EBay has helped to shut down a Russian website that was offering to sell stolen customer account information for as little as US$5 each.
Armed with an eBay customer's login and password, a fraudster could post items for sale, collect payments and then never deliver the goods. The site was also offering to sell a handful of PayPal accounts.
Security vendor Sunbelt Software reported it to eBay, which worked with the local ISP to have it taken offline, an eBay spokeswoman confirmed. She couldn't say how many user accounts were offered for sale or whether any customers' accounts had been misused.
The site probably collected the information through phishing attacks or a Trojan horse virus that plants keylogging software on users' PCs, said Alex Eckelberry, president of Sunbelt.
Attempts to harvest and sell such information are fairly widespread, he said. "It would make the hair on your neck stand on end if you knew," he said.
The site preferred accounts that were used infrequently, meaning a user would take longer to notice any suspicious activity, and asked a higher price for accounts with good feedback ratings. Prices ranged from $5 to $25 per account.
"We're in contact with law enforcement to track down the perpetrators and we're going to vigorously pursue this investigation to ensure they are prosecuted," the eBay spokeswoman said.
A check on the Whois database showed the website was registered in December 2005, allegedly to a company in Cypress, California. There was no reply Friday at the phone number provided, although the site's creator would be unlikely to use real contact information.
EBay reiterated its guidelines for customers to avoid having their data stolen: Be extremely wary of e-mail that ask you to update personal account information, download eBay's toolbar with software that detects fraudulent eBay and PayPal sites and report suspicious e-mail.