Cybercriminals are now even willing to go right to their victim's front door: In a new so-called "pay on delivery" scam, the bad guy poses as a delivery service, delivers a bogus package, and collects the victim's COD payment.

"These people are willing to take physical risks to bump up their profits," says researcher Guillaume Lovet, who has been tracking this new mode of attack. "This is a mix of both cybercrime and [traditional] crime. Part of the scam is done on the Internet, and the now there's a new [part] that's done in the 'real' world, with physical contact between the victim and the criminal."

Lovet, a threat response team leader at Fortinet, says he's spotted this new tactic occurring mostly in northern continental Europe, but that it could be going on anywhere in the world.

The scam basically preys on savvier online auction customers who will only pay for their items via cash-on-delivery, when they receive them in hand. The "delivery man" is actually the bad guy, known as the "lead buyer," who uses IRC channels to buy information on potential victims who will pay only via COD on eBay, for instance.

Lovet first revealed his latest cybercrime research last week at the Virus Bulletin conference in Vienna, Austria.

Lovet says he was shocked to discover online scammers moving so boldly and effortlessly between the Internet world and the physical world. "I never expected them to actually make physical contact with their victims," he says. "It took me awhile to figure it out."

It's all about cybercriminals constantly adapting to keep their operations profitable -- which apparently is relatively easy, according to Lovet's research. Cybercrime nets the bad guys anywhere from $50 billion to $100 billion per year, he says.

Another trend in online auction scams are the new, more automated methods with which attackers are stealing and creating accounts with positive "feedback" so potential victims will trust them, he says. "It used to work that you would wait for someone to buy [your fake merchandise] and they'd send you the money, and then you'd disappear," he says. "But no one will buy an item on auction without [positive] feedback anymore, so cybercriminals have had to adapt to that and find ways to get hold of good feedback."

One method: stealing it through a phishing scam. This is a relatively inexpensive technique that Lovet estimates costs less than $70 for about 100,000 spammed emails over a six-hour period -- $5 for the phishing kit, $8 for a fresh spam list, $30 for php-mailers to send the spam, $10 for a hacked hosting site for about two days, and $10 for a valid credit card to register a domain name. The potential profit: $20,000 for items "sold" with an average price of $4,000.

A more sophisticated and efficient method Lovet has witnessed is where bots are used to create positive feedback for the malicious auction site: This occurs mainly with one-cent items on sites such as eBay. The so-called "spider" allows the attacker to sell a number of "one-cent/buy now" items, then send a special script to the bot/"buyer" that makes it generate positive feedback such as "absolutely brilliant service," on the fake profile.

"With this strategy, they can build lots of accounts at little cost," Lovet says. He estimates that it would only cost $15 to build 100 auction site accounts with 15 positive feedback messages apiece, which would generate about $2,500 in sales if the scammer sold bogus items of about $100 apiece and got a 25 percent success rate in sales.

Meanwhile, Lovet also found that innocuous-looking spam spreading around social networking sites like MySpace is actually a big-time moneymaker for cybercriminals, especially now that Web 2.0-based technology makes it easier for the bad guys to spread and propagate their malware. "We're going to see a rise in the volume of identity theft schemes online... Viruses traditionally targeted the desktop, but now [personal] data is sitting in online apps."

These scams aren't always easy to spot, either. As a matter of fact, Lovet himself nearly fell for such a phishing attack recently: He was nearly lured by someone posing as one of his friends urging him via a MySpace bulletin to click onto a link that was actually a phishing site. His clue that it was a fake: "The [message] was in English, but he and I are French."

It was a phishing worm posing as a social networking site bulletin. "Each time a user gets infected by this, the infected bulletin is sent to all of his contacts," Lovet says. And cross-site scripting and cross-site request forgery bugs, meanwhile, are also increasingly being used by the bad guys to infect otherwise-trustworthy sites that in turn could infect unsuspecting users.

And if you do fall victim to a phishing or spam scam, don't feel too badly. It just may be the first time you've seen this particular scam, he says. "The first time you see a scam, you're more likely to fall for it."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.