Speak of the Devil and he appears...

bmattock · Oct 16, 2005

We've been talking about eBoy scams, and I just got another one. These are fairly common, but I thought I'd mention it.

Email arrives, seems to be from eBoy. It appears to be a 'question about multiple item shipping charges' from an eBoy user, about a Fujitsu Lifebook that I'm selling. Thing is, I'm not selling anything right now, let alone a Fujitsu Lifebook.

The response that the spammers want is that "OH MY GOD!" moment when you think someone has managed to log on to eBoy as you and has hijacked your account. So, you click on the link they thoughtfully provide, and you're asked for your user name and password. You put that in and you get logged into eBoy - only there isn't any auction. All is well. There is no such auction number, no such user as the one who seemed to be asking you a question, you're left scratching your head and wondering what just happened.

But the crime was not committed before you got the email about the Fujitsu Lifebook that you're not selling. Your account was never hijacked - BUT NOW IT WILL BE. Thanks to the user name and password you just provided to the hackers.

But you logged onto eBoy, didn't you? It looked like the standard eBoy login screen!

NO! You logged onto a Romanian website that was set up to look like an eBoy login screen. When you typed your user name and password, you gave it to the hackers and now they are having fun with your account - now they really ARE selling things in your name - but the things they are selling don't exist, and you won't ever know it - because they will be changing your password and your 'real' email address so you won't get notifications anymore.

I am including a screen shot below - I did what I just said was a BAD THING and clicked on the link in the email. But I did NOT enter the user name and password, and I won't. Look here:

nslookup 81.196.121.160
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
160.121.196.81.in-addr.arpa name = iqnet31.cli.rdspt.ro.

Authoritative answers can be found from:
121.196.81.in-addr.arpa nameserver = ns.rdspt.ro.
121.196.81.in-addr.arpa nameserver = ns.pitesti.rdsnet.ro.
121.196.81.in-addr.arpa nameserver = ns1.rdsnet.ro.
ns.pitesti.rdsnet.ro internet address = 62.231.76.49
ns1.rdsnet.ro internet address = 193.231.236.17

What that means is that the IP address (this is a unique number, like a serial number, that every device on the internet has) belongs to a Romanian website. You can complain to Romania or to Interpol or to the FBI or whatever, but nothing will be done. Like Nigerian scams, this just keeps going on and on and on. If you click on the link and enter your name and password, it is your own fault. DON'T DO IT!!!!!

If you think something is wrong with your eBoy account, open your web browser and log in through there the way you normally would - don't click on the link!!!

I have even informed the credit card companies that I do business with - if they send me email, I will not respond - I don't click on links in email when it pertains to credit cards, banks, paypal, or eBoy. It is almost always a scam, and never worth the risk.

I know a lot of you are 'net savvy and some of you are actual IT professionals working in the field, so I know you know all kinds of exceptions and 'ya buts' and all that nonsense. Let's just say that for 98% of the internet-user public, reading email headers and so on is beyond them - they don't know how to tell if an email is bogus and we should not ask them to try to figure it out. Easy answer - just don't click on links in email to website addresses (and of course never open attachments) and you should be OK; at least in regard to this eBoy nonsense.

Best Regards,

Bill Mattocks

yossarian · Oct 16, 2005

Bill,
Wow, fantastic detail in here, and my deep personal thanks for sharing this. Something rather similar has been occurring at AMAZON, or at least the Romanian connection seems to suggest it.

I hope everybody reads this and sends Bill a "thank you" for his superb detective work.

Regards,
yossarian
(Fred Morrison)

Pherdinand · Oct 16, 2005

funny to see that on the screenshot there's a note that the web address should begin with 'signin.ebay.com' and in the same time it is not🙂)
thanks, bill.

Kin Lau · Oct 16, 2005

bmattock said:
I know a lot of you are 'net savvy and some of you are actual IT professionals working in the field, so I know you know all kinds of exceptions and 'ya buts' and all that nonsense. Let's just say that for 98% of the internet-user public, reading email headers and so on is beyond them - they don't know how to tell if an email is bogus and we should not ask them to try to figure it out. Easy answer - just don't click on links in email to website addresses (and of course never open attachments) and you should be OK; at least in regard to this eBoy nonsense.

No exceptions or "but's" here. Ebay will never send you an email with a link to login, they've stated as much, so the "never do it" warning is completely valid.

ps. I haven't had a ebay phishing email for a while now, but I am winning the lottery every single day 😀 and there's lots of Russian billionaires wanting to share their wealth.

bmattock · Oct 16, 2005

Kin Lau said:
No exceptions or "but's" here. Ebay will never send you an email with a link to login, they've stated as much, so the "never do it" warning is completely valid.

ps. I haven't had a ebay phishing email for a while now, but I am winning the lottery every single day 😀 and there's lots of Russian billionaires wanting to share their wealth.

I have one credit card company that sends me email with a 'click here to view an important message regarding your account' link in it. I was instantly suspicious, but it was for real. I wrote to them and told them I would NEVER click on their link in an email message, there were too many phishing scams out there for me to trust their legitimate email, and I don't have the time to figure out which of them is real and which is fake. They wrote back with a canned response telling me how to avoid phishing scams - major idiots - they were telling me to not do what they were also telling me to do in another email. I am planning to cancel the account when I get the balance paid off - they are dangerous idiots who don't get it.

But actually, my warning was meant for those who responded to a similar message I posted some time ago - there are those who are net-savvy enough to click on the link, and then mess with the phisher by deluging them obscenities, etc. Some here have advocated actually bidding on those fake auctions - taking the prices up into the stratosphere to keep innocent people from being taken - and then refusing to pay when the fake auction is over. I say it is dangerous fun - what if you're wrong and the auction was real?

I agree it is fun to mess with a phisher, but most folks can't do it safely and should not be advised to try. Better to just delete the email or report it if you feel you must.

Best Regards,

Bill Mattocks

Fedzilla_Bob · Oct 16, 2005

Thanks Bill- I recently recieved notice from "Pay*al" that I had sold a gold rolex via the bay. I knew better and sent the message off to paypal. Pay*al responded with a canned message. It didn't help me feel secure.

Fortunately I didn't go for it. But, the jerks had done a reasonable job of avoiding most of the telltale signs of a phisher. (mispelled words, awful grammar, poorly copied graphics). One of the first signs I did catch was that the email was comprised of a gif, entirely.

Thanks again for the heads up.

Kin Lau · Oct 16, 2005

Hmmm... if the credit card company is stupid enough to send an email with a link to login, then what does that mean regarding the rest of their security practices (or lack thereof).

Good advice all around Bill. Sometimes, I think we underestimate who we're dealing with on the other end.

bmattock · Oct 16, 2005

Fedzilla_Bob said:
Thanks Bill- I recently recieved notice from "Pay*al" that I had sold a gold rolex via the bay. I knew better and sent the message off to paypal. Pay*al responded with a canned message. It didn't help me feel secure.

Fortunately I didn't go for it. But, the jerks had done a reasonable job of avoiding most of the telltale signs of a phisher. (mispelled words, awful grammar, poorly copied graphics). One of the first signs I did catch was that the email was comprised of a gif, entirely.

Thanks again for the heads up.

You're very welcome, happy to help.

The thing to remember here is that this scam and others like it depend on a simple technique. Here's how it works:

1) Invoke fear in the victim - YOUR ACCOUNT IS CLOSED DUE TO FRAUD!
2) Demand a response - CLICK HERE TO RESTORE YOUR PRIVILEGES!
3) Appear to be an authority figure - WE'RE THE EBOY FRAUD DEPARTMENT!

People in most countries, west and east, are culturally indoctrinated to obey authority from their earliest years. That's a simple fact, and in most cases, it is a good thing. But it can lead to the trap that these scammers use.

By inducing a sense of panic, they take you out of your normal 'common sense' life where you examine things rationally and make logical decisions based on facts that you know to be true. For example, if the weatherman says it is going to rain today, so take your umbrella, you may actually look outside and make up your own mind before you reach for the brolly.

By demanding a response while you are off balance, they incite that fear factor - everything is wrong, but if you just do what I tell you RIGHT NOW, everything will be fine again.

And of course, they appear to be in a position of authority to back up their claim. Their email looks like emails you have received from eBoy in the past. Some people don't even notice the often-seen mispellings and poor English grammer - they are sucked into panic mode right away and never see through to that.

I don't blame the victims of most of these scams. Many people now on the internet were not 'early adopters' and don't know how easy it is to fake an email to make it look like it came from someone else. I sent an email to someone once with a header changed to make it read 'The Devil' as the sender - they freaked out and I had to calm them down over the phone. Hey, don't laugh (or do laugh, I did) not everybody gets this stuff.

The scammers are becoming more sophisticated day by day, and many of them have a psychologist's understanding of what motivates people to action or puts them into panic mode.

I credit only my own base paranoia and distrust of all authority as having helped me avoid these traps. My own non-conformity saves me! Whoo-hoo!

Best Regards,

Bill Mattocks

Bertram2 · Oct 16, 2005

Kin Lau said:
Ebay will never send you an email with a link to login, they've stated as much, so the "never do it" warning is completely valid.
.

Exactly. They say it again and again and if somebody enters password and username on a website connected to a link in a mail he must be therapy resistant, to say the least.
You read it in newspapers and magazines, you see it mentioned in TV magazines, it's an issue in all internet communities and , meanwhile these scams are so old, one could think even the old Romans laughed about it . How can anybody still get in touble with it nowadays ?

Bertram

Tin · Oct 16, 2005

Bill,

Does your advice of not clicking into a website in an e-mail also apply to the situation where one receives an invoice from a seller that one actually deals with at that time? That is, should one not sign in through that invoice, but begin from scratch by signing in separately in order to pay for a purchase?

bmattock · Oct 16, 2005

Tin said:
Bill,

Does your advice of not clicking into a website in an e-mail also apply to the situation where one receives an invoice from a seller that one actually deals with at that time? That is, should one not sign in through that invoice, but begin from scratch by signing in separately in order to pay for a purchase?

Well, I do the latter myself, but I have been presented with a conundrum a time or two - especially with sellers who say 'do not pay until I contact you' and then use Andale Checkout or some other solution to pay for auctions. Makes me nervous. In such situations, I usually will follow their instructions - but bear in mind, I know how to read email headers (hidden in most email clients, you have to know how to even ask to see them, let alone understand them when you do see them), and I will take precautions whenever something seems not quite right. I'm not sure what I'd advise others to do in cases like that. I use dig, nslookup, traceroute and other tools to make sure to the extent I'm capable, that the person I'm dealing paying is the person I dealt with in the auction.

I have gotten emails after an auction telling me to pay a Paypal email address that was NOT used for the listing - I refuse to do so. No freaking way. I've still got 100% positive feedback after 500 transactions and being on eBoy since 1996 (yes, nearly ten years - I was an early adopter), so I must be doing something right.

Basically, I think that embedded links in emails are not to be trusted anymore unless one is very, very, sure of the sender. They have been compromised too many ways, too many times - it is just too darned easy to fake an email and fool people.

Best Regards,

Bill Mattocks

Kim Coxon · Nov 8, 2005

The use of picture files is a favourite of the spammers to get past most of the spam blockers which look for a string of words etc.

Kim

Fedzilla_Bob said:
One of the first signs I did catch was that the email was comprised of a gif, entirely.

Thanks again for the heads up.

Gabriel M.A. · Nov 8, 2005

I immediately forward those e-mails to abuse@blahblah and also the FCC; although I know that goes into a bottomless alternative universe pit, perhaps someday they'll notice when they are no longer being lobbied to.

kiev4a · Nov 8, 2005

There has been a flurry of Ebay phishing the past several days. About 1/3 of the several dozen spam messages that I get every day at work have been ebay oriented--directed to email addressed that never have been associated with ebay accounts.

back alley · Nov 8, 2005

yeah, apparently there was a problem with my account also!

what would happen if i sent them a phoney password? something like like bitemyass?

joe🙂

Uncle Bill · Nov 8, 2005

I have been on the recieving end of Ebay Phishers over the last few months, I just copy the emails and send them to E Bay's enforcement department and then delete. I have my opinions on this particular subset of the bottom end of the gene pool but I am too much of a gentleman to repeat it.

Bill

ch1 · Nov 8, 2005

This stuff also often happens with PayPal.

Simple rule: ignore any e-mails where the "sender" is eBay or PayPal.

If there really is an issue about your account(s) it will be posted on the legit websites after you sign-in.

eBay, PayPal, your local friendly banker etc. DO NOT EVER EVER EVER send you e-mails about your account!

'Nuff said to the wise - the stupid? They deserve to get ripped off!

SolaresLarrave · Nov 8, 2005

Thanks, Bill! I must admit I may have fallen in the trap and click on the link.

However, I always pay my eBoy purchases from the site, never from an e-mail. Don't know why... Now I know I'm doing something right! 🙂

Again, thanks for the warning! 🙂

Speak of the Devil and he appears...

bmattock

Veteran

yossarian

Well-known

Pherdinand

the snow must go on

Kin Lau

Guest

bmattock

Veteran

Fedzilla_Bob

man with cat

Kin Lau

Guest

bmattock

Veteran

Bertram2

Gone elsewhere

Tin

Well-known

bmattock

Veteran

Kim Coxon

Moderator

Gabriel M.A.

My Red Dot Glows For You

kiev4a

Well-known

back alley

IMAGES

Uncle Bill

Well-known

ch1

Guest

SolaresLarrave

My M5s need red dots!