of the emails, including headers. – forest May 22 '18 at 04:35

1 Answer

You have taken a sensible set of steps to resolve the matter yourself. Kudos for not getting stung.

However the main indicators of an issue you are reporting here seem to be related to the content rather than the technology.

> a warning notice said my account had been compromised and that the account was locked

That may have come from eBay as a result of an attacker's actions or it might be part of the attacker's ploy. Did you check you were using HTTPS? Did you take a note of the details on the certificate? Did you compare them with the details when you log in from elsewhere? What browser were you using?

> I wrote an email to eBay and got a response from customerhelp@ebay.com

What email client did you use (subsequently answered partially in comments)? Where did you get the address you sent the email to? Was the address you sent the email to the same as the From/Reply-to address on the response? You did say the response quoted your original email which is significant. Including the full headers from the response here might have been useful.

> I must call them by telephone to reopen my account.

Was it a toll-free number? Did you try to verify the number appeared on the eBay site using a different computer elsewhere? Did you try googling the number (again, on a device elsewhere) to see if anyone else had come across this?

> fraud [...] confirmed after writing an e-mail to spoof@ebay.com

I hope your correspondence with spoof@ebay was initiated from a different device. In this instance it would appear that your email to them was not diverted, but if you suspect that an attacker might be able to subvert one @ebay.com account, then it's reasonable to assume that all the correspondence to that domain may be compromised.

> How did they manage to trigger a "Your account has been locked" message on eBay

I have no idea. I think it's more likely that they found a method of triggering this behaviour at eBay rather than a MITM/MITB attack against your HTTP session. Organizations tend not to publish the secret sauce recipe by which they identify fraud. But it may have been as simple as typing in the wrong password lots of times.

> how did they ever manage to take control over customerhelp@ebay.com?

They don't need to.

It might be sufficient to control any of your devices, your router, the router at your ISP, the mail server at your ISP, or the DNS server at your ISP. It is also possible that the eBay mail service has been compromised. Many large organizations outsource their support to the cheapest call centre. So even when you are corresponding with the designated eBay support people, you might not be corresponding with people employed by eBay. So in addition to the servers/routers at eBay, and the servers/routers at the call centre, I think it's reasonable to include actions by rogue agents currently or formerly employed by the call centre as potential candidates.

While the DKIM and partial headers suggest that the fraudulent responses were routed via eBay's servers, there is not enough information here to prove that is the case. There is enough information in the original email to prove if this is true.

symcbean
  • This rather highlights that while we have lots of clever ways for machines to identify other machines, the only thing we can do to help humans identify machines is put a picture of a padlock in a browser. – symcbean Jun 06 '18 at 15:44
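As an added example (not code from the question or the answer), here is a Python triage script that applies the checks raised on this page to a header block like the one the asker extracted: a Reply-To that diverts replies, a non-ASCII (homograph) sender domain, DKIM signing-domain alignment, and the Received chain. The hostnames and IPs are those from the question's extract; the Reply-To and DKIM-Signature lines are constructed, since the question only says DKIM entries were present.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample modelled on the question's header extract; the Reply-To and
# DKIM-Signature lines are invented (the question only says DKIM entries were present).
RAW_HEADERS = """\
From: customerhelp@ebay.com
Reply-To: customerhelp@ebay.com
Received: from mxphxpool1032.ebay.com ([66.211.185.135])
Received: from mxphxpool1004.ebay.com (phxlb238-ext-snat01.phx.ebay.com [10.4.13.31])
Received: from phx8b02c-f396.stratus.phx.ebay.com (phx8b02c-f396.stratus.phx.ebay.com [10.193.75.168])
DKIM-Signature: v=1; a=rsa-sha256; d=ebay.com; s=constructed; h=from:to:subject; bh=...; b=...
Message-ID: <***.JavaMail.cronusapp@phx8b02c-f396.stratus.phx.ebay.com>
"""

def domain_of(header_value):
    # Lower-cased domain of an address header ('' if the header is absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    # Returns (findings, hops): red-flag strings plus the parsed Received chain.
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Homograph check (raised in the comments): the sender domain must be plain ASCII.
    if not from_dom.isascii():
        findings.append("non-ASCII characters in From domain")
    # Diversion check: a Reply-To in another domain silently redirects your answers.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # DKIM alignment: the signing domain (d=) must be the From domain or a parent of it,
    # as DMARC requires; verifying the signature needs the selector's key from DNS (skipped).
    signers = [m.group(1).lower() for h in msg.get_all("DKIM-Signature", [])
               if (m := re.search(r"\bd=([^;\s]+)", h))]
    if not signers:
        findings.append("no DKIM-Signature header")
    elif not any(from_dom == d or from_dom.endswith("." + d) for d in signers):
        findings.append(f"DKIM d={signers} not aligned with From domain {from_dom}")
    # Received chain, newest first. Only the lines your own provider added can be trusted;
    # the sender supplies the rest. The hop that handed the mail over should be a public
    # IP whose HELO name is under the claimed domain; RFC 1918 hops below it are internal relays.
    hops = [(m.group(1).lower(), ipaddress.ip_address(m.group(2)))
            for h in msg.get_all("Received", [])
            if (m := re.search(r"from\s+(\S+).*?\[([\d.]+)\]", h))]
    if hops and (hops[0][1].is_private or not hops[0][0].endswith("." + from_dom)):
        findings.append(f"outermost relay {hops[0][0]} [{hops[0][1]}] is not a public {from_dom} host")
    return findings, hops
```

Run on the constructed sample, the script reports no findings, which matches the answer's point: the headers are consistent with routing via eBay's servers but cannot, on their own, prove who wrote the content.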