
Local Classified Penny Auction Scam

While there are plenty of new posts about novel techniques and 0-day exploits, tried-and-true methods of deception continue to work just as well as ever. I want to walk through a simple example and reflect on how effective these methods remain.

Many people turn to online classified sites to buy and sell items. This example starts with one such site, which even I've used on occasion to find used electronics and other items. A search on the site for a "Samsung Galaxy Note 2" returns a posting from today by someone selling one at an unreasonably low price.

$125 for a $500 phone? Almost certainly too good to be true, but what if it's real? There is no harm in asking some simple questions, so I sent an email asking about the condition and location of the unit.

About an hour passes before I get a response from what appears to be a legit seller.

Notice that none of my questions are answered; instead there is a friendly pointer to where the unit came from and how I could get one for the same price. What is the site they point to, though? It is an online penny auction site that claims to let you buy items for far below their value.

The site includes a deliberately generic news-style video, which is not an obvious red flag on its own.

That's when I get a second email, from a different email account, with exactly the same content and a link to a different URL that leads to the same site.

By now I'm suspicious, so I do a little digging into the domain registration (WHOIS) information, the YouTube account posting the videos and the Kijiji posts for the items. All of them look anonymous and scammy.

Switching to the mindset of the people behind this scheme, what might be going on here? One likely scenario:

  1. The scammers set up the fake bidding site and YouTube accounts, and probably Twitter and email accounts too, complete with fake items and auctions.
  2. They post a few ads on local classified sites for desirable items at too-good-to-be-true prices.
  3. They set up a script to auto-reply to inquiries from legitimate buyers with links to the scam site.
  4. The site asks the user to register with an email address and password.
  5. They try that email address and password against the user's email provider, counting on password reuse. Any account that works is added to the pool of accounts the scam messages are sent from.
  6. If the user is gullible enough to bid and pay for items with a credit card or PayPal, that is free cash.
  7. After a week or two they switch to another email address, URL, payment gateway, etc.
  8. Really nefarious scammers could also extract all of the mail from a compromised account and use it for additional fraud or identity theft.
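The auto-reply in step 3 leaves a mechanical signature, the same one noted earlier in the post: several "sellers" answering different ads with byte-identical text, each linking to a different URL on the same site. The following Python script is an added example, not code from the original post, and looks for exactly that. It replaces URLs in each reply body with a placeholder, groups identical templates that were sent from more than one address, and extracts the site the links resolve to. The sender addresses, ad titles and `bid-example.test` domain in it are constructed samples, not real addresses or sites.

```python
"""Flag template auto-replies to classified-ad inquiries.

Added example (not code from the original post). The pattern it looks for is
the one described above: several "sellers" answering different ads with the
same body text, each pointing at a different URL on the same site.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample replies. Senders and domains are placeholders, not real
# addresses or sites.
SAMPLE_REPLIES = [
    {"from": "sharon.w@example.net", "ad": "Samsung Galaxy Note 2, $125",
     "body": ("Hi, the phone was just sold, sorry! I got it from "
              "http://bid-example.test/promo?ref=1 - you can get one there "
              "for the same price.")},
    {"from": "sharon.a@example.org", "ad": "iPad 2, $130",
     "body": ("Hi, the phone was just sold, sorry! I got it from "
              "http://www.bid-example.test/landing - you can get one there "
              "for the same price.")},
    {"from": "joe@example.com", "ad": "LG portable air conditioner",
     "body": ("Still available. It's in good condition, pickup only in the "
              "downtown area. Call after 6pm.")},
]


def normalize(body):
    """Replace links with a placeholder and collapse whitespace and case, so
    the same template with a different URL compares equal."""
    text = URL_RE.sub("<url>", body)
    return " ".join(text.lower().split())


def link_sites(body):
    """Return the set of hostnames the links in a reply point at, with a
    leading 'www.' stripped so the two URL variants above map to one site."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts


def find_template_replies(replies):
    """Group replies by normalized body and return the groups that were sent
    from more than one address: identical text from 'different' sellers in
    response to different ads is the auto-reply signature."""
    groups = defaultdict(list)
    for reply in replies:
        groups[normalize(reply["body"])].append(reply)
    flagged = []
    for members in groups.values():
        senders = {m["from"] for m in members}
        if len(senders) < 2:
            continue
        sites = set()
        for m in members:
            sites |= link_sites(m["body"])
        flagged.append({
            "count": len(members),
            "senders": sorted(senders),
            "ads": sorted(m["ad"] for m in members),
            "sites": sorted(sites),
        })
    return flagged


def mentions_any(body, keywords):
    """Cheap second signal: does the reply address any of the questions the
    buyer asked (condition, location, ...)? Keyword matching only, so it is a
    hint, not a verdict."""
    text = body.lower()
    return any(k.lower() in text for k in keywords)


if __name__ == "__main__":
    for group in find_template_replies(SAMPLE_REPLIES):
        print("template reply from %d senders -> %s"
              % (group["count"], ", ".join(group["sites"])))
        print("  senders:", ", ".join(group["senders"]))
        print("  ads:    ", "; ".join(group["ads"]))
    for reply in SAMPLE_REPLIES:
        print(reply["from"], "answers condition/location:",
              mentions_any(reply["body"], ["condition", "pickup", "location"]))
```

Run stand-alone it reports the one flagged group (two senders, two different ads, one site) and then, as a second signal, whether each reply mentions anything about the condition or location that was asked about; a template reply that ignores the buyer's questions fails that check, but an honest terse seller can fail it too, so treat it as a hint rather than a verdict.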

Simple scams like these are obvious to critical thinkers, but with so many people online exposed to them, how do we find out about them? And what's to stop more from springing up all the time?

Three lessons for people:
1.  If something looks too good to be true, it almost always is.
2.  Follow safe browsing practices. Be patient, and don't rush into giving anyone your information or registering with unknown sites.
3.  If you fall for a scam, tell people about it and report it to local law enforcement, the Internet Crime Complaint Center, and Google's phishing report form.


Anonymous said…
This guy is right. I got the same exact email from this so-called "Sharon William" shown in the story above. This person directs you to either the "biddycacts" site or "bidcactus" site. And all they want from you there is your credit card information, which will charge you $$ for signing up, and you get nothing in return.
Anonymous said…
I got 2 e-mails. 1 from Sharon Adams and 1 from Sharon Williams. Hard to trust anyone these days.
Anonymous said…
Got the exact email also from a Craigslist ad. These types of people are why I conduct transactions on this type of thing with a throwaway email account.
Anonymous said…
I also received an email today from Sharon William in response to a TV ad on Craigslist with the exact same message directing me to biddicacts.
marcia said…
Me too, through a Craigslist ad today. They were talking up
Anonymous said…
Also got the same thing this morning, through a Craigslist ad I'd seen. I had enough scams when trying to sell a few items on Craigslist. I have a few checks for $3,000 that are bogus. Fortunately, I was able to sell my items to a legit person!!
Anonymous said…
I answered an ad for an LG portable air conditioner on Craigslist. I received 2 replies from Sharon Williams. The first response said the item was still available; 10 minutes later a second response said it was just sold and directed me to the site. The site requires you to pre-pay for bids with no guarantee of winning. When you bid you lose your money even if you don't win.
Anonymous said…
I got the same response (from Sharon Williams) in the Chicago Craigslist electronics area. She really gets around. Glad I looked it up.
Anonymous said…
I received the EXACT email from a "Sharon Williams" "responding" to a Craigslist question about a $130 iPad 2..... I should have known better..... $130 for an iPad 2 lol.
Anonymous said…
This person is also using an aliased email to draw users, then sending a response from another aliased email as "Sharon Williams". Flagged the ad in Craigslist Louisville as spam.
Anonymous said…
I got the same email from a Katy Taylor re: a gas dryer, using 3 different email accounts on July 21, then again on the 24th from someone else on a different Craigslist posting for a dryer. This is in Rockford, IL.
Anonymous said…
I just got the same email from a Katy (no last name), re: an air conditioner on Craigslist!!!! But the original poster (Craigslist ID) directed me to contact someone at another email address: This is in Roanoke, Virginia!

Kelsey Lok said…
Got an email from "Katy Taylor" also regarding a juicer ad posted on Craigslist... I went to the website stupidly lol but this is ridiculous! In Houston, Texas.
Anonymous said…
Just got the same response from Katy Taylor.
