Man 'Hacks' Government Auction Website, Sells Himself Cars For $1

Government auctions are a great way to pick up cars on the cheap, but even they have their limits. You might find cars going for just a few hundred dollars, but you’re not likely to find them selling for a single bill — unless, of course, you play a little fast and loose with an online auction like an Oklahoma man did.

Evan James Coker apparently found some flaw in the General Services Administration’s auction page, which allowed him to bid up the price of various auctions but “win” them in the system by paying a single dollar. While he’s pleaded guilty to wire fraud for the endeavor, there’s still a lingering question: How exactly did Coker pull it off?

The Minnesota District Attorney’s office gives some detail, seemingly specifying that the caper involved the multiple websites that are used to process GSA auction transactions. From the Minnesota District Attorney:

As part of his scheme, Coker bid in multiple auctions for vehicles and jewelry on the GSA Auctions website. When Coker won a particular auction, he was directed to the pay.gov website to remit payment in the amount of his winning bid. Instead of remitting payment in the amount of his winning bid, Coker breached the pay.gov website and falsified the true auction price to $1.

In total, Coker bid on and won 19 auction items and fraudulently paid just $1 for each item. As a result of his scheme, Coker obtained three vehicles, including a 2010 Ford Escape Hybrid, for which he bid $8,327; a Ford F550 pickup truck, for which he bid $9,000; and a Chevrolet C4500 Box Truck, for which he bid $22,700.

Based on this information, it appears the GSA Auctions site wasn’t actually attacked — instead, Coker found a vulnerability in pay.gov that could be exploited. That second site may act as a payment gateway for government transactions, only telling the merchant (GSA Auctions) whether a transaction was successfully completed or not — not that transaction’s actual value.

The question is how Coker fooled pay.gov into processing a one-dollar transaction when it should’ve been looking for thousands. Folks online have speculated that the method may have been as simple as changing client-side data through the Inspect Element function in a browser, which may be backed up by Coker’s charge of wire fraud. Had Coker actually breached government servers, it would be surprising for him not to be charged with some form of computer trespass or computer fraud.
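
The weakness speculated about above (a payment step that trusts a browser-editable amount, and a merchant that hears back only "paid") can be set beside the server-side checks that close it. This is an added example, not code from the article, and it does not depict how pay.gov or GSA Auctions actually work: the lot ids, key, field names and functions are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: winning bids held server-side by the merchant, in cents.
WINNING_BIDS = {"lot-1001": 832700, "lot-1002": 900000}
SECRET = b"constructed-demo-key"  # hypothetical key shared by merchant and gateway


def naive_gateway(form):
    """Weak design: charges whatever amount the browser submits, reports only success."""
    return {"status": "paid", "lot_id": form["lot_id"]}


def naive_settle(receipt):
    """Weak design: the merchant releases the item on any 'paid' status."""
    return receipt["status"] == "paid"


def sign_order(lot_id, amount_cents):
    """Merchant binds lot and amount together before redirecting the bidder."""
    msg = f"{lot_id}|{amount_cents}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def checked_gateway(form):
    """Gateway rejects a form whose amount no longer matches the merchant's signature."""
    expected = sign_order(form["lot_id"], form["amount_cents"])
    if not hmac.compare_digest(expected, form["sig"]):
        return {"status": "rejected", "lot_id": form["lot_id"]}
    return {"status": "paid", "lot_id": form["lot_id"],
            "amount_cents": form["amount_cents"]}


def checked_settle(receipt):
    """Merchant releases the item only if the paid amount equals its own stored bid."""
    if receipt.get("status") != "paid":
        return False
    bid = WINNING_BIDS.get(receipt["lot_id"])
    return bid is not None and bid == receipt.get("amount_cents")


def payment_form(lot_id):
    """Form the merchant hands to the browser; every field is client-editable."""
    amount = WINNING_BIDS[lot_id]
    return {"lot_id": lot_id, "amount_cents": amount, "sig": sign_order(lot_id, amount)}
```

Either check alone stops the edited form; running both means a gap in one system does not silently become a loss in the other.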

Whatever vulnerability Coker exploited has likely been patched, so don’t expect to go buying any single-dollar cars any time soon. Just use government auctions the way they’re intended — they’re still your cheapest option.