Re: Identity theft scam against eBay users

[Patrick Bryant <pi () pbryant com>]

The text in the "hook" email in my incident is slightly different. I'm including it below. Note subtle grammical errors 
in the text.

I've been trying to advise eBay all day, since it's their name that's being exploited, but all of my calls and emails 
have fallen into a blackhole.

It now appears that the attackers are playing a shell game with the redirector site. Even though the site that receives 
the victim's post (bayers.netfirms.com) has been shut down, now the attackers are redirecting
to at least one different site for receiving the posts.

Here's the text that initiated my team's involvement:

------------
Dear eBay User,
During our regular update and verification of the accounts, we couldn't verify your current information. Either your
information has changed or it is incomplete.
Please update and verify your information by signing in your account below :
If the account information is not updated to current information within 5 days then, your access to bid or buy on
eBay will be restricted.
go to this link below:
------------

Jordan K Wiens wrote:

> A user on our network just reported a very similar situation, however the
> details differed slightly.
>
>         From address: update () ebay com
>         Mail was not sendmail
>         Obfuscated link was: 
> http://%65%62%61%79%2e%69%6e%74%65%72%70%6f%6f%6c%2e%75%73/index.htm?sss=%66%77%6f%66%48%5a%70%55%76%46%4a%6c%69%47[OBFUSCATED
>  TO PROTECT THE USER]6%68%4b%51%4b%6b%46%6f%65%42%58%75
>         Real link: http://ebay.interpool.us/index.htm?sss=fwofHZpUvFiGg[OBFUSCATED TO PROTECT THE USER]hKQKkFoeBXu
>
> As of right now the page appears to still be up, can you see if it is
> similar to the page you were seeing before?  I've archived it if it goes
> down.
>
> Snippet of text from the email:
> --------------snip-------------
> Dear valued ebay member XXXXXX :
> It has come to our attention that your
> [link to obfuscated url]ebay[/link]
> Billing information's records are out of date. thats require update your
> billing information's
>
> If you could please take 5-10 minutes out of your online experience and
> [link again]update[/link]
> Your billing records you will not run into any future problems with the
> problems with the online service. However, failure to update your records
> will result in account termination. Please update your records by tomorrow.
> --------------snip-------------
>
> --
> Jordan Wiens
> UF Network Incident Response Team
> (352)392-2061
>
> On Mon, 10 Feb 2003, Patrick Bryant wrote:
>
> > The scam is a social engineering hack to obtain personal information
> > presumably for the purpose of identity theft.
> >
> > E-mails are being sent from an address claiming to be 'service () ebay com'
> > requesting personal information including the recipient/victim's bank
> > account number and routing number, checking account account name /
> > number and routing number, eBay user ID / password, PayPal password,
> > credit card number and associated ATM PIN number, social security
> > number, driver's license number and state of issue, and mother's maiden
> > name.
> >
> > Hopefully, half-savvy users will recognize this for what it is or at
> > least object to the disclosure, but it takes some attention to detail to
> > identify that it is a bogus request originating from outside eBay.
> >
> > Here are the technical details:
> >
> >   - The claimed origin address is: service () ebay com.
> >   - The message ID is in sendmail format (YYMMDDHHMMSSprocessID@server)
> > and ends with the string '@www.websiteseasy.com'.
> >   - The message TEXT directs the user to the URL:
> > http://www.ebay.com/acounts/memb/avncenter/?dll87443%2213. That text
> > displayed in the URL masquerades the actual URL to which the
> > user-supplied data is posted.
> >   - The ACTUAL URL in the http directs the browser to:
> > 'http://bayers.crossfade.la/' which then does a 'refresh' redirect to
> > 'http://bayers.netfirms.com/'.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com