Vladuz first came to Dotyou.com's attention a few weeks ago (Valentine's Day, as a matter of fact). Dotyou had written some RSS tools to track scam auctions. First, they manually identified the improper English typically used by non-native English-speaking scam artists. The listings with bad English had another consistent feature: They tried to lure buyers into contacting them outside of eBay, through an e-mail address at Yahoo or Hotmail, for example, and then asked that the buyers pay them through Western Union. Using the bad-English phrases in one RSS stream and cross-referencing the non-eBay e-mail addresses in another RSS feed keeps the list of bogus sites current, Livingstone said. Using this list, they kept track of hijacked seller accounts and were tracking some 30 to 70 accounts per day. Each account, however, would typically post from 70 to 200 expensive items, to make as much use of the hijacked account as possible before eBay would shut it down.
The trend culminated with Vladuz temporarily unveiling his auctions to the public, she said. Instead of putting up fake auctions, he began to inject legitimate auctions created by real sellers, updating the auction with big "EMAIL ME" statements. The typical hijacked auction on Feb. 14 looked like this listing, with a "Buy It Now" message luring buyers to a Gmail address.
What's alarming about the new trend, Livingstone said, was that it went beyond fake listings (a "regular Romanian modus operandi") that were the result of successfully phished legitimate accounts and, through a security hole or a tool, entered a new level of sophistication, picking up on real auctions and modifying them. As of Feb. 5, Dotyou.com was in the process of updating an archive of what Livingstone said are live Vladuz auctions, identifiable by his signature toward the bottom: his handle spelled backward, as zudalv.
TAG's Baldwin said that Vladuz first came to her attention through his sale of eBay hacking tools. She saw that somebody on a chat board posted a tale of having been offered the chance to buy a tool called Second Chance Offer. The modus operandi of the tool was to contact an auction bidder who came in second and therefore hadn't won whatever he had bid on. Second Chance offers to sell the bidder a similar item, but in this case, Vladuz appeared to have created a tool that allowed the user to look as though the e-mail was coming from eBay's e-mail system. Actually, the tool creates fake offers, a way to coax a buyer into making a payment and receiving nothing in return. Baldwin searched for any reference of the Second Chance Offer tool and came up with a company called SGI Enterprises, a name to which the handle vladuz was connected. She started tracking postings of vladuz back to 2002, finding postings on Chinese hacker sites. Then Vladuz e-mailed her, offering a look at his or her new tool. It was posted as a Firefox plug-in, Baldwin said, that would automatically decipher and type in the text encoded in a garbled image file.
eBay denies that Vladuz has anything but old screenshots of the back ends of tools eBay created and used. "He didn't have access; he pulled screenshots," England said.
At this point, Vladuz is shrouded in an aura of invincibility. eBay watchers, almost superstitiously, point to his ability to "cherrypick accounts" according to a certain pattern, usually those with a medium amount of feedback that are fairly inactive. News accounts have referenced his ability to offer up hijacked accounts in sequential order as proof that he has access to eBay's internal databases.
That's taking it a bit far, said Dave Jevans, chairman of the Anti Phishing Working Group. "There are of course automated phishing kits, and they are becoming both more sophisticated and widely available," he said.
"However, they typically mine eBay auctions and find user names, and then send e-mails or Second Chance rebid opportunities to those people. That's the only way I can see that automated harvesting would work."
The sequential order of hijacked accounts is typical, he said, when phishers batch-process information and offer it for sale.
Still, given the range of brazen hacks to which the name is attached, Vladuz is scary, and eBay is hot on the Romanian spammer/phisher/hacker's trail. England said that eBay has spent the past few months tracking the crook, working with Romanian law enforcement. But although Vladuz is known as a "career criminal" in Romania, she said, there's no guarantee he or she will be found and prosecuted soon. That's due to differences in laws surrounding IP tracking, for example, but also due to a lack of resources in a country such as Romania.
In an impoverished country such as Romania, money talks, Livingstone said. On that point, England agrees. Back in 2002 when eBay was dealing with a separate hacker issue in Romania, the police knew where the criminal was, she said. Unfortunately, he was some 30 to 40 miles away from the station, and they couldn't afford the gas to go get him. eBay was more than happy to lend a helping hand.
Editor's Note: This story was updated to include more information on Vladuz's reported activities.
But in 2007, Dotyou noticed that the hijacked accounts were only running one auction per hijacked seller; the frugality had disappeared. "It appeared as though something [had] changed," Livingstone said in an e-mail exchange. "As if there is [a] larger and larger pool of available phished eBay IDs so the scammers do not need to be frugal with them any longer."