Site icon Sophos News

eBay scammer steals identity of agent investigating him

No face. Image courtesy of Shutterstock.

He had the eBay/PayPal/parcel insurance scam chugging away, with dozens of accounts set up to file claims on packages. In actuality, the packages were empty boxes, sent to switched addresses, that purportedly never showed up.

But why stop there, when you can also pull some identity fraud on the special agent assigned to investigate your fraud?

…And then use that agent’s personal information to open even more fraudulent accounts?

That’s exactly what 25-year-old Rohit Jawa did, ratcheting his crimes up from switching addresses on packages, sending out empty boxes, and filing bogus insurance claims, to impersonating an agent for the US Postal Service Office of Inspector General (USPS-OIG).

On Monday, Jawa pleaded guilty to eight counts of wire fraud and one count of aggravated identity theft, according to the Eastern District of Virginia US Attorney’s Office.

According to court documents, in January 2013, a set of at least 19 eBay and 18 PayPal accounts started to run a scheme to defraud eBay buyers and eBay’s third-party parcel insurance company, which pays a claim to a seller’s PayPal account if the postal service loses or damages an insured package.

That third-party insurance is offered through eBay’s ShipCover program.

ShipCover administrators, smelling a rat, in December 2013 began investigating a set of accounts – linked by overlapping eBay and PayPal accounts and identity information – that were filing claims on nearly all of their insured parcels.

But when insurance investigators interviewed three people whose identities had been used to open the accounts, they all said they hadn’t opened the accounts that were in their names.

Same thing for the USPS OIG: agents interviewed three more people associated with the accounts, and they all denied knowledge of the accounts and said they never granted their consent to open them.

Two sets of accounts all had something in common: one group of accounts used similarly formatted Yahoo accounts with a consistent prefix. The prefix was either “rbox009,” “tohaven,” or “twaron,” followed by a hyphen and a varying suffix.

Another 91 email addresses were associated with accounts hosted by 1&1 Mail and Media Inc. – a provider that lets users register numerous addresses under a single account.

So agents got a search warrant for 1&1 Accounts, and that’s the path that wound to Jawa – as well as to having an agent’s identity stolen.

Agents had found numerous complaints wherein buyers complained to a seller that they hadn’t received a purchased item, despite tracking histories that showed the items had been delivered.

When agents compared the shipping addresses given to the postal service at time of purchase with those seen on the labels the postal service actually processed, they found that the addresses had been changed to another address in the same ZIP code: a “strong indication of fraud,” USPS OIG special agent John Watson wrote in the affidavit.

The USPS OIG actually started investigating one of the fraud victim’s complaints in July 2014 to determine if a postal service employee was stealing mail.

An agent wrote to the seller in question, who had one of those 1&1 addresses.

OK, the seller responded, that’s fine, just send over a copy of your credentials to verify your identity.

Which the agent did.

That seller was Jawa.

With the agent’s proof of identity, along with another of those 1&1 email accounts, Jawa filed an application for an account at Law Enforcement Online (LEO): a web portal run by the FBI that provides access to criminal intelligence and other highly privileged information for law enforcement officials.

Then, again pretending to be the agent, Jawa called FBI technical support, which gave him a temporary username and password for the account.

From there, Jawa used the @leo.gov email that came with the LEO account to correspond with six police forces, asking that accounts be made for him on their internal services.

He only convinced one of those police forces, but that was enough to grant him access to data he never should have gotten his hands on.

Jawa got sensitive personal information on at least 9 people, including the USPS OIG agent whose identity he’d already stolen to get the LEO account.

Using the stolen identities, he opened even more fraudulent eBay, PayPal, and financial accounts.

A federal grand jury had indicted Jawa on 13 August 2015. He’s now facing between 2 (minimum) and 20 (maximum) years in prison.

He’ll be sentenced on 12 February 2016.

Image of ebay HQ courtesy of Katherine Welles / Shutterstock.com

Image of faceless man courtesy of Shutterstock.

Exit mobile version