
Local Classified Penny Auction Scam

While there are a lot of new posts about novel techniques and 0day exploits being used against people, there continues to be a rash of tried-and-true methods of coercion.  I want to walk through a simple example and reflect on how effective these methods continue to be.

Many people turn to online classified sites to buy and sell items.  This example starts with which even I've used on occasion to find used electronics and other items.  Searching the site for a "Samsung Galaxy Note 2" returns a posting from today from someone selling one at an unreasonably low price.

$125 for a $500 phone?  But what if it's for real?  No harm in just asking some simple questions.  I sent an email with some obvious questions about the condition and location.

About an hour passes before I get a response from what appears to be a legit seller.

Notice there is no answer to the questions I asked, just a friendly pointer to where the unit came from and how I could get one for the same price.  What is though?  Well, this online penny auction site claims to allow purchases far below the value of the items being sold.

Including a not-so-obvious but intentionally generic newsreel video.

That's when I get the second email from another email account with the exact same content and a link to a different URL but same exact site.

Ok, so by now I'm suspicious and I do a little digging into the DNS registration information, the YouTube account posting the videos and the Kijiji posts related to the items.  All appear to be somewhat anonymous and scammy.

Switching mindsets to that of the people behind this scheme, what might be going on here?  Here is one likely scenario:

  1. The scammers set up the fake bidding site and YouTube accounts, and probably Twitter and email accounts too, including fake items and auctions.
  2. They post a few ads on local classified sites for desirable items at too-good-to-be-true prices.
  3. They set up a script to auto-reply to inquiries about the items from legitimate buyers with links to the scam site.
  4. The site asks the user to register, which includes providing an email address and password.
  5. They use this email address and password to try to log in to the email account provided.  Any that work are added to the list of accounts that scam messages are sent from.
  6. If the user is gullible enough to bid and pay for items using a credit card or PayPal, this is free cash.
  7. They wait a week or two, then switch to another email address, URL, payment gateway, etc.
  8. If the scammers were really nefarious, they could also extract all of the user's email and likely use it to conduct additional fraud or ID theft.
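Steps 2 and 3 leave a detectable trace on the buyer's side: the same canned reply arriving from different "seller" addresses, each with its own link to the one site, exactly what happened with the two emails above. The script below is an added example (not from the original post) that fingerprints reply bodies with URLs stripped and flags any template seen from more than one sender; the addresses and hostnames in the sample messages are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def normalize_body(body: str) -> str:
    """Lowercase, collapse whitespace and swap each URL for a token, so two
    copies of one canned reply hash the same even when the link differs."""
    text = URL_RE.sub("<url>", body)
    return re.sub(r"\s+", " ", text).strip().lower()

def body_fingerprint(body: str) -> str:
    """Short, stable fingerprint of the normalized reply text."""
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()[:16]

def link_hosts(body: str) -> set:
    """Hostnames of every link in the message, i.e. the site being pushed."""
    return {urlparse(u).hostname for u in URL_RE.findall(body)}

def find_canned_replies(messages):
    """Group replies by fingerprint and report groups sent from more than one
    address: identical text from different 'sellers' is the tell."""
    groups = defaultdict(list)
    for msg in messages:
        groups[body_fingerprint(msg["body"])].append(msg)
    flagged = {}
    for fp, msgs in groups.items():
        senders = {m["from"].lower() for m in msgs}
        if len(senders) > 1:
            hosts = set().union(*(link_hosts(m["body"]) for m in msgs))
            flagged[fp] = {"count": len(msgs), "senders": sorted(senders),
                           "hosts": sorted(h for h in hosts if h)}
    return flagged

# Constructed sample replies; addresses and hostnames are placeholders.
SAMPLE_REPLIES = [
    {"from": "seller.one@example.com",
     "body": "Hi! I got my phone from http://penny-auction.example.invalid/deal1 "
             "for the same price, you should check it out."},
    {"from": "Seller.Two@example.net",
     "body": "Hi!  I got my phone from http://penny-auction.example.invalid/deal2\n"
             "for the same price, you should check it out."},
    {"from": "honest.seller@example.org",
     "body": "Still available, screen has a small scratch, pickup downtown."},
]

if __name__ == "__main__":
    for fp, info in find_canned_replies(SAMPLE_REPLIES).items():
        print(fp, info)
```

Run over a mailbox of classified-ad replies, the flagged groups are the templates worth reporting to the classified site, along with the hosts they push.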

Simple scams like these are obvious to critically minded people, but with so many people online exposed to this, how do we find out about them?  Plus, what's to stop more from springing up all the time?

Three lessons for people:
1.  If something looks too good to be true, it almost always is.
2.  Follow safe browsing practices.  Be patient and don't rush into giving anyone your information or registering with unknown sites.
3.  If you fall for a scam, tell people about it and report it to local law enforcement (, the Internet Crime Complaint Center (, and Google's phishing report (


Anonymous said…
This guy is right. I got the same exact email from this so-called "Sharon William" shown in the story above. This person directs you to either the "biddycacts" site or "bidcactus" site. And all they want from you there is your credit card information, which they will charge $$ for signing up, and you get nothing in return.
Anonymous said…
I got 2 e-mails. 1 from Sharon Adams and 1 from Sharon Williams. Hard to trust anyone these days.
Anonymous said…
Got the exact email also from a Craigslist ad. These types of people are why I conduct transactions on these types of things with a throwaway email account.
Anonymous said…
I also received an email today from Sharon William in response to a TV ad on Craigslist with the exact same message directing me to biddicacts.
marcia said…
Me too, through a Craigslist ad today. They were talking up
Anonymous said…
Also got the same thing this morning, through a Craigslist ad I'd seen. I had enough scams when trying to sell a few items on Craigslist. I have a few checks for $3,000 that are bogus. Fortunately, I was able to sell my items to a legit person!!
Anonymous said…
I answered an ad for an LG portable air conditioner on Craigslist. I received 2 replies from Sharon Williams. The first response said the item was still available; 10 minutes later the second response said it was just sold and directed me to The site requires you to pre-pay for bids with no guarantee of winning. When you bid you lose your money even if you don't win.
Anonymous said…
I got the same response (from Sharon Williams) in the Chicago Craigslist electronics area. She really gets around. Glad I looked it up.
Anonymous said…
I received the EXACT email from a "Sharon Williams" "responding" to a Craigslist question about a $130 iPad 2..... I should have known better..... $130 for an iPad 2 lol.
Anonymous said…
This person is also using an aliased email to draw users in, then sending a response from another aliased email as "Sharon Williams". Flagged the ad in Craigslist Louisville as spam.
Anonymous said…
I got the same email from a Katy Taylor re: a gas dryer, using 3 different email accounts on July 21, then again on the 24th from someone else on a different Craigslist posting for a dryer. This is in Rockford, IL.
Anonymous said…
I just got the same email from a Katy (no last name), re: an air conditioner on Craigslist!!!! But the original poster (Craigslist id) directed me to contact someone at another email address: This is in Roanoke, Virginia!

Kelsey Lok said…
Got an email from "Katy Taylor" also regarding a juicer ad posted on Craigslist... I went to the website stupidly lol, but this is ridiculous! In Houston, Texas..
Anonymous said…
Just got the same response from Katy Taylor.
