Cybercriminals use phishing attacks on secondhand shopping sites to scam buyers and sellers in real time.
Buying and selling secondhand items has become pretty popular, as there are several platforms that allow people to do it easily from home. One of these platforms is Vinted, a well-known site in Europe and North America for buying and selling secondhand clothes and other items.
In general, we don’t need to look much further than popular places where people do business to find cybercriminals and scammers perpetrating their crimes. I’m about to dive into a case of theft that took place on Vinted’s platform, but in reality, this kind of crime could have started in many different marketplaces of this kind.
The victim, whom we'll refer to as Helen, is a close friend of mine who is, in general, quite internet-savvy. She has been doing all her banking online for years, regularly shops in many different online shops (anything from Shein and AliExpress to Amazon or Zara), and she's also familiar with secondhand-item platforms, where she both buys and sells items on a regular basis.
After some of Helen's items had failed to sell on another platform, she decided to give Vinted a try. She had friends who had been using it for some time, and with Vinted, Helen could reach a new audience that might be interested in the items she was looking to sell: a painting and some women's shoes.
She created her account on Vinted and uploaded the two items. She was pleasantly surprised when, in a matter of seconds, she received a couple of messages from two different people, each interested in one of the items. To her, it was especially amazing because she had had the very same items for sale on another platform, where no one had shown any interest at all.
The first interested buyer on Vinted sent her a screenshot showing how he had paid for the item, and in that same screenshot was a request for the seller's phone number. At the same time, the second buyer was asking for her phone number in order to proceed with the transaction after the payment was made.
At this point, I should mention that prior to this incident, Helen had never fallen victim to any scam. In fact, she has been able to recognize phishing messages in the past (I'm her go-to security expert), and she knows that one has to be careful. However, this time the excitement and the rush of dealing with both sales at the same time got the best of her. She sent her phone number to the potential buyers.
A few moments later, she received two different SMS messages, both from the same sender (Vinted). The text was largely the same; the only difference was the last few characters in the URL:
Receive payment and complete the sale https://sms2waw.win/XxxXxx
When clicking on it, Helen was redirected to a payment gateway with the Vinted logo on top of it, indicating that she had to fill in her credit card details to receive the payment. She went ahead and did so. After filling in the form, a loading symbol appeared, and it seemed that something went wrong. Thinking that it might be a problem with her credit card, Helen entered the details of a different card.
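The SMS above is the pivot of the whole scam: the sender name reads "Vinted", but the link points at an unrelated domain. The check below, an added example that is not part of the original post, extracts URLs from an SMS body and flags any whose registrable domain is not one the claimed brand actually uses. The list of Vinted domains is an assumption for the example; the suffix handling is a deliberately crude approximation of a public-suffix list.

```python
import re
from urllib.parse import urlparse

# Brand names as they appear in the SMS "From" field, mapped to domains the
# brand is assumed to use. These entries are an assumption for this example.
BRAND_DOMAINS = {
    "vinted": {"vinted.com", "vinted.es", "vinted.fr", "vinted.de", "vinted.co.uk"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Second-level labels that usually sit under a two-letter country code (co.uk, com.au ...)
_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three when the host ends in e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sms(sender: str, body: str) -> dict:
    """Compare every link in the SMS body against the domains of the claimed sender.

    A spoofed sender ID is cheap; the link host is what the victim actually visits,
    so a mismatch between the two is the signal worth surfacing to the user.
    """
    allowed = BRAND_DOMAINS.get(sender.strip().lower())
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        # Only judge links when we know which domains the brand uses.
        suspicious = allowed is not None and domain not in allowed
        findings.append({"url": url, "domain": domain, "suspicious": suspicious})
    return {
        "sender": sender,
        "known_brand": allowed is not None,
        "findings": findings,
        "suspicious": any(f["suspicious"] for f in findings),
    }


if __name__ == "__main__":
    # The SMS text quoted in the article, used here as sample input.
    print(classify_sms("Vinted", "Receive payment and complete the sale https://sms2waw.win/XxxXxx"))
```

The same comparison applies to the later SMS that carried the bank's name in the "From" field: the displayed sender proves nothing, the destination does.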
A few minutes later, she received the following messages on WhatsApp.
Translation: Hello! I am the technical support for the Vinted/Wallapop website, I help you verify your bank card. Dear seller, to confirm your order, the system has sent an automatic test purchase notification to your banking application to confirm that you are the holder of a real bank card and have access to your banking application. The test purchase is a simulation and will not affect the balance of your card in any way.
Helen responded saying that she hadn’t received any notifications. Some minutes later, she received additional WhatsApp messages from a different phone number.
Translation: Hello, I am from Vinted's technical service. Below, we indicate what you need to do to complete the process of receiving your money. Once verified and received the money, you will receive instructions on how to send the product. All you have to do is wait for instructions. You can disconnect from the site; we will give you all the information in this chat room.
Finally, Helen received an SMS message with the name of her bank in the ‘From’ field:
Translation: Please confirm a PUSH notification in your banking application for the amount: 299 EUR. Note that this is not a payment, but a 3-second hold for security reasons; it is a security measure of all banks. In 5 seconds, the amount of the item will be transferred to your card. This must be confirmed! Our service works for your security, all your personal data are protected.
Helen opened her bank app, and there was indeed a notification that she had to approve for a total amount of €299. She received additional instructions on WhatsApp.
At that moment, Helen decided to contact me. She sent me screenshots of the different messages she had received and filled me in on the rest of the story. I told her not to accept any payment and to block her credit cards right away (fortunately, this was an easy, two-click operation in her bank app). She reported the users to Vinted as well as the phone numbers to WhatsApp and canceled her two credit cards. Luckily, the scammers didn’t siphon money out of either of them.
Money is a great motivator, and it's what drives cybercriminals. These bad actors are experienced liars and are skilled at playing on our feelings at the right moment. This can cause us to make irrational decisions that, under normal circumstances, we would never make.
Further reading:
'Cancer Girl' scam has stolen more than half a million dollars
Why is everyone getting hacked on Facebook?
The time I almost got scammed from my college email