Security Incidents mailing list archives

Re: EBay Fraud Attempt


From: Kee Hinckley <nazgul () somewhere com>
Date: Tue, 10 Dec 2002 01:17:28 -0500

 > Hello All,
 > About 24 Hours ago I received an e-mail from "EBay Billing" with
 > the subject of "EBay Billing Error". However, I have not conducted any
 > transactions in months, so I became suspicious. The text of the e-mail

Interesting.  This one hit us this weekend.  It was notable in part
because it looked like a text message, which makes the link in it
less suspicious.  Unfortunately for them, the site they hosted on set
a cookie, so if you had cookie alerts turned on the IP address looked
suspicious, and of course the URL in the header was bad.  The page
itself was a copy of the ebay login page, and submitting your info
would redirect you to the real ebay login page after grabbing the
password information.

I informed the hosting provider and they shut it down, but it was up
for more than 24 hours.  I also sent mail to abuse () paypal com.  I
*hope* they have a way of mapping the referrer fields to the logins
and can thus easily notify anyone who came into their site through
the fake one, but I haven't heard back.

Return-Path: <service () paypal com>
Received: from [202.134.170.3] (HELO paypal.com)
   by somewhere.com (CommuniGate Pro SMTP 3.5.7)
   with SMTP id 1849304 for nazgul () somewhere com; Sun, 08 Dec 2002
03:21:05 -0500
From: "PayPal Admin" <service () paypal com>
To: <nazgul () somewhere com>
Subject: 5 days for account suspension
Sender: "PayPal Admin" <service () paypal com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="= Multipart Boundary 1208021348"
Date: Sun, 8 Dec 2002 13:48:55 +0530
Message-ID: <auto-000001849304 () somewhere com>

<x-html><!x-stuff-for-pete base="" src="" id="0" charset=""><HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<DIV>Dear PayPal Member<BR><BR>According to the paypal
policy, you have 5 days left before your account will be suspended due to
prolonged inactivity.<BR><BR>To avoid this you must login to your account
atleast once in 2 months.<BR><BR>To avoid suspension of your account please
click the link below<BR><BR><A
href="http://207.150.221.95/eaacl-co/paypal/index.asp?user=&amp;id=&amp;cmd_
login=F000000001&amp;a=ad8258ed60d767d50ef1e822ceff3db5addeaff28ad8998asdc60
d767d50ef1e822ceff3db5addeaff28ad8998asdc">https://www.paypal.com/cgi-bin/we
bscr?cmd=_login-run</A>
<BR><BR>If you have checked your paypal in the last 2 months and are still
recieving this mail, please inform us at
paypal_info () paypal com<BR><BR><BR><BR>
<HR>
Copyright © 2002 PayPal. All rights reserved.</DIV>
</BODY>
</HTML>

</x-html>

--

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

