Looks like another new eBay phishing exploit

jlw
Recently I received an email embedded in official-looking eBay graphics, identified as "Message from an eBay member." The message read:

"Hello,

I recently placed a bid on item #5590717206 being a wheelchair for me that i really need do to my age(78 years old) and it seems that i can not find the auction anymore...May i please know if you are the seller of the item above?

Regards,
Gretta."

I had placed no such item but, being a tender-hearted guy, I naturally wanted to let poor old crippled 78-year-old Gretta know that I was not the seller so she could continue looking. There was a button right in the email saying "Respond to this question in My Messages." I know that eBay has a "My Messages" feature, and that it's possible for buyers to contact sellers via email.

But I suspected that this message was not legit... especially after I received two other identical ones sent to different email accounts! So I looked at the source code of the message, and noticed that all the graphics were lifted from the eBay U.K. site. I also found out that the "Respond" button didn't point to a usual secure eBay server address, but to "http://cpe-70-114-210-93.houston.res.rr.com/.signin.ebay.com/"

Yeah, right. I run a web server, so have seen URLs in this format before; they're cable modem IP addresses, and "rr.com" shows in the WhoIs database as being registered to RoadRunner Holdings, a big cable ISP. Not very likely that eBay is using cable modems for its servers, is it?

Tonight curiosity got the better of me, and I clicked the button in the email. As I suspected, I was taken to what looked exactly like a "My eBay" page -- which is exactly where you'd go to check for personal messages using eBay's "My Messages" feature. Naturally, you have to sign in to this page with your eBay user ID and password.

So of course I did. I signed in as user "nowayjose" and entered a password of "iaintthatstupid."

The screen changed immediately to another eBay-ish page saying "You have logged out." This page, though, had a URL from the ".cz" domain -- aka Czech Republic.

So my guess is that somewhere in Houston, an unsuspecting cable modem customer is wondering why his PC is running a bit more slowly than usual -- not realizing it's because an East European scammer has installed a "backdoor" program to take control of it and use it for harvesting IDs and passwords for this exploit.

And I'm equally sure that if I had signed in with my real eBay user ID and password, the scammer would waste no time using it to sign in, then change the password so I'd be locked out of my own account. Next, I expect, he'd take advantage of my eBay identity, feedback, etc., to stage some fraudulent buying or selling transactions. And if I didn't use eBay very often, there's no telling how long it would take for me to notice what was going on.

Morals of this story:

-- Never enter personal information in a webpage you reached by clicking an email link, no matter how legitimate it appears.

-- Don't trust too-good-to-be-true eBay offers, no matter how well-known the other party seems to be or what his feedback score is. His identity may have been hijacked by a scammer.
 
You definitely nailed it. I haven't seen that particular one, but I do get a lot of 'em.

The amazing thing to me - the accounts that get hijacked - how is it that they are unaware that this happens? I mean eBoy runs lots of advertisements, everyone talks about it, and still, somebody goes and does just that - clicks on a link in email and then puts in their user name and password. Then they act surprised that they're hosting an auction for 700 Leica M7's in pristine condition on a 1-day auction with no minimum and no reserve out of Singapore, when they're located in (wherever).

And of course, the ahem, 'winners' of those self-same auctions. I feel badly for them, but part of me wants to say "Man, how can you BE so stupid?"

Anyway, good catch!

Best Regards,

Bill Mattocks
 
Great info to know. I certainly will watch my eBay log-on and only do so after I go to the eBay URL directly.
 
How do people fall for it? You certainly don't have to be stupid. You just have to be only an occasional eBay user.

(I know lots of us monitor eBay all the time for good RF camera buys, but think how many people just got an account to buy or sell one item, and then basically forgot about it. Then one day they get this poignant email from this poor old crippled lady -- well, of course they're going to want to help by at least sending her back a message saying sorry, I'm not the person you're looking for, good luck.)

Incidentally, I pasted the cable-modem URL into a web-browser window and got taken to a personal web page, sort of like a blog. The blog's owner notes that he's just now getting around to rebuilding his site, because the web server on his PC crashed on 11/11 and he lost all his web content. Gee, I wonder how THAT happened?

Based on the info I got off his site, I took a guess at what his email address might be and sent him an email warning him to contact his ISP about getting the backdoor taken off his PC. Don't know if it will get through, or if he'll do anything, but at least I tried...
 
Epilogue: Having clicked the button, even though I entered a phony ID and password, I'm going to have to watch my own cable-modem-connected computer carefully over the next several days. I'm sure that when I clicked, my IP address was logged -- and that the scammer will now start hammering it to see whether he can install a backdoor on MY computer to use it as a scam zombie.

The computers on my home network are all Macs (which aren't un-hackable, but at least are less familiar to the average hacker than a Windows PC) and are hidden behind a router, translated IP addresses, remapped ports, etc., so I'm not too worried about a successful intrusion -- but I wouldn't be surprised if I get a lot of extra traffic on my external address for a while. Just a warning to other intrepid investigators.
 
jlw said:
How do people fall for it? You certainly don't have to be stupid. You just have to be only an occasional eBay user.

(I know lots of us monitor eBay all the time for good RF camera buys, but think how many people just got an account to buy or sell one item, and then basically forgot about it. Then one day they get this poignant email from this poor old crippled lady -- well, of course they're going to want to help by at least sending her back a message saying sorry, I'm not the person you're looking for, good luck.)

Incidentally, I pasted the cable-modem URL into a web-browser window and got taken to a personal web page, sort of like a blog. The blog's owner notes that he's just now getting around to rebuilding his site, because the web server on his PC crashed on 11/11 and he lost all his web content. Gee, I wonder how THAT happened?

Based on the info I got off his site, I took a guess at what his email address might be and sent him an email warning him to contact his ISP about getting the backdoor taken off his PC. Don't know if it will get through, or if he'll do anything, but at least I tried...


You're right, they're not all stupid. I keep forgetting that not everyone is net savvy. My bad. Still - you see it on TV news, in the papers, etc. Does no one read or watch the news anymore? But you made a good point, mea culpa.

Best Regards,

Bill Mattocks
 
jlw said:
Recently I received an email embedded in official-looking eBay graphics, identified as "Message from an eBay member." The message read:

"Hello,

I recently placed a bid on item #5590717206 being a wheelchair for me that i really need do to my age(78 years old) and it seems that i can not find the auction anymore...May i please know if you are the seller of the item above?

Regards,
Gretta."

I had placed no such item but, being a tender-hearted guy, I naturally wanted to let poor old crippled 78-year-old Gretta know that I was not the seller so she could continue looking. There was a button right in the email saying "Respond to this question in My Messages." I know that eBay has a "My Messages" feature, and that it's possible for buyers to contact sellers via email.

But I suspected that this message was not legit... especially after I received two other identical ones sent to different email accounts! So I looked at the source code of the message, and noticed that all the graphics were lifted from the eBay U.K. site. I also found out that the "Respond" button didn't point to a usual secure eBay server address, but to "http://cpe-70-114-210-93.houston.res.rr.com/.signin.ebay.com/"

Yeah, right. I run a web server, so have seen URLs in this format before; they're cable modem IP addresses, and "rr.com" shows in the WhoIs database as being registered to RoadRunner Holdings, a big cable ISP. Not very likely that eBay is using cable modems for its servers, is it?

Tonight curiosity got the better of me, and I clicked the button in the email. As I suspected, I was taken to what looked exactly like a "My eBay" page -- which is exactly where you'd go to check for personal messages using eBay's "My Messages" feature. Naturally, you have to sign in to this page with your eBay user ID and password.

So of course I did. I signed in as user "nowayjose" and entered a password of "iaintthatstupid."

The screen changed immediately to another eBay-ish page saying "You have logged out." This page, though, had a URL from the ".cz" domain -- aka Czech Republic.

So my guess is that somewhere in Houston, an unsuspecting cable modem customer is wondering why his PC is running a bit more slowly than usual -- not realizing it's because an East European scammer has installed a "backdoor" program to take control of it and use it for harvesting IDs and passwords for this exploit.

And I'm equally sure that if I had signed in with my real eBay user ID and password, the scammer would waste no time using it to sign in, then change the password so I'd be locked out of my own account. Next, I expect, he'd take advantage of my eBay identity, feedback, etc., to stage some fraudulent buying or selling transactions. And if I didn't use eBay very often, there's no telling how long it would take for me to notice what was going on.

Morals of this story:

-- Never enter personal information in a webpage you reached by clicking an email link, no matter how legitimate it appears.

-- Don't trust too-good-to-be-true eBay offers, no matter how well-known the other party seems to be or what his feedback score is. His identity may have been hijacked by a scammer.


Jeesh - how many times do we have to go over this!

eBay, PayPal, Your Local Bank, etc. etc.

NEVER NEVER NEVER EVER EVER EVER

Send you e-mails seeking a "click on this" response!!!!!

They have other ways of getting in touch with you!

You have an account with them -right?

So go to the account and see if they are trying to contact you.

THAT'S WHAT ID'S AND PASSWORDS ARE FOR!!!!! :bang: :bang: :bang:
 
bmattock said:
You're right, they're not all stupid. I keep forgetting that not everyone is net savvy. My bad. Still - you see it on TV news, in the papers, etc. Does no one read or watch the news anymore? But you made a good point, mea culpa.

Best Regards,

Bill Mattocks

I wasn't criticizing you. I was just noting that it's easy even for generally smart people to be fooled in areas outside their expertise. My dad, who is 77, is plenty smart, for example, but I can imagine people like him at least clicking on the button. (I'm pretty sure he's too savvy to actually enter the ID info -- he's very suspicious of ANYTHING he finds on his computer. Come to think of it, he doesn't have an eBay ID anyway, so I guess he's safe!)

This seems like an unusually slick scam because it's so close to legitimate. Most of us who have sold things on eBay have gotten questions from buyers, and we've all seen emails with clickable links. What's slick about this is the misdirection aspect: you get so involved in the fact that you've received this email by mistake, and wanting to set it straight, that you may not stop to think that you're about to send valuable personal information to a page that you reached through an email link.

Another interesting thing about this exploit: ever hear the old saying, "You can't cheat an honest man"? Swindlers have been getting rich off this mistaken belief for years, and this is just the latest example. The whole con is motivated NOT by the victim's greed or dishonesty, but by his desire to make an effort to help this poor old lady who sent her email to the wrong place. There's a different old saying that applies here: "No good deed goes unpunished!"
 
jlw said:
I wasn't criticizing you. I was just noting that it's easy even for generally smart people to be fooled in areas outside their expertise. My dad, who is 77, is plenty smart, for example, but I can imagine people like him at least clicking on the button. (I'm pretty sure he's too savvy to actually enter the ID info -- he's very suspicious of ANYTHING he finds on his computer. Come to think of it, he doesn't have an eBay ID anyway, so I guess he's safe!)

This seems like an unusually slick scam because it's so close to legitimate. Most of us who have sold things on eBay have gotten questions from buyers, and we've all seen emails with clickable links. What's slick about this is the misdirection aspect: you get so involved in the fact that you've received this email by mistake, and wanting to set it straight, that you may not stop to think that you're about to send valuable personal information to a page that you reached through an email link.

Another interesting thing about this exploit: ever hear the old saying, "You can't cheat an honest man"? Swindlers have been getting rich off this mistaken belief for years, and this is just the latest example. The whole con is motivated NOT by the victim's greed or dishonesty, but by his desire to make an effort to help this poor old lady who sent her email to the wrong place. There's a different old saying that applies here: "No good deed goes unpunished!"


NO - enough!

The Web is not new and life isn't either!

Scams existed long before the internet and fools have been around since just before scams started!

My Dad is in his '80s and knows enough not to "click on" or, in fact, even open an e-mail from an account party.

Your account is with your counterparty. You establish accepted means of intercourse and you DO NOT answer bogus solicitations.

This is not new "rocket science" - it goes back to the oldest concepts of how one does business with another!

Wow - now is this so darned OT or what!

Going "silent" with this admonition:

NEVER NEVER NEVER EVER EVER EVER click on an e-mail from any entity with which you have a fiduciary relationship!!!!!!!!!!!!!!
 
What's this, "Blame the Victim Night" on RFF?

I know perfectly well what people shouldn't do. What's the point of all the capital letters?
 
Epilogue: This could be completely coincidental to the story at the top of this thread -- but all day today, my email account has been getting hammered by various interesting messages.

Some of them are cheerful missives from close personal friends (whose names I don't seem to recall) beginning "Hi, its me" and then letting me know their new email addresses.

And several come from major online services (with which I'm not registered) sending me my new user ID and password.

There's even one from "Office@fbi.gov" with a subject line of "You visit illegal websites," which I figure is worth quoting in full:

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison



*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

Oh, yes, EVERY ONE of these emails has a zip file attached. And of course I'm just naturally going to open each one of them to see what it is, aren't I? (I mean, I might get in trouble if I don't answer questions from the FBI!)

And then next thing I know (or more likely, don't know) a "backdoor" will have been installed on my computer, allowing ingenious individuals to take control of it to send out messages from crippled old ladies who need me to help them find a wheelchair on eBay... or to send out more silly emails like these!

The only reason I suspect this might be from the same clever folks I visited the other day is that, when I examine the source code of the emails, they all originate from cable-modem IP addresses (Verizon and Comcast customers seem to be the lucky ones today.)

So in addition to Copake's brusque but well-taken advice NEVER to click ANYTHING in an email, it's time to add another: If you've got a cable modem, for cripe's sake, put some kind of barrier between it and your PC, okay? A router with network address translation (NAT) helps a lot, and so does a hardware or software firewall. These tools act like a hotel desk clerk: they handle deliveries while keeping your "room number" a secret, rather than letting the "deliveryman" in to roam the halls at will.
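The "examine the source code of the emails" step in the post above can be done mechanically. What follows is an added example written for this page, not code from jlw or from anyone else in the thread: it walks the Received: headers from the newest hop down, stops at the first hop that was handed to our own provider's relay (everything below that line was written by the sender and can be forged), and compares the host that really connected with what the message claims in its HELO name and its From: address. The relay names (mx1/mx2.example.org), the sample message, its reverse-DNS name, IP (from the 203.0.113.0/24 documentation range) and date are all invented for the example.

```python
"""Walk an e-mail's Received: headers to find the hop that actually handed
the message to our provider, then compare that host with what the message
claims (HELO name, From: domain).  Added example, not code from the thread;
the relay names and the sample message are made up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Our own provider's inbound relays (assumption for the example).  Received:
# lines written *by* these hosts can be trusted; lines below the first
# outside hop were written by the sender and may be forged.
OUR_RELAYS = {"mx1.example.org", "mx2.example.org"}

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write it; the
# parenthesised part is optional because some MTAs omit it.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<ptr>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?",
    re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.IGNORECASE)

def parse_hops(msg):
    """Return hops newest-first (the order they appear in the header)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        by = BY_RE.search(value)
        hops.append({"helo": m.group("helo"), "ptr": m.group("ptr"),
                     "ip": m.group("ip"), "by": by.group("by") if by else None})
    return hops

def originating_hop(hops):
    """Newest-first walk: keep going while the line was written by one of
    our relays; stop at the first line whose sender is an outside host."""
    origin = None
    for h in hops:
        if not h["by"] or h["by"].lower().rstrip(".") not in OUR_RELAYS:
            break                     # written by someone else: untrusted
        origin = h
        if h["helo"].lower().rstrip(".") not in OUR_RELAYS:
            break                     # first hop that came from outside
    return origin

def registered_domain(name):
    """Last two labels of a host name (assumption: good enough for the
    .com/.net/.gov names in this thread; not a public-suffix lookup)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(raw):
    """Return the originating IP, the From: domain and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    origin = originating_hop(parse_hops(msg))
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    findings = []
    if origin is None:
        findings.append("no Received: line written by our own relays")
        return {"origin_ip": None, "from_domain": from_domain, "findings": findings}
    real_name = origin["ptr"] or origin["helo"]
    if registered_domain(origin["helo"]) != registered_domain(real_name):
        findings.append("HELO name %s does not match reverse DNS %s"
                        % (origin["helo"], real_name))
    if from_domain and registered_domain(real_name) != from_domain:
        findings.append("From: claims %s but the message entered from %s"
                        % (from_domain, real_name))
    return {"origin_ip": origin["ip"], "from_domain": from_domain,
            "findings": findings}

# Constructed sample modelled on the "FBI" mail in the thread; the relay,
# reverse-DNS name, IP (203.0.113.0/24 documentation range) and date are invented.
SAMPLE = """\
Received: from mx1.example.org (localhost [127.0.0.1])
\tby mx1.example.org (Postfix) with ESMTP id 1A2B3C for <jlw@example.org>;
\tThu, 17 Nov 2005 09:12:01 -0500
Received: from mail.fbi.gov (cable-203-0-113-10.res.isp.example [203.0.113.10])
\tby mx1.example.org (Postfix) with SMTP id 4D5E6F;
\tThu, 17 Nov 2005 09:12:00 -0500
From: "FBI" <Office@fbi.gov>
To: jlw@example.org
Subject: You visit illegal websites

Dear Sir/Madam, we have logged your IP-address ...
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("origin:", result["origin_ip"], " claimed From domain:", result["from_domain"])
    for f in result["findings"]:
        print("  -", f)
```

Run against the sample, the script reports that the message entered from the residential host while both the HELO name and the From: address claim fbi.gov. The only Received: line you can rely on is the one your own provider wrote; the sender can prepend any number of plausible-looking lines below it, which is why the walk stops at the first outside hop instead of trusting the bottom of the list.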
 
jlw said:
Epilogue: This could be completely coincidental to the story at the top of this thread -- but all day today, my email account has been getting hammered by various interesting messages.

Some of them are cheerful missives from close personal friends (whose names I don't seem to recall) beginning "Hi, its me" and then letting me know their new email addresses.

And several come from major online services (with which I'm not registered) sending me my new user ID and password.

There's even one from "Office@fbi.gov" with a subject line of "You visit illegal websites," which I figure is worth quoting in full:



Oh, yes, EVERY ONE of these emails has a zip file attached. And of course I'm just naturally going to open each one of them to see what it is, aren't I? (I mean, I might get in trouble if I don't answer questions from the FBI!)

And then next thing I know (or more likely, don't know) a "backdoor" will have been installed on my computer, allowing ingenious individuals to take control of it to send out messages from crippled old ladies who need me to help them find a wheelchair on eBay... or to send out more silly emails like these!

The only reason I suspect this might be from the same clever folks I visited the other day is that, when I examine the source code of the emails, they all originate from cable-modem IP addresses (Verizon and Comcast customers seem to be the lucky ones today.)

So in addition to Copake's brusque but well-taken advice NEVER to click ANYTHING in an email, it's time to add another: If you've got a cable modem, for cripe's sake, put some kind of barrier between it and your PC, okay? A router with network address translation (NAT) helps a lot, and so does a hardware or software firewall. These tools act like a hotel desk clerk: they handle deliveries while keeping your "room number" a secret, rather than letting the "deliveryman" in to roam the halls at will.

Well, that two-timing SLUT; she sent me that email from the CIA! 😱
 
Hmmm, I got a bunch of those 'you are registered' emails as well today. Some claimed to be from "The Company Store" which is a real (and legitimate) company - but the emails were from some person whom I've already identified via their cable modem IP address, unless that PC is a 'zombie' that was captured and converted by another spammer. In any case, the real FBI got the whole thing, as well as The Company Store's legal department (we had a conversation). So if it is a disgruntled RFF'er sending these out - bad move, bud.

Best Regards,

Bill Mattocks
 
jlw,

thanks for the post; it reminds me of the simple things we learnt in kindergarten, things that we have learnt well but often forget.
Here in the place I live and work, every single thing depends on clicking... and people spend more and more time managing their mail accounts, their bank account, taxation, insurance, phone bills, groceries, pizza delivery, etc. all day... our experience of the world as well is understood in terms of clicks and on-line interfaces.

And those "click on" buttons somehow become so "suggestive" for innocent people... the signs and graphic icons have somehow already displaced action; we click the button "send" and ASSUME the addressee WILL get the mail, or "would have read it" by the next time we see him/her... in an office environment like the one I am in, people often come and ask, "have you read the mail?"

As you say, you host a web server, so you understand how the scam works, its technicalities, etc... it is nice of you to take the time to share your experience with members here!
 
Well, I just got another eBoy phishing attempt. This one is a bit different - it pretends to address the problems with phishing attempts!

Dear eBay Member,

Due to recent account takeovers and unauthorized listings, eBay is introducing a new account verification method. From time to time, randomly selected accounts (seller and/or buyer) are subjected to an advanced verification process based on our merchant accounts/bank relations and customers credit card. eBay may also request in an email message scanned/faxed copies of one or more photo ID's. Your account confirmation may go wrong if your credit card/bank account is expired, or if you have changed your credit card number, billing address etc. without letting us know about the change.
Subject of this verification process are also the accounts that have unpaid dues to eBay.
Your account is not suspended, but if in 48 hours after you receive this message your account is not confirmed we reserve the right to suspend your eBay registration. If you received this notice and you are not the authorized account holder, please be aware that it is in violation of eBay policy to represent oneself as another eBay user. Such action may also be in violation of local, national, and/or international law. eBay is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the full extent of the law.

Note: If this is the second time you receive this notice, it might be because you have made a mistake when you entered your details or that the account was not updated at all.






To confirm your identity with us click here:
http://signin.ebay.com/aw-cgi/eBayISAPI.dll?userconfirm&ssPageName=h:h:sin:US

We apologize in advance for any inconvenience this may cause you and we would like to thank you for your cooperation as we review this matter.




Respectfully,
Trust and Safety Department
eBay Inc.

http://www.ebay.com/

Now, does everybody see the link? It says it goes to eBoy. But it doesn't really. Although it does not display, the link goes to:

http://005490b.netsolhost.com/images/edit/info-updt.html

And do you know who that is? Not eBoy!

If you click on the link (DO NOT DO THIS), you get a screen that LOOKS like eBoy:

[screenshot: eBoy.jpg - the fake sign-in page]


But look closely at the URL on the top - this is NOT eBoy!!!!

It is being hosted on a 'throw away' account in Canada, but generally these things are coming out of Romania. In any case, if you foolishly type in your user name and password, the scam artist will now use that information to log into your eBoy account and seize it.

This is where those phony low-buck Leica M7 auctions come from! YOUR account after you give up your login id and password!

And the scammer will change your password and email address right away, so you will have NO IDEA that your account has been seized, unless you're an eBoyaholic and login all the time.

And just for fun, I went ahead and entered "No way, Crook!" as a user id, and used a password of "yousuckyousuck" and entered it.

SURPRISE! I got redirected to a website in ROMANIA with an eBoy logo on it:

[screenshot: romanian_eboy.jpg - the Romanian redirect page with an eBoy logo]


If you put your credit card information in, say GOOD BYE to your credit! You'll only be liable, in most places, for a certain amount - but your credit will be shot to hell and pretty much hosed forever once your identity is stolen. And you just gave away the keys to the kingdom.

I'm trying to scare you folks. If you can't imagine how dishonest and ruthless people can be, look at this. I got this in my email, you can get it too. If you follow the instructions, your life is about to get a lot more complicated and not fun at all.

PLEASE DO NOT CLICK ON LINKS IN EMAIL!!!

If any legitimate company sends an email, they will NOT put a clickable link in it if they are smart - and if they're not smart, too bad for them, they lose your business.

If you get an email inviting you to click on a link and go somewhere on the web, DO NOT TRUST IT, EVER. Open your web browser and type in the URL of the place you wish to go to instead.

I can't make this any clearer.

Best Regards,

Bill Mattocks
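Both jlw's first post (a "Respond" button whose real target is a cable-modem host with ".signin.ebay.com" hidden in the path) and Bill's post above (link text that reads signin.ebay.com while the href goes to netsolhost.com) come down to the same check: what each link in the HTML says versus where it actually points. The following is an added example written for this page, not code from either poster: it parses a raw HTML e-mail, pulls every anchor's href and visible text, and flags the real host unless it is ebay.com or a subdomain of it, flags a brand name that appears in the path instead of the host, flags host names that look like ISP-generated residential reverse-DNS entries, and flags visible URL text that names a different host than the href. The sample message is constructed from the two links quoted in the thread plus one genuine-looking link, and the residential-name regex is a rough heuristic of my own, not an authoritative list.

```python
"""Phishing-link triage for an HTML e-mail: compare where each link *says*
it goes with where it actually goes, and check the real host against the
brand's registered domain.  Added example, not code from the thread."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The domain the mail claims to come from; any other host is "foreign".
EXPECTED_DOMAIN = "ebay.com"

# Heuristic for ISP auto-generated reverse-DNS names on home connections,
# e.g. cpe-70-114-210-93.houston.res.rr.com (assumption: a rough pattern,
# not an authoritative list).
RESIDENTIAL_RE = re.compile(
    r"(^|\.)(cpe|cable|dsl|dyn|dhcp|pool|res|ppp)[-.]"
    r"|\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}",
    re.IGNORECASE)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_belongs_to(host, domain):
    """True only if host == domain or host ends with '.' + domain.
    'signin.ebay.com' -> True; 'ebay.com.evil.cz' and 'notebay.com' -> False."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def assess_link(href, text):
    """Return the list of reasons this link is suspicious (empty = looks fine)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    if not host_belongs_to(host, EXPECTED_DOMAIN):
        reasons.append("host %r is not under %s" % (host, EXPECTED_DOMAIN))
    if EXPECTED_DOMAIN in parts.path.lower():
        reasons.append("brand name hidden in the path, not the host")
    if RESIDENTIAL_RE.search(host):
        reasons.append("host looks like a residential/dynamic rDNS name")
    # Visible text that is itself a URL but names a different host than href.
    shown = urlsplit(text).hostname if "://" in text else None
    if shown and shown.lower() != host.lower():
        reasons.append("displayed URL host %r differs from real host %r" % (shown, host))
    return reasons

def triage_message(raw):
    """Parse a raw RFC 822 message; return {href: [reasons]} for every link."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return {}
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    return {href: assess_link(href, text) for href, text in collector.links}

# Constructed sample built from the two links quoted in the thread plus one
# genuine-looking link; it is not either of the real messages.
SAMPLE = """\
From: eBay <member@ebay.com>
To: victim@example.org
Subject: Message from an eBay member
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>I recently placed a bid on an item ... are you the seller?</p>
<a href="http://cpe-70-114-210-93.houston.res.rr.com/.signin.ebay.com/">
Respond to this question in My Messages</a><br>
<a href="http://005490b.netsolhost.com/images/edit/info-updt.html">
http://signin.ebay.com/aw-cgi/eBayISAPI.dll?userconfirm</a><br>
<a href="https://www.ebay.com/">Visit eBay</a>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in triage_message(SAMPLE).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for r in reasons:
            print("    - " + r)
```

The suffix test in host_belongs_to is the part worth copying: a plain substring check would accept "ebay.com.evil.cz" and "notebay.com", which is exactly how these pages are named. The residential-name heuristic will miss some ISPs and occasionally fire on a legitimate hostname, so treat it as one more reason to look, not as proof on its own.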
 
I got a similar one to the wheelchair lady but it was more generic with just an item number. I was running a few auctions that week but everything pointed to Ebay.UK so I knew it was bogus.
 
Thanks, jlw and bmattock for all the very detailed information.

One would think these things would be a bit more obvious, but very few people ever look at long email headers, let alone do any detective work.

What's frustrating is eBay's extremely slow response to hijacked accounts and fake auctions. I've reported several myself over the years and read of others doing the same. Days later, the bogus auctions still remain and who knows if eBay bothers to contact the original account holder.

I've also heard that filing an Internet fraud report via http://www.ifccfbi.gov/index.asp is also a waste of time. ISP's don't exactly set the world on fire with their attempts to block email either if the header contains multiple addresses.

Now, since you have Macs at home, let me ask you a question about your home network. 🙂

Have you customized the tcp daemon in your OSX for additional security? Or is this not necessary?

Tnx.
 
Jlw,

Thanks for posting this incident and being adventurous enough to test it out for us.

Unfortunately, for many of us, myself included, who are not on the cutting edge of computer technology, this is the type of story that is truly scary.

By the way, are Macs more secure because there are less Mac hackers or because there are some inherent safeguards in Macs that make them safer than PCs? What about using Firefox on either PCs or Macs as a safety measure?
 