RE: EBay Fraud Attempt

[george.wasgatt () insurity com]

Ebay is aware of this and other fraudulent attempts to harvest user
credentials.  Here is what they have to say about it in their announcements
section:

Date: 12/06/2002
Time: 13:15:46 PST
 ***Protect Your eBay Password and Your Personal Information***

eBay treats your personal information with the utmost care, and our Privacy
Policy is designed to protect you and your information. 

Some members have reported attempts to gain access to their personal
information through email solicitations that are falsely made to appear as
having come from eBay. These solicitations will often contain links to Web
pages that will request that you sign in and submit information. At eBay, we
identify these as 'spoofed' emails or Web sites.

We encourage you to be very cautious of emails that ask you to submit
personal information such as your credit card number or your eBay password. 

To be sure that you are signing into a genuine eBay Web site, look at the
Address/Location area of your browser. At an eBay.com sign-in or log-in
page, the URL (link) that appears in the Address/Location area of your
browser will begin with "http://cgi.ebay.com/"; or "http://scgi.ebay.com";.
Please pay close attention to all characters in the address, including the
forward slash (/) that follows "ebay.com". Even if the Address/Location
includes the word "ebay", it may not be a genuine eBay Web site. If you
receive or suspect you have received such an email, do not respond to it or
click the links. Immediately send a copy of it to spam () ebay com.

If you have any doubt as to whether or not the website you are on is an
official eBay web page, please visit our Account Security page for more
complete information on the URLs used on eBay web pages.

For more information on how to protect your eBay password and your account,
click here. 

Regards, 
eBay  

-----Original Message-----
From: jlewis () lewis org [mailto:jlewis () lewis org]
Sent: Sunday, December 08, 2002 11:45 PM
To: Logan F.D. Greenlee
Cc: incidents () securityfocus com
Subject: Re: EBay Fraud Attempt


This is definitely an attempt to socially engineer your credit card info,
bank account info, and enough personal information to commit identity
theft against anyone dumb enough to fill out the form (and I'm sure there
are many suckers out there).  You should immediately forward a copy to at
least the following:

privacy () ebay com (don't know if this is the best contact, but it's all I 
found in a quick look at their site).  This is the sort of thing Ebay will 
sick their lawyers on for use of the ebay name.

noc () accentric net (they're the tech contact for the IP block 
www.ebayupdates.com resolves to)

domain.tech () YAHOO-INC COM (they're the tech contact for the domain 
ebayupdates.com, which seems to be registered to some creep in Niceville, 
FL (which sounds fake, but actually exists)).

It wouldn't hurt to try to notify the FBI and local Niceville police...but 
how much time to you want to spend on this?  Odds are, you'll have to 
place several calls and talk to multiple people before you find an 
agent/officer who understands what a website is and why this one is bad.  
If Ebay's security people return your message/call, maybe you can just ask 
tem if they'll push the right buttons to get the FBI to pickup the person 
responsible for the site.  They're likely going to be more familiar with 
what it takes to get some action.

On Sat, 7 Dec 2002, Logan F.D. Greenlee wrote:

> To the moderator:
>       This is my first post, and I'm not sure that this is right list
> to be sending this to. If it isn't could you please tell me where I
> should send it?
>
> Hello All,
>       About 24 Hours ago I received an e-mail from "EBay Billing" with
> the subject of "EBay Billing Error". However, I have not conducted any
> transactions in months, so I became suspicious. The text of the e-mail
> is below as well as the routing path, which would indicate that it was
> not in fact sent by eBay. Further, a visit to the site that is refrenced
> in the email leads to a page that is javascript encoded. Right click is
> disabled to prevent saving of the page. An inspection of the source
> would also indicate that the creators of the page do not want users to
> see where their information is going. I've looked around eBay and found
> no other pages that were constructed in a similar manner. Finally, I
> checked the WHOIS database entry for "ebayupdates.com" and found that
> the registrants were not eBay corporate but someone in Florida. Is it
> possible that this is a farily large scale attempt at gathering eBay
> users account and/or credit card information.
>
> Logan
>
>
> **** Message Header *****
> Microsoft Mail Internet Headers Version 2.0
> Received: from 195.73.193.7 ([24.232.235.26]) by ciretose.net with
> Microsoft SMTPSVC(5.0.2195.5329);
>        Fri, 6 Dec 2002 19:03:46 -0500
> Received: from unknown (HELO f64.law4.hotmail.com) (13.61.40.178) by
> ssymail.ssy.co.kr with smtp; Dec, 06 2002 3:57:55 PM -0100
> Received: from sparc.isl.net ([45.55.85.241]) by
> anther.webhostingtalk.com with NNFMP; Dec, 06 2002 2:52:05 PM -0300
> Received: from [177.34.196.8] by f64.law4.hotmail.com with NNFMP; Dec,
> 06 2002 1:46:01 PM +1100
> From: Ebay Billing <Billing () ebay com>
> To: logan () ciretose net
> Cc: 
> Subject: Ebay Billing Error
> Sender: Ebay Billing <Billing () ebay com>
> Mime-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Date: Fri, 6 Dec 2002 16:02:56 -0800
> X-Mailer: eGroups Message Poster
> Return-Path: Billing () ebay com
> Message-ID: <DCxgX3kT8fP682w9hWb00000009 () ciretose net>
> X-OriginalArrivalTime: 07 Dec 2002 00:03:49.0430 (UTC)
> FILETIME=[1E97BD60:01C29D84]
> **** End Message Header *****
>
> **** Message Contents *****
> Dear Ebay Member, 
> We at Ebay are sorry to inform you that we are having problems with the
> billing information of your account. We would appreciate it if you would
> visit our website [Ebay Billing Center] <http://www.ebayupdates.com> and
> fill out the proper information that we are needing to keep you as an
> Ebay member.
> If you think you have received this email as an error, please visit our
> website and fill out the neccesary information. That way we can make
> sure that everything is       up to date! Again here is the link to
> our website. Ebay Billing Center <http://www.ebayupdates.com>
> Joe Watson 
> Ebay Billing Center 
> Rep ID. 32A 
> Thank you for your business. 
> The Ebay Staff. 
> ************************************************************************
> ******** ********************************* 
> Do not reply to this e-mail, for assistance contact the customer service
> team. 
> ************************************************************************
> ******** ********************************* 
> ***** Message Contents ******
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com