Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Identity theft scam against eBay users

From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 10 Feb 2003 19:17:22 -0500 (EST)
A user on our network just reported a very similar situation, however the
details differed slightly.

        From address: update () ebay com
        Mail was not sendmail
        Obfuscated link was: 
http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED
 TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
        Real link: http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT THE USER]hKQKkFoeBXu

As of right now the page appears to still be up, can you see if it is
similar to the page you were seeing before?  I've archived it if it goes
down.

Snippet of text from the email:
--------------snip-------------
Dear valued ebay member XXXXXX :
It has come to our attention that your
[link to obfuscated url]ebay[/link]
Billing information's records are out of date. thats require update your
billing information's

If you could please take 5-10 minutes out of your online experience and
[link again]update[/link]
Your billing records you will not run into any future problems with the
problems with the online service. However, failure to update your records
will result in account termination. Please update your records by tomorrow.
--------------snip-------------

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 10 Feb 2003, Patrick Bryant wrote:


The scam is a social engineering hack to obtain personal information
presumably for the purpose of identity theft.

E-mails are being sent from an address claiming to be 'service () ebay com'
requesting personal information including the recipient/victim's bank
account number and routing number, checking account account name /
number and routing number, eBay user ID / password, PayPal password,
credit card number and associated ATM PIN number, social security
number, driver's license number and state of issue, and mother's maiden
name.

Hopefully, half-savvy users will recognize this for what it is or at
least object to the disclosure, but it takes some attention to detail to
identify that it is a bogus request originating from outside eBay.

Here are the technical details:

  - The claimed origin address is: service () ebay com.
  - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
and ends with the string '@www.websiteseasy.com'.
  - The message TEXT directs the user to the URL:
http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
displayed in the URL masquerades the actual URL to which the
user-supplied data is posted.
  - The ACTUAL URL in the http directs the browser to:
'http://bayers.crossfade.la/&apos; which then does a 'refresh' redirect to
'http://bayers.netfirms.com/&apos;.






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: