Security Incidents mailing list archives
Re: EBay Fraud Attempt
From: Kee Hinckley <nazgul () somewhere com>
Date: Tue, 10 Dec 2002 01:17:28 -0500
> Hello All,
>
> About 24 Hours ago I received an e-mail from "EBay Billing" with the subject of "EBay Billing Error". However, I have not conducted any transactions in months, so I became suspicious. The text of the e-mail
Interesting. This one hit us this weekend. It was notable in part because it looked like a text message, which makes the link in it less suspicious. Unfortunately for them, the site they hosted on set a cookie, so if you had cookie alerts turned on the IP address looked suspicious, and of course the URL in the header was bad. The page itself was a copy of the ebay login page, and submitting your info would redirect you to the real ebay login page after grabbing the password information. I informed the hosting provider and they shut it down, but it was up for more than 24 hours. I also sent mail to abuse () paypal com. I *hope* they have a way of mapping the referrer fields to the logins and can thus easily notify anyone who came into their site through the fake one, but I haven't heard back.
Return-Path: <service () paypal com>
Received: from [202.134.170.3] (HELO paypal.com) by somewhere.com (CommuniGate Pro SMTP 3.5.7) with SMTP id 1849304 for nazgul () somewhere com; Sun, 08 Dec 2002 03:21:05 -0500
From: "PayPal Admin" <service () paypal com>
To: <nazgul () somewhere com>
Subject: 5 days for account suspension
Sender: "PayPal Admin" <service () paypal com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="= Multipart Boundary 1208021348"
Date: Sun, 8 Dec 2002 13:48:55 +0530
Message-ID: <auto-000001849304 () somewhere com>

<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<DIV>Dear PayPal Member<BR><BR>According to the paypal policy, you have 5 days left before your account will be suspended due to prolonged inactivity.<BR><BR>To avoid this you must login to your account atleast once in 2 months.<BR><BR>To avoid suspension of your account please click the link below<BR><BR><A href="http://207.150.221.95/eaacl-co/paypal/index.asp?user=&id=&cmd_ login=F000000001&a=ad8258ed60d767d50ef1e822ceff3db5addeaff28ad8998asdc60 d767d50ef1e822ceff3db5addeaff28ad8998asdc">https://www.paypal.com/cgi-bin/we bscr?cmd=_login-run</A>
<BR><BR>If you have checked your paypal in the last 2 months and are still recieving this mail, please inform us at paypal_info () paypal com<BR><BR><BR><BR>
<HR>
Copyright © 2002 PayPal. All rights reserved.</DIV>
</BODY>
</HTML>
</x-html>
--
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com