Security Incidents mailing list archives

RE: EBay Fraud Attempt

From: Chris Gordon <chris.gordon () gettyimages com>
Date: Wed, 11 Dec 2002 09:46:03 -0800

Looks like this has already been taken care of, according to this news article...
http://news.bbc.co.uk/2/hi/business/2564725.stm

The world's largest online auction site eBay has been targeted by fraudsters using a shadow site to steal credit card 
details from its 55 million customers. The scam involved sending e-mails to customers asking them to log on to a 
Florida-based website - ebayupdates.com - and re-submit their financial details. 
"We at Ebay are sorry to inform you that we are having problems with the billing information of your account," the 
e-mails said, writing the name incorrectly with a capital E. 
"We would appreciate it if you would visit our website [Ebay Billing Center] http://www.ebayupdates.com and fill out 
the proper information that we are needing to keep you as an Ebay member." 
US internet watchdog SANS Institute Internet Storm Center has issued a warning about the site. 
Taken down
In a statement to BBC News Online, eBay said it "never asks its users for their user ID and password." 
"Fraud constitutes less than 0.01% of all transactions that take place on the site," it added. 
The shadow site has been taken down. 
The e-mails began appearing about a week ago. 
eBay warning
The WHOIS database of websites showed ebayupdates.com was registered in Niceville, Florida on 6 December this year. 
California-based eBay has issued warnings on its site about e-mails asking for passwords or credit card details. 
"Some members have reported attempts to gain access to their personal information through e-mail solicitations that are 
falsely made to appear as having come from eBay," the company said. 
"These solicitations will often contain links to web pages that will request that you sign in and submit 
information...eBay employees will never ask you for your password." 
In November it was reported that some eBay customers' e-mail addresses could be seen on the company's website. 

-----Original Message-----
From: Chris A. Mattingly [mailto:camattin () camattin com]
Sent: Monday, December 09, 2002 10:02 PM
To: Logan F.D. Greenlee
Cc: incidents () securityfocus com
Subject: Re: EBay Fraud Attempt


You might also contact the U.S. Secret Service, as this type of crime is
covered by this mission statement.  (See
http://www.secretservice.gov/mission.shtml).

-Chris

----- Original Message -----
From: <jlewis () lewis org>
To: "Logan F.D. Greenlee" <lgreenlee () ciretose net>
Cc: <incidents () securityfocus com>
Sent: Sunday, December 08, 2002 11:45 PM
Subject: Re: EBay Fraud Attempt

This is definitely an attempt to socially engineer your credit card info,
bank account info, and enough personal information to commit identity
theft against anyone dumb enough to fill out the form (and I'm sure there
are many suckers out there).  You should immediately forward a copy to at
least the following:

privacy () ebay com (don't know if this is the best contact, but it's all I
found in a quick look at their site).  This is the sort of thing Ebay will
sick their lawyers on for use of the ebay name.

noc () accentric net (they're the tech contact for the IP block
www.ebayupdates.com resolves to)

domain.tech () YAHOO-INC COM (they're the tech contact for the domain
ebayupdates.com, which seems to be registered to some creep in Niceville,
FL (which sounds fake, but actually exists)).

It wouldn't hurt to try to notify the FBI and local Niceville police...but
how much time to you want to spend on this?  Odds are, you'll have to
place several calls and talk to multiple people before you find an
agent/officer who understands what a website is and why this one is bad.
If Ebay's security people return your message/call, maybe you can just ask
tem if they'll push the right buttons to get the FBI to pickup the person
responsible for the site.  They're likely going to be more familiar with
what it takes to get some action.

On Sat, 7 Dec 2002, Logan F.D. Greenlee wrote:

To the moderator:
This is my first post, and I'm not sure that this is right list
to be sending this to. If it isn't could you please tell me where I
should send it?

Hello All,
About 24 Hours ago I received an e-mail from "EBay Billing" with
the subject of "EBay Billing Error". However, I have not conducted any
transactions in months, so I became suspicious. The text of the e-mail
is below as well as the routing path, which would indicate that it was
not in fact sent by eBay. Further, a visit to the site that is refrenced
in the email leads to a page that is javascript encoded. Right click is
disabled to prevent saving of the page. An inspection of the source
would also indicate that the creators of the page do not want users to
see where their information is going. I've looked around eBay and found
no other pages that were constructed in a similar manner. Finally, I
checked the WHOIS database entry for "ebayupdates.com" and found that
the registrants were not eBay corporate but someone in Florida. Is it
possible that this is a farily large scale attempt at gathering eBay
users account and/or credit card information.

Logan


**** Message Header *****
Microsoft Mail Internet Headers Version 2.0
Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
Microsoft SMTPSVC(5.0.2195.5329);
Fri, 6 Dec 2002 19:03:46 -0500
Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
Received: from sparc.isl.net ([45.55.85.241]) by
anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
06 2002 1:46:01 PM +1100
From: Ebay Billing <Billing () ebay com>
To: logan () ciretose net
Cc:
Subject: Ebay Billing Error
Sender: Ebay Billing <Billing () ebay com>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Fri, 6 Dec 2002 16:02:56 -0800
X-Mailer: eGroups Message Poster
Return-Path: Billing () ebay com
Message-ID: <DCxgX3kT8fP682w9hWb00000009 () ciretose net>
X-OriginalArrivalTime: 07 Dec 2002 00:03:49.0430 (UTC)
FILETIME=[1E97BD60:01C29D84]
**** End Message Header *****

**** Message Contents *****
Dear Ebay Member,
We at Ebay are sorry to inform you that we are having problems with the
billing information of your account. We would appreciate it if you would
visit our website [Ebay Billing Center] <http://www.ebayupdates.com> and
fill out the proper information that we are needing to keep you as an
Ebay member.
If you think you have received this email as an error, please visit our
website and fill out the neccesary information. That way we can make
sure that everything is up to date! Again here is the link to
our website. Ebay Billing Center <http://www.ebayupdates.com>
Joe Watson
Ebay Billing Center
Rep ID. 32A
Thank you for your business.
The Ebay Staff.
************************************************************************
******** *********************************
Do not reply to this e-mail, for assistance contact the customer service
team.
************************************************************************
******** *********************************
***** Message Contents ******


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


=======================================================
This email and its contents are confidential. If you
are not the intended recipient, please do not disclose
or use the information within this email or its
attachments. If you have received this email in error,
please delete it immediately. Thank you.
=======================================================

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: EBay Fraud Attempt, (continued)
- - Re: EBay Fraud Attempt Kee Hinckley (Dec 11)
- Re: EBay Fraud Attempt Waitman C. Gobble, II (Dec 09)
- Re: EBay Fraud Attempt Stephen Friedl (Dec 09)
  - Re: EBay Fraud Attempt Stephen J. Friedl (Dec 11)
- Fwd: EBay Fraud Attempt Dave Laird (Dec 09)
  - RE: EBay Fraud Attempt Carlo Costanzo (Dec 11)
    - Re: EBay Fraud Attempt Dave Laird (Dec 11)
    - Re: EBay Fraud Attempt Mark (Dec 11)
- RE: EBay Fraud Attempt george . wasgatt (Dec 11)
- RE: EBay Fraud Attempt OBrien, Brennan (Dec 11)
- RE: EBay Fraud Attempt Chris Gordon (Dec 11)