Phishing Attacksmedium

eBay Employee Spear-Phish Leads to Harassment Campaign Against Critics

eBay employees and executives used spear-phishing and a coordinated harassment operation against newsletter authors who published critical articles, sending them live insects, a funeral wreath, and surveilling their home.

eBay·2020·2 min read

Background

Between August and September 2019, the authors of an e-commerce newsletter published articles critical of eBay's business practices. eBay's security team and senior executives organised a response that crossed from monitoring into criminal harassment.

The Attack

eBay's security staff used open-source intelligence and spear-phishing techniques to identify the personal details of the newsletter authors. They then orchestrated a campaign of physical harassment: ordering deliveries of live cockroaches, spiders, and a funeral wreath to the victims' home. They created fake social media accounts to post threatening messages and surveilled the couple in person at their Massachusetts home. eBay security staff flew from California to Massachusetts to conduct physical surveillance. The entire operation was coordinated via internal eBay Slack channels.

Response

The couple reported the harassment to local police, who conducted an investigation. Six eBay employees including the senior director of safety and security and a former Boston police captain were arrested in 2020. eBay's CEO resigned. eBay paid $3 million to settle civil claims and $59 million in penalties related to unrelated violations discovered during the investigation.

Outcome

Seven people were convicted. eBay paid $3 million to the couple. The case was remarkable as an example of corporate security being weaponised against civilians. It demonstrated that "security" teams with investigative capabilities can become instruments of harassment when directed by executives.

Key Takeaways

  1. Corporate security teams need independent oversight — they must not be directed by executives to target critics
  2. Internal communication channels (Slack, email) preserve evidence of unlawful conduct
  3. Using company resources for personal vendettas against critics is criminal, not just unethical
  4. Physical harassment campaigns leave extensive trails — digital activity, travel records, and deliveries are all traceable
corporate harassmentinsider misuseOSINTexecutive misconductsurveillance

More in Phishing Attacks

2015critical

Anthem Health: 78 Million Patient Records and a Single Phishing Email

2 min readPhishing Attacks
2022high

Okta Breach: The Identity Provider That Protects Everyone Gets Compromised

2 min readPhishing Attacks
2010critical

Operation Aurora: China's Spear-Phish Against Google and 34 Companies

2 min readPhishing Attacks