IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / The eBay phishers are getting better.
Post #219,494
by Another Scott
8/16/05 8:24:04 AM
Reply
New The eBay phishers are getting better.
Today I got an email from "eBay" saying:

eBay Safeharbor Department Notice

Fraud Alert ID : xxxxxxxx

Dear eBay member,

You have received this email because you or someone else had used your identity to make false purchases on eBay. For security reasons, we are required to open an investigation on this matter. We treat online fraud seriously and all cases which cannot be resolved between eBay and the other involved party are forwarded for further investigations to the proper authorities. To speed up this process, you are required to verify your personal information against the eBay account registration data we have on file by following the link below.


The English is a little off, but not glaringly so.

Now normally I would immediately throw this in the trash after hovering over the link. Thunderbird usually shows the actual destination of the link and it usually has nothing to do with eBay.

In this case, the URL shown when hovering over it actually says that it goes to eBay. Hmm.

Next, I looked at the headers in detail. Who is this "web24k" and why are they sending me email using:

X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


Surely eBay would use something other than Outlook Express for emails like this...

I scroll down into the HTML source, and what do I see:

FORM action=http://xxx.xx.xx.xx/.ebay/saw-cgi/eBayISAPIdllSignIn.php
a href="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"


(I had to mangle that a little to get it past z's https filter.)

Ah, there it is. It looks like it's an https link to eBay, but it's actually a nonsecure link to somewhere else.

Be careful out there....

Cheers,
Scott.
Post #219,497
by folkert
Picture of folkert
8/16/05 8:46:25 AM
Reply
New I auto-report those...
For paypal and ebay. (same company I know)

I have personally been responsible for (in the past week) 18 of those sites being shut down. They are using google to redirect(though "I'm feeling lucky" features, nice eh?), or are only using the IP Address and a spoofing url (http://333.444.555.666/cgi.ebay.com/flarphenungen/run/login.cgi.dll) or something similar.



BTW, to make *Z's* HTML filters ignore things... just backslash the first forwardslash of the URL (http:\\//blah)
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
[image|http://www.danasoft.com/vipersig.jpg||||]
Post #219,503
by Another Scott
8/16/05 9:17:58 AM
Reply
New Thanks and thanks. I'll pass it on.
Post #219,521
by imqwerky
Picture of imqwerky
8/16/05 12:09:39 PM
Reply
New Same here.
Only I got an email from a supposed buyer claiming I never sent them their item. I forwarded the email to the spoof police at ebay. Since I have sold several items on ebay, I know that my standing is fine and there are no incomplete transactions.

Just delete those suckers after you report them. Yes, it's like swatting at flies, but if we can kill a few then YAY!

Peace,
Amy

Illegitimi non corborundum.
     The eBay phishers are getting better. - (Another Scott) - (3) - Aug. 16, 2005, 08:24:04 AM EDT
         I auto-report those... - (folkert) - (1) - Aug. 16, 2005, 08:46:25 AM EDT
             Thanks and thanks. I'll pass it on. -NT - (Another Scott) - Aug. 16, 2005, 09:17:58 AM EDT
         Same here. - (imqwerky) - Aug. 16, 2005, 12:09:39 PM EDT

You can tell they are used to feeling highly competent in their home worlds.
57 ms