Cybercriminals use phishing attacks on secondhand shopping sites to scam buyers and sellers in real time.
Buying and selling secondhand items has become pretty popular, as there are some platforms that allow people to do it easily from home. One of these platforms is Vinted, which is a well known site in Europe and North America to buy and sell secondhand clothes and other items.
In general, we don’t need to look much further than popular places where people do business to find cybercriminals and scammers perpetrating their crimes. I’m about to dive into a case of theft that took place on Vinted’s platform, but in reality, this kind of crime could have started in many different marketplaces of this kind.
The victim, who we’ll now refer to as Helen, is a close friend of mine who is, in general, quite internet-savvy. She has been doing all her banking online for years, regularly shops in many different online shops (anything from Shein and Aliexpress to Amazon or Zara), and she’s also familiar with secondhand items platforms, where she both buys and sells items on a regular basis.
After Helen had some items that had yet to sell using another platform, she decided to give Vinted a try. She had friends that have been using it for some time, and with Vinted, Helen could reach a new audience that might be interested in the items that she was looking to sell: A painting and some women’s shoes.
She created her account in Vinted and uploaded the two items. She was pleasantly surprised when, in a matter of seconds, she received a couple of messages from two different people who were each interested in one of the items. To her, it was especially amazing because she had had the very same items for sale on another platform, where no one had shown any interest at all.
The first interested buyer on Vinted sent her a screenshot showing how he had paid for the item, and in that same screenshot was a request for the seller’s phone number. At the same time, the second buyer was asking for her phone number in order to proceed with the transaction after the payment was made.
At this point, I should mention that prior to this incident, Helen has never fallen victim to any scam before. In fact, she has been able to recognize phishing messages in the past (I’m her go-to security expert), and she knows that one has to be careful. However, this time the excitement and the rush of dealing with both sales at the same time got the best of her. She sent her phone number to the potential buyers.
A few moments later, she received two different SMS messages, both from the same sender (Vinted). The text was largely the same – the only difference were the last characters in the URL:
Receive payment and complete the sale https://sms2waw.win/XxxXxx
When clicking on it, Helen was redirected to a payment gateway with the Vinted logo on top of it, indicating that she had to fill in her credit card details to receive the payment. She went ahead and did so. After filling in the form, a loading symbol appeared, and it seemed that something went wrong. Thinking that it might be a problem with her credit card, Helen entered the details of a different card.
A few minutes later, she received the following messages on WhatsApp:
Helen responded saying that she hadn’t received any notifications. Some minutes later, she received additional WhatsApp messages from a different phone number:
Finally, Helen received an SMS message with the name of her bank in the ‘From’ field:
To verify your bank card in the system, you must confirm the push notification in your bank’s app
Helen opened her bank app, and there was indeed a notification that she had to approve for a total amount of €299. She received additional instructions in WhatsApp:
At that moment, Helen decided to contact me. She sent me screenshots of the different messages she had received and filled me in on the rest of the story. I told her not to accept any payment and to block her credit cards right away (fortunately, this was an easy, two-click operation in her bank app). She reported the users to Vinted as well as the phone numbers to WhatsApp and canceled her two credit cards. Luckily, the scammers didn’t siphon money out of either of them.
Money is a great motivator, and it’s what drives cybercriminals. These bad actors are experienced liars and are skilled at playing with our feelings at the right time. This can cause us to make irrational decisions that under normal circumstances we would never make.
Note: I’ve translated each of the messages included in this article into English from Spanish.