The Online Shopping Scam That Almost Duped a Security Professional

December 10, 2020 at 3:15 PM

A great many things have changed in our daily lives since the COVID-19 pandemic began rampaging across the world at the beginning of this year. We have been collectively forced to adapt to working from home, schooling from home, shopping from home, and even receiving healthcare from home. Almost every vertical has been affected by social distancing restrictions, from the entertainment industry pushing back live performances and filming for movies and TV shows, to sports games and competitions being held in empty stadiums with prerecorded cheer tracks. It is anything but business as usual…unless you are a cybercriminal looking for an open and available target. For these entities, business is popping.

Due to the boosted online presence of the world’s workforce, cyberthreats are more prominent now than they have ever been. Remote access has increased tenfold for organizations internationally, which puts them square in the sights of the most aggressive cybercriminals out there. Phishing, online shopping scams, and other social engineering campaigns have increased exponentially and are becoming more successful as the antagonists collect important data on online usage and user preferences. Online shopping is a necessary function for many families and organizations during the pandemic, and those who are perpetrating these scams have taken notice. With a decade of security experience and technical knowledge, even I recently almost fell victim to a phishing campaign. Luckily, my threat knowledge and security awareness won out in the end. Listen to my story; it may help you too.

With the kids doing distance learning away from school, my girlfriend out of work due to her employer going out of business, 3 large dogs rampaging around the house, and the fact that I have usually worked from home myself, the house was getting pretty hectic to say the least. I needed a quiet space to concentrate and do my work, which I consider to be important as it helps my clients improve their information security posture through comprehensive risk assessments and audits. It was time to start looking for a solution. At first, I was thinking about a room conversion or a tiny-home office, but both were expensive and not a viable option in the timeframe I needed. That is when a colleague turned me on to the idea of an RV or travel trailer. Mobile, reconfigurable, spacious, and most of all, quiet and compartmentalized. So, the search began for a bargain travel trailer. Not too old, but not too pricey.


I looked on reputable auto shopping websites like eBay Auto, Amazon, and Camping World, trying to find the value that was right for me. I came across what looked like an almost impossible deal on RVTrader that piqued my interest. A 29’ 2006 model year travel trailer for only $1500. It sounded too good to be true (it usually is), so I decided to inquire, just in case there was a legitimate reason for the low price. The initial inquiry to the seller was done through the RVTrader website messaging platform. Naturally suspicious about the price, I asked, “Why is it so low? Are there issues with the unit? What’s the catch? Is this a scam?” The response I received was not what I expected. The seller responded to me simply stating that another interested party had already claimed dibs on the trailer, and she was waiting on their response. She had apparently forgotten to take the listing down. Of course, I thought, “Well dang, I guess it was legit and I was too late.” So, the search continued onward.

Response

After making inquiries on several other units across multiple shopping sites over several days, I received an interesting message on RVTrader. The seller of the 29’ unit I initially wanted reached out, asking me if I was still interested. Well, of course I was! What had changed? The seller informed me that her buyer had fallen through and could not take the unit, so she was offering it to me. Through some back and forth conversation, she explained that the unit was in top condition, went as far as to provide me with photos on demand, and then offered an in-depth explanation as to why the price was so low. The seller was in the Navy, lived on base, and was about to go to a new duty station at sea. She did not want to store the unit while she was away and needed to offload it quickly. Having served in the military myself, I understand and can appreciate the need to cut ties with things that I can’t take with me. At this point, despite her claims of being in the Navy, I had no real reason to suspect anything phishy. See what I did there?

Emails

She continued to explain in great detail what Navy port she was currently posted at (it was a real port), what ship she was about to serve on (it was a real ship), what part of the world she was headed to (it was a real place), how the trailer would be delivered to me free of charge through a military moving service (which is a real thing), and how the title would be transferred when all was said and done. Any skepticism I had about the legitimacy of the listing had been completely dispelled by this point. It appeared the seller really just needed to get rid of this thing before she left. She did not pressure me to take it and did not put a time limit on the sale. She just told me her deployment date and that it needed to be gone by then. Even her deployment date aligned with general military rotations. It was the next phase in the process that began to shed light on potential nefarious intentions…

When I was sufficiently satisfied with the seller’s explanations, I was ready to buy. RVTrader does not have its own purchase platform, as it is simply a listing site, so I knew I would have to deal directly with the seller to pay for and receive the unit. The seller directed me to continue communications over email so we could initiate the payment and shipping processes. This was not unusual. As with a purchase made through other similar listing sites, sellers generally set up their own method of funds transfer through third-party providers like PayPal. As we began communicating over email, I was asked for my shipping address and some basic information that she could provide to the military movers. I was comforted that she did not ask me to pay first. Most scammers do, and she did not seem like one. I happily provided the information. It was publicly accessible through a Yellow Pages search, and she already had my full name and email address from our email correspondence. Hardly sensitive PII, although PII just the same. When it was time to pay, however, things started getting weird.

The seller told me she had also put the listing on eBay, which was where she intended to perform the actual sale. This seemed logical, as I have made similar listings online over multiple shopping sites for more visibility and transaction capabilities. The seller said she would send me the link to the listing, but while I was waiting for the next email, I started looking for it on eBay myself using the information from RVTrader. It did not come up. I entered every detail I had in different combinations to try and find the listing, ultimately to no avail. I found similar listings, but not the one I was looking for. I emailed the seller letting her know I could not find the listing, now feeling a small amount of suspicion, or maybe just angst. I did not receive a reply right away. In fact, I did not receive another email from the seller for another four and a half hours. For context, our emails had been going back and forth every couple of minutes up to this point. Now I was uneasy, and my small amount of suspicion turned into a general anxiety as I suspected what was coming next.

The email the seller sent me hours later stated that she had accidentally deleted her eBay listing and had to rebuild it. She claimed that she had created an eBay Auto transaction instead and provided access to it through an attachment. The email contained an eBay-related PDF sales order. Red flag time. Now, to be clear, Gmail shows previews of PDFs and I could see it was indeed a real PDF. The question was, what else did the file contain? Most unsuspecting buyers would have just opened it due to the candid relationship that had been built with the seller up to this point. That is a key bit of info we will get back to later. Being a security professional, and even just having a general awareness of malicious attack vectors, I knew better than to open it. Especially after such a long pause in communication. Granted, I was not overly familiar with how eBay Auto differed from regular eBay, but I had a feeling it didn’t require sales to be done through PDF sales orders. I later confirmed this through a support call to eBay directly. There should be a listing in order to make a sale. My next few actions were key to uncovering a plot.

I decided at this point not to continue direct communication with the seller other than to say, “Ok, let me take a look at this and I’ll get back to you.” I started up a firewalled sandbox virtual machine with active virus, malware, and ransomware detection and used a password vault to log into my email account so that I wouldn’t need to use keypresses. From there, I opened the PDF in Gmail expecting virus prompts to go insane. They didn’t. In fact, performing a manual virus scan of the file and a Wireshark capture of the network activity at the time of download and opening did not reveal any network or system threats at all. It was just a PDF. Was I overreacting? As you can see from reading this, I asked myself a lot of questions during this entire scenario. The questions I asked are important. It is crucial not to be complacent and to always question the situation. Well, it turns out I wasn’t overreacting. The content of the PDF became a dead giveaway of an evident scam.

PDF

The PDF was well designed. When compared to eBay purchase receipts I had received in the past, the PDF structure, format, and content were almost identical, except for the details on payment. Not to mention, this wasn’t a receipt. It was a request for payment. The document explicitly directed me to a website to open the listing online and make a payment through wire transfer. Another BIG red flag. It detailed how to perform a wire transfer and how to follow the link to enter the relevant details for the sale. The link itself was actually quite convincing. It appeared to point to an eBay subdomain, but after a small amount of research and opening a fraud support ticket with eBay, I learned that the subdomain was not owned by eBay and had actually been created within the same hour through GoDaddy (reverse DNS and domain searches can reveal this information). Since I was on a secured sandbox system, and with no small amount of curiosity, I opened the link.
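The check described above, whether a link that looks like an eBay subdomain really sits under a domain eBay owns, can be automated on the text pulled out of a document. This is an added example, not code from the original post; it assumes a constructed brand allow-list, a tiny stand-in for the public suffix list, and a constructed sample of the text a PDF extractor would return, and it goes slightly beyond the post by also flagging plain-http links and `user@host` tricks.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the brand is assumed to own (assumption for the example).
BRAND_DOMAINS = {"ebay": {"ebay.com", "ebay.co.uk"}}
# Tiny stand-in for the public suffix list (assumption); real code should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
URL_RE = re.compile(r'''https?://[^\s<>"')]+''')

def find_links(text):
    """Return every http(s) URL found in text extracted from a document."""
    return URL_RE.findall(text)

def registrable_domain(host):
    """Collapse a hostname to the part a registrar hands out (shop.ebay.co.uk -> ebay.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])

def classify_link(url, brand="ebay"):
    """Return (verdict, registrable_domain, reasons) for one URL. A host is 'brand-owned' only
    when its registrable domain is allow-listed; one that merely contains the brand name is a 'lookalike'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("user@ prefix hides the real host")
    domain = registrable_domain(host)
    if domain in BRAND_DOMAINS[brand]:
        verdict = "brand-owned"
    elif brand in parts.netloc.lower():
        verdict = "lookalike"
        reasons.append(f"'{brand}' appears in the host but the registrable domain is {domain}")
    else:
        verdict = "third-party"
    return verdict, domain, reasons

# Constructed text standing in for what a PDF text extractor would return from a fake sales order.
SAMPLE_ORDER_TEXT = """eBay Auto Sales Order (constructed sample)
To complete payment, open your order at https://ebay.com-orders-secure.example/item/29ft
Questions? Visit https://www.ebay.com/help/home"""

def triage_document(text):
    """Classify every link in a document; returns a list of (url, verdict)."""
    return [(u, classify_link(u)[0]) for u in find_links(text)]
```

Anything that comes back as `lookalike` deserves a registration-date lookup before it is trusted, since, as in the story, a freshly created domain is the giveaway.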

Wow. It took me to the end of the yellow brick road. The website link immediately asked me for login credentials. It appeared to be an eBay login page (identical, actually, down to the rotating stock images and current deals on the site), but once again, the subdomain was incorrect. So naturally, I typed in nonsense. It “logged” me in with no issues. I was presented with a prompt that my personal information needed to be updated, which I clicked on excitedly. I no longer cared about buying the trailer or that the sale wasn’t real. This was now my playground, and I was getting an in-depth look at how far social engineering has come, and how far some people would go to get my personal information. The information update screen asked for any PII you could imagine. Full name and address, social security number, primary payment methods, email accounts and more email accounts. It asked for login information to other sites so that I could “connect” them to eBay. I was even asked for photos of my ID or driver’s license for identity verification.

I entered nonsense into all of the fields, uploaded a picture of George Soros for my ID, and prepared to click the update button. I paused. What would happen next? A big banner popping up alerting me that I just got scammed? A message telling me ‘all your base are belong to us’? A thank you for being so forthcoming with my personal information? A redirect to the real eBay page? Nope. Upon clicking the update button, I received a simple message that the session had timed out, and the window closed automatically. Quite the anticlimactic end to a 4-day journey across the world wide web. I was disappointed for several reasons. I couldn’t buy a trailer at an amazing deal, someone had lied about serving in the armed forces to gain personal information from me, and in the end the scammer couldn’t even provide a decent sendoff for acquiring what they came for. Needless to say, I reported the incident to the FBI, alerted eBay of the fraudulent PDF, and investigated the email account and RVTrader listing one more time (the RVTrader listing was gone, and the email turned out to be bassbob223@yahoo.com but was spoofed as another name). No harm no foul in the end, but I couldn’t stop thinking about how far this phishing campaign went and how it might have worked on anyone else, despite the disappointing finale.

Folks, this was not a run-of-the-mill phishing scam. This was intricate. It required the use of multiple web platforms. It involved the creation of a tailored backstory for a false persona. It demonstrated knowledge and due diligence research of real-world locations and military protocols, and, what I thought was most intriguing, a total lack of urgency. Although there was a deadline for this campaign to end, not once did the malicious actor pressure me into completing the process. In fact, at the beginning of the scenario I was purposefully redirected, instilling in me the one thing that most phishers feel themselves: desperation. I was told the sale was going to someone else, so I moved on. Then when the “seller” reached back out to me to see if I was still interested, I immediately felt like I needed to jump on the opportunity before it got away from me. Very clever. Very clever indeed.

Now for the details on how this all worked in the perpetrator’s favor initially, and ultimately in mine. The malicious actor knew I was in the armed forces because my Gmail is connected to my RVTrader account. My email signature shows my full name, my military rank, and my military email address. Any time I message someone through RVTrader, it sends it as an email from Gmail as well. The perp used this limited personal information to perform due diligence and begin building a campaign suited to me personally. The campaign was personal. Not broad. The perp figured I’d have a soft spot for other members of the armed forces and built trust with me on that basis. They tried to build a relationship. It worked at first. My email signature also shows that I am a cybersecurity professional, which probably made the perp work twice as hard to be convincing. At one point during our communications the perp went as far as to say they were looking for serious buyers only and didn’t want to get scammed, as it had apparently happened in the past.

It was smart of the perp to keep the communication on RVTrader for as long as possible, since switching between platforms quickly is suspicious. Waiting until I was sure I wanted to buy the unit was the right play. Things started going south when they paused communication with me for several hours. During the four-hour period we were incommunicado, the perp was likely building out the PDF and the fake domain and setting up automated information gathering tools for their phishing platform, hoping the whole time that I wasn’t going to dig into it. Claiming that the eBay listing was accidentally deleted was a good idea, but it was not good enough. Adding a PDF purchase order was the fatal flaw, and in all likelihood the perp knew it had a 50/50 chance of working but had their fingers crossed. When the whole situation ended, I emailed the perp one last time to let them know I was onto them and that they had been reported to the FBI, along with all relevant domains, reverse DNS data, email accounts, and Wireshark logs from my data collection activities on the PII acquisition site. I received one response:

“Wow. Super. Why don't you enroll in the bureau of idiots to eat donuts till you die.”

I think they were upset. That’s how I know I did a good job.

Remember folks, always check email domains, don’t click suspicious links or open strange documents, never enter sensitive information on unverified websites, try to talk to a real person over voice communications, and most of all, always question everything.
