Email Scams and Auction Hacks

Email hacks, Auctions, Paypal, and how to avoid a deadly combination of trouble

As a tech provider and security consultant, I try and provide the best advice possible to my friends and clients, but sometimes even I become "victim" of a potential or flat-out breach in security.  I will begin this post by reminding you that passwords MUST be changed often, be complex as possible but still easy to remember, and not be re-used for different purposes. 

With this out of the way, I would like to describe a recent scam that has been making its way through the Internet, using e-mail accounts as its primary entry vector, and using Paypal and the auction site SWAPPA to facilitate its processes.  What I have seen, and what I believe happens, in sequence is this:

  • A hacker gains access to your e-mail account.  He or she does not delete or modify anything related to your mail, but instead adds filters to your account so as to re-direct messages from sites like paypal.com and a popular auction site like swappa.com to THEIR e-mail instead.
  • He then tries to log in to Paypal, using the e-mail account he just "modified" and add a shipping address of his own to the account.
  • Finally, he sets up an account on www.swappa.com and purchases big-ticket items with the Paypal account to which he just added his address.  Because the e-mails associated with both Paypal and Swappa are now being redirected and possibly trashed, the original owner of the e-mail account OR Paypal account does not notice this until it is too late.

The first thing to do right off the bat is to check your e-mail accounts for any added filters that redirect @paypal.com and @swappa.com to another e-mail address and/or to your trash.  Then, change your e-mail account's password.

Next log into PAYPAL and check the account for any unauthorized activity (sadly, anything you see as purchased or completed may be difficult to trace back or get refunded, unless you can convince Paypal within 45 days that this was a fraudulent transaction.

As a third step, you may want to visit swappa.com and see if any e-mail accounts are registered.  Reset any passwords, and delete any profile information and mailing addresses, so even if the account is attempted to be used again it will be more difficult to do so.  As far as I can tell, you cannot delete your Swappa account, but you can change the name to read something like UNKNOWN USER, or DELETE ME.

FINALLY, on both your e-mail account, PayPal account, and any related account, enable TWO FACTOR AUTHENTICATION (2fa) using an authenticator application that you run on your PC or mobile device.  It used to be important to have a phone number or secondary e-mail to be used as a second factor, but as these are now easily spoofed, the ONLY foolproof 2FA method at this time is one that requires physical access to a secondary device, answering challenge questions that you set up* or using an application that generates a random code that expires after a short time.  Google Authenticator and Symantec VIP Access are two such applications that work for this purpose.

*regarding the answering of challenge questions -

1.  DON'T ANSWER SIMILAR QUESTIONS OR SET THEM IDENTICALLY ON SOCIAL MEDIA.  As memes travel through Facebook, Instagram, and Twitter, they serve as nothing more than a means for the original poster to gather as much info as possible on the respondents. 

2. YOUR ANSWERS TO CHALLENGE QUESTIONS ONLY HAVE TO MATCH AND MAKE SENSE TO YOU.  THEY DON'T NEED TO MAKE SENSE TO ANYONE ELSE.  For example, typical challenge questions are "what city were you born?" or "where did your parents meet?"  In most cases, nothing prevents the answer to the "where" question from being something like Mars or Venus, or answering your favorite color as "Summer" or "Bushes"

Here is information on setting up two factor authentication:

YAHOO MAIL: https://help.yahoo.com/kb/add-two-step-verification-extra-security-sln5013.html
HOW TO RECOGNIZE A HACKED YAHOO ACCOUNT: 
https://help.yahoo.com/kb/recognize-hacked-yahoo-mail-account-sln2090.html
GOOGLE: https://www.google.com/landing/2step/
PAYPAL: https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-paypal