
eBay phishing

Paul C. Anagnostopoulos

I received an eBay phishing message that I don't understand. When I click on the graphic, it takes me to a login page that appears to be a legitimate eBay page. Netcraft thinks it's fine. My username is filled in correctly, along with some password, which also makes me think it's really eBay. When I enter a bogus password, I get the regular "Your sign in information is not valid. Please try again." message. The message header contains:

Received: from 29-170-28.adsl.terra.cl (unverified [200.28.170.29])

Are they sending me to the real eBay page but somehow collecting the keystrokes I type?

~~ Paul
 
Paul C. Anagnostopoulos said:
I received an eBay phishing message that I don't understand. When I click on the graphic, it takes me to a login page that appears to be a legitimate eBay page. Netcraft thinks it's fine. My username is filled in correctly, along with some password, which also makes me think it's really eBay. When I enter a bogus password, I get the regular "Your sign in information is not valid. Please try again." message. The message header contains:

Received: from 29-170-28.adsl.terra.cl (unverified [200.28.170.29])

Are they sending me to the real eBay page but somehow collecting the keystrokes I type?

~~ Paul

What is the URL of the sign in page? The same https://signin one that you normally get?

Also, what is the email address of the sender and the wording/content of the email?
 
I've just received a mail from Ebay talking about my account being suspended and directing me to an https://signin... page.



I've never had an Ebay account.
 
The dead giveaway is that legitimate eBay emails always address you by name ("Dear John," or whatever). Anything else should be regarded with strong suspicion, and reported.

BTW, I use Mailwasher, a sort of pre-filter that lets you examine and process your emails before downloading them to your computer. One of the features is that it shows you the URL that a link is *really* pointing to.
 
I'm getting two or three phishing e-mails per month. Be sure to forward any messages you suspect to the company. For ebay it's spoof@ebay.com. For paypal - spoof@paypal.com.

You will receive a reply in a matter of hours telling you whether or not (usually not) the e-mail was a legitimate company e-mail. Until you are sure, never click on any links in the e-mail and definitely don't enter your username or password into anything related to it.
 
Well, I don't know for sure what "they" are doing, but for the record, it would be absolutely trivial for any programmer to put together a web site that would take your password and validate it against ebay, and thus be able to tell you whether you got it right or not.

It would be a little trickier to actually proceed to really, truly log you into the ebay site seamlessly, though. I can't think of a way to do it without using some browser exploits.
 
scribble said:
It would be a little trickier to actually proceed to really, truly log you into the ebay site seamlessly, though. I can't think of a way to do it without using some browser exploits.

Just set up your webserver to act like a proxy. You would appear to be logged into ebay but would be getting all your pages from the proxy instead. The pages could be modified before sending back to the victim.

It's a classic man in the middle attack.

http://en.wikipedia.org/wiki/Man_in_the_middle
 
One of our supposedly computer-savvy students got her bank account cleaned out last semester responding to one of these.

She filled out the "requested information" and hit "submit", and the page disappeared. Two days later she was out 1600.00.
 
kevin said:
Just set up your webserver to act like a proxy. You would appear to be logged into ebay but would be getting all your pages from the proxy instead.

Heh, I was thinking in terms of not being able to pass the cookie *I* would get from eBay on to the victim, since they're particular to a domain. But indeed, I could just maintain the entire session myself, as you say. So simple and obvious, now I feel stupid.

Heheh

Of course, I'd still need to either get a really cool domain name or use a browser exploit to make their address bar claim to be at ebay.

She filled out the "requested information" and hit "submit", and the page disappeared.

Yeah, I'd guess the average scam doesn't go through all the trouble of making you think you're still on the ebay site -- which is to their detriment, really. If they kept the experience seamless, it'd be a lot tougher to notice, 'till after they cleared things out.
 
Here is the complete email header:
X-From_: custservice_6@ebay.com Fri Sep 16 21:56:08 2005
X-Envelope-From: custservice_6@ebay.com
Return-Path: <custservice_6@ebay.com>
Received: from U15175395.TOAST.net (mail06.toast.net [82.165.251.126])
    by mail256.megamailservers.com (8.13.1/8.13.1) with ESMTP id j8H1u7o4002310
    for <my email address>; Fri, 16 Sep 2005 21:56:08 -0400
Message-Id: <200509170156.j8H1u7o4002310@mail256.megamailservers.com>
Received: from 29-170-28.adsl.terra.cl (unverified [200.28.170.29]) by U15175395.TOAST.net
    (Vircom SMTPRS 4.1.361.21) with SMTP id <B0075336851@U15175395.TOAST.net> for <my email address>;
    Fri, 16 Sep 2005 21:55:53 -0400
FCC: mailbox://custservice_6@ebay.com/Sent
X-Identity-Key: id1
Date: Sat, 17 Sep 2005 07:54:51 +0500
From: eBay <custservice_6@ebay.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: <my email address>
Subject: Important Information From eBay Inc Billing Department [Sat, 17 Sep 2005 06:51:51 +0400]
Content-Type: multipart/related;
    boundary="------------040900080703070905060000"
X-MOR: 0
X-MOP: 0
X-MMX: 0
X-MMC: 227
X-MMR: 0
X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com)

The content of the message is a graphic. Lingering on it gives this URL:

https://signin.ebay.com/ws/eBayISAPI.dll?Signin?sid=verify&co_partnerid=2&siteid=0

which is also displayed in the middle of the graphic.

What really surprised me was that Firefox filled in my username and password on the page. Doesn't that mean that the IP address matched?

~~ Paul
 
Re: Re: eBay phishing

Beady said:
The dead giveaway is that legitimate eBay emails always address you by name ("Dear John," or whatever). Anything else should be regarded with strong suspicion, and reported.

BTW, I use Mailwasher, a sort of pre-filter that lets you examine and process your emails before downloading them to your computer. One of the features is that it shows you the URL that a link is *really* pointing to.

Seconded on the Mailwasher, I've used it for a while and love it :)

Because it's gone commercial now the best place to get an older version is Last Freeware Version.

A point to remember for E-bay is that they use a forum type messaging system now so if you're dubious about an e-mail just log on as you normally would, don't follow any links, and check your messages.
 
The three most important things to remember when evaluating a potential eBay Phishing scam:

1. eBay -Paypal also- will never ask you to sign in via a link in an email.

2. All legitimate eBay e-mails are also routed to your "My Messages" inbox, which is found through your My eBay page.

3. All legitimate eBay messages will address you by the first and last name associated with your account.
 
Paul C. Anagnostopoulos said:
The content of the message is a graphic. Lingering on it gives this URL:

https://signin.ebay.com/ws/eBayISAPI.dll?Signin?sid=verify&co_partnerid=2&siteid=0

which is also displayed in the middle of the graphic.

What really surprised me was that Firefox filled in my username and password on the page. Doesn't that mean that the IP address matched?
Paul,

I have several of these in my junk mailbox. This is the relevant code:

<A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"><map name="tkdsie"><area coords="0, 0, 646, 569" shape="rect" href="http://211.60.138.10:680/rock/eBayIsap/">

Notice that the "A HREF" points to the right place, thus the tooltip when you hover on the image (a bug?), but the actual link to be followed is http://211.60.138.10:680/rock/eBayIsap/ . The page, still active, is a copy of the page on eBay. Entering a bogus name/password leads to a second page asking for credit card information.

As a final touch, they take the person to eBay's help page for "Updating Registration Information" (http://pages.ebay.com/help/account/ia/updating_registration_information.html).

The username/password thing is also puzzling me. Maybe your e-mail client ignored the "area" tag and followed the "href" tag, so you never saw the real phishing page.
 
I seem to get one phony ebay or paypal message every two days. Generally they say your account is frozen or they want you to become a "platinum seller" or some such crap. I forward everything to ebay and let them sort it out. Every now and then they respond, indignantly, "this is a real ebay message". HA.

I have written to ask them what the results of tracking these SOBs is but they have never written back.
 
I get several of these a day. At each of my e-mail addresses. When I get bored I go to the link and put "this isn't even a good phishing scam" as the user name and "your IP is 211. (whatever it is)" as the password. Should make them think a bit. Then I forward (I forward them all, actually) to spoof@ebay.com so they can track it. I only mention this as the URL in today's attempt, which I got mere minutes ago, was http : //211.60.138.10:680/rock/eBayIsap/ which seems to match yours.

Anytime you are forwarded to an address that starts in an IP address it's a scam, automatically.
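
Added example, not part of any post in this thread: a small Python auditor for HTML mail bodies that flags the two patterns discussed above, the image-map `area` whose target overrides the enclosing `A HREF`, and link targets whose host is a bare IP address. The class name `LinkAuditor`, the function `audit` and the finding labels are assumptions made for this illustration; the sample input is the markup quoted earlier in the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The markup quoted in the thread, used here as the sample input.
SAMPLE = ('<A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify'
          '&co_partnerId=2&siteid=0"><map name="tkdsie">'
          '<area coords="0, 0, 646, 569" shape="rect" '
          'href="http://211.60.138.10:680/rock/eBayIsap/">')


def is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkAuditor(HTMLParser):
    """Collects link targets from <a> and <area> and records suspicious ones."""

    def __init__(self):
        super().__init__()
        self.anchor_host = None   # host of the <a> element currently open
        self.findings = []        # (reason, url) tuples, in document order

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag not in ("a", "area") or not href:
            return
        parts = urlsplit(href)
        host = parts.hostname or ""
        if is_ip_literal(host):
            self.findings.append(("ip-literal-host", href))
        if parts.port not in (None, 80, 443):
            self.findings.append(("unusual-port", href))
        if tag == "a":
            self.anchor_host = host
        elif self.anchor_host and host != self.anchor_host:
            # Image-map region sends the click somewhere other than the anchor.
            self.findings.append(("area-overrides-anchor", href))

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor_host = None


def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Calling `audit(SAMPLE)` reports all three findings against the `area` target, while a plain anchor to `https://signin.ebay.com/` produces none.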
 
